“EU GDPR presents a golden opportunity to Indian data processing companies to revisit their data protection, information security and confidentiality policies and ensure compliance as per global standards.”
Navdeep Singh Ahluwalia, Head Network and Information Security, Dalmia Bharat Group
The European Union’s General Data Protection Regulation (the “GDPR”) takes effect on 25 May 2018 and governs data privacy and protection. It aims to bring all the EU member states under one umbrella by enforcing a single data protection law, and it lays down guidelines and rules on how personal data is processed, used, stored or exchanged. It applies to all organizations that are registered in the EU or have an establishment or subsidiary in the EU. It also applies to organizations selling goods or services to citizens of the EU.
A degree of uncertainty looms amongst Indian companies engaged in outsourced data processing activities. This uncertainty is mainly due to the applicability of the GDPR and its implications for their businesses. The penalty scheme set out in the GDPR is also a major concern for such companies, since the GDPR allows enforcement directly against a data processor. Companies need to revisit their policies and procedures with respect to data privacy and protection.
Article 3 (territorial scope) of the GDPR applies irrespective of location, whether the processing happens in the EU or outside it, and processing covers any operation performed on personal data, such as collecting, recording, structuring, storing, using and disclosing by transmission, and even erasing and destroying it. Any Indian company processing such data therefore falls within the ambit of the GDPR.
Indian companies are required to enter into a contract with the customer before undertaking any processing activity, and the following measures need to be implemented at the organization level:
- a) Pseudonymization and encryption of personal data
- b) Confidentiality and integrity of processing systems
- c) Restoration of availability and access to personal data after a physical or technical incident
Organizations need to notify the customer in the event of a personal data breach and need to carry out a data protection impact assessment immediately. To remain compliant, Indian companies doing data processing for EU customers have to allow the customer to conduct an audit and inspection of their systems.
The right of a data processor to subcontract its responsibilities has been curtailed and made conditional. The ability of an Indian process outsourcing company to refuse a flow-down of contractual obligations has been severely restricted.
Indian organizations engaged in data processing have gained access to the data of EU citizens, which has brought them within the ambit of the GDPR. Indian companies need to meet the adequacy requirements, and the privacy judgment has presented several points for the consideration of the Legislature. This presents a golden opportunity for Indian data processing companies to revisit their data protection, information security and confidentiality policies and ensure compliance with global standards.