Here are concerns and curiosity about European Union General Data Protection Regime (GDPR) and there is a related issue in India being covered under Data Empowerment and Protection Architecture (DEPA) layer of India Stack being vigorously followed at iSPIRT.
iSPIRT organised a Policy Hacks session on these issues with Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.), Sanjay Khan Nagra (Core Volunteer at iSPIRT and M&A / corporate expert from Khaitan & Co) and Siddharth Shetty (Leading the DEPA initiative at iSPIRT).
Sanjay Khan interacted with both Siddharth and Supratim posing questions on behalf of Industry.
A video of the discussion is posted here below. Also, the main text of discussion is given below. We recommend to watch and listen to the video.
GDPR essentially is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Since it affects all companies having any business to consumer/people/individual interface in European Union, it will be important to understand this legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Supratim mentioned in the talk that GDPR is mentioned on following main principles.
- Harmonize law across EU
- Keep pace with technological changes happening
- Free flow of information across EU territory
- To give back control to Individual about their personal data
Siddharth explained DEPA initiative of iSPIRT. He mentioned that Data Protection is as important as Data empowerment. What this means is that individual has the ability to share personal data based on one’s choice to have access to services, such as financial services, healthcare etc. DEPA deal with consent layer of India Stack.
This will help service providers like account aggregators in building a digital economy with sufficient control of privacy concerns of the data. DEPA essentially is about building systems so that individual or consumer level individual is able to share data in a protected manner with service provider for specified use, specified time etc. In a sense, it addresses the concern of privacy with the use of a technology architecture.
DEPA is being pursued India and has nothing to do with EU or other countries at present.
For more details on DEPA please use this link here http://indiastack.org/depa/
Sanjay Khan poses a relevant question if GDPR is applicable even on merely having a website that is accessible of usable from EU?
Supratim explains, GDPR applicable, if there is involvement of personal data of the Data subjects in EU. Primarily GDPR gets triggered in three cases
- You have an entity in EU,
- You are providing Goods and services to EU data subjects whether paid for or not and
- If you are tracking EU data subjects.
Many people come in the third category. The third category will especially apply to those websites where it is proved that EU is a target territory e.g. websites in one of the European languages, payment gateway integration to enable payments in EU currency etc.
What should one do?
Supratim, further explains that the important and toughest task is data management with respect to personal data. How it came? where all it is lying? where is it going? who can access? Once you understand this map, then it is easier to handle. For example, a mailing list may be built up based on business cards that one may have been collected in business conferences, but no one keeps a track of these sources of collections. By not being able to segregate data, one misses the opportunity of sending even legitimate mailers.
Is a data subject receives and gets annoyed with an obnoxious email in a ‘subject’ that has nothing do with the data subject, the sender of email may enter into the real problem.
Siddharth mentioned that some companies are providing product and services in EU through a local entity are shutting shops.
Supratim, mentions that taking a proper explicit and informed consent in case of email as mentioned GDPR is a much better way to handle. He emphasised the earlier point of Data mapping mentioned above, on a question by Sanjay khan. Data mapping, one has to define GDPR compliant policies.
EU data subjects have several rights, edit date, port data, erase data, restrict data etc. GDRP has to be practised with actually having these rights enabled and policies and processed rolled out around them. There is no one template of the GDPR compliant policies.
Data governance will become extremely important in GDPR context, added Siddharth. Supratim added that having a Data Protection officer or an EU representative may be required as we go along in future based upon the complexity of data and business needs.
Can it be enforced on companies sitting in India? In absence of treaties, it may not be directly enforceable on Indian companies. However, for companies having EU linkages, it may be a top-down effect if the controller of a company is sitting there.
Sanjay asked, how about companies having US presence and doing business in EU. Supratim’s answer was yes these are the companies sitting on the fence.
How about B2B interactions? Will official emails also be treated as personal? Supratim answers yes it may. Again it has to be backed by avenues where data was collected and legitimate use. Supratim further mentions that several aspects of the law are still evolving and idea at present is to take a conservative view.
Right now it is important to start the journey of complying with GDPR, and follow the earlier raised points of data mapping, start defining policy and processes and evolve. In due course, there will be more clarity. And if you are starting a journey to comply with GDPR, you will further be ready to comply with Indian privacy law and other global legal frameworks.
“There is no denying the fact that one should start working on GDPR”, said Sanjay. “Sooner the better”, added Supratim.
We will be covering more issues on Data Protection and Privacy law in near future.
Author note and Disclaimer: PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on the case to case basis.