What Indian Firms Need to Know About GDPR Compliance
It's extremely important for people doing business with European Union to know about GDPR and hence we elaborate on the subject
Every organization in India that deals with, or has access to, personal data of EU residents is required to store and manage such data in compliance with the EU’s General Data Protection Regulation (GDPR) which became effective since 25th May2018.
GDPR expands the definition of ‘personal data’, which denotesany information relating to an individual who can be recognised directly or indirectly by identification numbers, location, and physical, genetic, economic or social identity.
GDPR assures EU residents privacy of their personal data stored within an organization. The regulation has extraterritorial scope mandating data storage entities outside the EU borders to be compliant. GDPR commissions organizations that possess data on EU residents to protect it; disclosure of which may cause these firms to face considerable penalties. Such organizations must also ensure that data is collected via valid legal approaches.
Impact on Service Providers
Given that many Indian entities render various types of service processes to entities registered in EU who provide access to personal data of EU residents, it is pertinent for such Indian organizations to be GDPR compliant.
Service providers likely impacted:
Chartered Accountants providing Personal Tax consulting to EU nationals and residents
Organizations performing Background Checks on EU nationals and residents
Law Firms working with direct clients, and law firms, based in the EU
Forensic investigators conducting fraud investigations on Indian subsidiaries of EU companies
Recruitment, HR and Payroll Consulting firms analysing personal data of EU residents
EU based consulting firms internally bidding and outsourcing contracts obtained in the EU to their Indian subsidiary/back office.
Keeping Data Safe
Indian organizations must revisit the terms of their contracts which allow them access to personal data of EU residents. Both awareness and vigilance will be necessary prerequisites to remain compliant with GDPR. Some options to mitigate breach of data:
Stringent non-disclosure terms and strict confidentiality agreements with all senior employees is a must. Ideally these should be locked-in with their employment agreement.
Employees should have access to such data in accordance with their assigned role and responsibilities. Sharing or providing access to information should be only on a need to know basis as at times critical personal information is shared with other employees or third-party vendors without realizing the consequences of such actions. Therefore, it is important to have in place back-to-back confidentiality agreements with all those with whom personal data of EU residents is to be shared.
An organization must have an IT policy in place to further secure such data when an employee is serving his or her notice period, to have limited or no access.
Ex-employees may attempt to access information by connecting with unsuspecting employees. Ensure that data confidentiality is stressed to all employees during attrition.
Invest and maintain a reliable encrypted backup and storage system. Indian companies that control information about EU individuals must audit their data storage integrity, and archives access policies, while ensuring they have access to all necessary data when needed.
Use of portable storage media must be prohibited unless critical but should be monitored and supervised. SD cards hold 512GB easily and are unnoticed.
Random audit of data security procedures and processes may be undertaken to monitor system integrity, especially during change in the IT department or major migration of data or software.
Lastly, regular training for employees to understand the scope of GDPR, what it entails and implications to the company, especially in case of non-compliance. Employees must be made aware of the consequences in the case of mishandling or mismanagement of digital data.
Indian organizations must provide comfort to EU clients that they’re committed to complying with GDRP regulations and that data with them is securely stored, and data rights under GDPR are respected. These include an EU resident’s right to:
withdraw consent for the use of their personal data at any time
access their personal data
know the nature of the data
To object concerning how the data is used.
Map and Audit Data Flows
To remain GDPR compliant all entities in India, irrespective of their size, will need to take stock of the data they store about EU residents. To do this they must keep track of where and when they use such data. In the event an EU resident seeks information, pertaining to their personal data, its storage and purpose for which they said data is used, Indian firms must be able to share such information with ease, transparency and clarity.
Stronger Data Control and Collection
GDPR tightens the privileges of consent when acquiring data from customers. Indian companies falling within the ambit of GDPR may consider appointing a Chief Data Officer to manage how they receive, control, collect, store and archive data of EU residents.
Compliance with Local Indian Laws
Indian companies, while developing compliance to GDPR, must not ignore compliance with India’s cyber laws too, for which Legal and IT will need to work together.
Although continuous efforts will be needed to remain GDPR compliant, SME’s should view this as an opportunity rather than a hindrance. Being GDPR compliant provides a USP to a service provider differentiate itself and acquire more business from the EU.