There is both concern and curiosity about the European Union's General Data Protection Regulation (GDPR), and a related set of issues in India is being covered under the Data Empowerment and Protection Architecture (DEPA) layer of India Stack, which iSPIRT is vigorously pursuing.
iSPIRT organised a Policy Hacks session on these issues with Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.), Sanjay Khan Nagra (Core Volunteer at iSPIRT and M&A / corporate expert from Khaitan & Co) and Siddharth Shetty (Leading the DEPA initiative at iSPIRT).
Sanjay Khan interacted with both Siddharth and Supratim, posing questions on behalf of industry.
A video of the discussion is posted below, along with the main text of the discussion. We recommend watching and listening to the video.
GDPR essentially is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Since it affects every company with any business-to-consumer interface in the European Union, it is important to understand this legal framework, which sets guidelines for the collection and processing of personal information of individuals within the EU.
Supratim mentioned in the talk that GDPR rests on the following main principles:
- Harmonize law across EU
- Keep pace with technological changes happening
- Free flow of information across EU territory
- Give individuals back control over their personal data
Siddharth explained the DEPA initiative of iSPIRT. He mentioned that data protection is as important as data empowerment. What this means is that an individual has the ability to share personal data, by their own choice, in order to access services such as financial services, healthcare, etc. DEPA deals with the consent layer of India Stack.
This will help service providers like account aggregators build a digital economy with sufficient control over the privacy concerns around the data. DEPA is essentially about building systems so that an individual or consumer is able to share data in a protected manner with a service provider for a specified use, a specified time, etc. In a sense, it addresses the concern of privacy through a technology architecture.
DEPA is being pursued for India and has nothing to do with EU or other countries at present.
For more details on DEPA, please see http://indiastack.org/depa/
Sanjay Khan posed a relevant question: is GDPR applicable even to a company merely having a website that is accessible or usable from the EU?
Supratim explained that GDPR is applicable if personal data of data subjects in the EU is involved. Primarily, GDPR gets triggered in three cases:
- You have an entity in the EU,
- You are providing goods and services to EU data subjects, whether paid for or not, and
- You are tracking EU data subjects.
Many people fall into the third category. It will especially apply to websites where it can be shown that the EU is a target territory, e.g. websites in one of the European languages, payment gateway integration to enable payments in an EU currency, etc.
What should one do?
Supratim further explained that the most important and toughest task is data management with respect to personal data. How did it come in? Where is it all lying? Where is it going? Who can access it? Once you understand this map, it is easier to handle. For example, a mailing list may be built up from business cards collected at business conferences, but no one keeps track of these sources of collection. By not being able to segregate data, one misses the opportunity of sending even legitimate mailers.
If a data subject receives, and gets annoyed by, an obnoxious email on a subject that has nothing to do with them, the sender of the email may land in real trouble.
Siddharth mentioned that some companies providing products and services in the EU through a local entity are shutting shop.
Supratim mentioned that taking proper explicit and informed consent for email, as laid out in GDPR, is a much better way to handle it. On a question by Sanjay Khan, he re-emphasised the earlier point about data mapping. After data mapping, one has to define GDPR-compliant policies.
EU data subjects have several rights: to edit data, port data, erase data, restrict processing of data, etc. GDPR has to be practised by actually enabling these rights and rolling out policies and processes around them. There is no single template for GDPR-compliant policies.
Data governance will become extremely important in the GDPR context, added Siddharth. Supratim added that having a Data Protection Officer or an EU representative may be required as we go along, depending on the complexity of the data and business needs.
Can it be enforced on companies sitting in India? In the absence of treaties, it may not be directly enforceable on Indian companies. However, for companies with EU linkages, there may be a top-down effect if the controller of a company is sitting there.
Sanjay asked about companies having a US presence and doing business in the EU. Supratim's answer was yes; these are the companies sitting on the fence.
How about B2B interactions? Will official emails also be treated as personal data? Supratim answered that they may. Again, it has to be backed by the avenues through which the data was collected and by legitimate use. Supratim further mentioned that several aspects of the law are still evolving and the idea at present is to take a conservative view.
Right now it is important to start the journey of complying with GDPR: follow the points raised earlier on data mapping, start defining policies and processes, and evolve. In due course there will be more clarity. And if you start the journey to comply with GDPR, you will also be better placed to comply with Indian privacy law and other global legal frameworks.
“There is no denying the fact that one should start working on GDPR”, said Sanjay. “Sooner the better”, added Supratim.
We will be covering more issues on Data Protection and Privacy law in near future.
Author note and Disclaimer: PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact the Software Product Industry and the startups in the ecosystem. PolicyHacks, therefore, do not necessarily set out the views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on a case-to-case basis.