

What is GDPR Policy?


Introduction

The strictest privacy and security law in the world is the General Data Protection Regulation (GDPR). Although it was created and approved by the European Union (EU), the GDPR imposes requirements on any organization that targets or gathers information about individuals residing in the EU. The rule becomes effective on May 25, 2018. The GDPR will impose severe fines, up to tens of millions of euros, on those who break its security and privacy criteria.

At a time when many individuals are sharing their personal information with cloud services and intrusions are occurring daily, Europe is signaling with the GDPR its tough approach to privacy and security. The policy itself is substantial, comprehensive, and relatively light on specifics. For small and medium-sized businesses (SMEs) in particular, GDPR compliance is a frightening proposition due to the regulation's scale, scope, and relative lack of specifics.

The General Data Protection Regulation of the European Union is remarkable in that it applies to companies that might not have anything in common with the EU.

The jurisdictional range of the law is defined in Article 3 of the GDPR:

  • Regardless of whether personal data is processed inside or outside of the Union, this Regulation applies to activities conducted at a controller or processor's establishment there.

  • Where a processor or handler that is not located in the Union processes private data of data subjects who are in the Union, this Regulation is applicable.

  • This Regulation applies to the processing of personal data carried out by a controller based outside of the Union but within the scope of public international law in a Member State.

According to Article 3.1, even if the data are being held or used outside of the EU, enterprises with a base in the EU must comply with the GDPR. If two requirements are met, Article 3.2 goes even further and applies the rule to organizations outside the EU: the company either provides services or goods to EU citizens or keeps track of their internet activity. (Article 3.3 mentions other peculiar situations, such as in EU missions.)

Objective of GDPR

The GDPR lists three goals: the safeguarding of human beings when their data is processed, the protection of their fundamental liberties and rights with regard to data protection, and the free circulation of personal information for processing purposes.

The right to protection is granted by law to the data subject. Additionally, the GDPR expressly acknowledges the Charter of Fundamental Rights of the European Union and the rights to data privacy granted by the Treaty on the Functioning of the European Union.

How Will the GDPR Impact Indian Businesses?

The GDPR might have a significant influence on several industries, particularly the IT and BPO sectors, as it will affect businesses globally. The proposed data security regulation in Europe will first have an impact on the information technology industry. If Indian businesses adhere to the GDPR, it will open up outsourcing opportunities for a broader segment of the Indian IT industry, increasing their market share.

Indian e-commerce businesses that deal with EU citizens must still comply with the GDPR. This includes businesses that store a subject's data, like Flipkart, and those that offer medical services and keep some of the subjects' data in their databases. Such businesses possess the capacity to expand, but they cannot do so until the Indian legal system complies with GDPR protection requirements.

Sections 43A, 72, and 72A of the Information Technology Act of 2000 (as revised in 2008) provide for data protection today. These clauses provide the regulatory process for privacy protection in India. While they outline the standards for data collection and usage, they do not provide any instructions for data storage methods, user consent, or standards for data processing.

In contrast, the GDPR expressly grants users security and the right to select the way their information is used, which is not stated in the IT Act. Additionally, computational standards are subject to the GDPR's guiding principles. However, the provisions of the IT Act 2000 apply to the gathering and utilization of information. The objectives of data security, security from unauthorized handling, transparency, fairness, and accountability are specified in the GDPR yet are not included in the IT Act.

GDPR's Effect on the Indian IT Industry

The Indian BPO, ITeS, and drug companies are well aware of the sizeable market that currently exists in Europe. Approximately 15 and 20 billion dollars are reportedly invested in the IT industries of Germany and France, two European Union members. Thus, it shouldn't come as a surprise that the Indian IT industry must follow the GDPR if it is to grow. Indian companies that violate the GDPR will pay a fine of either 20 million euros or 4% of their worldwide sales.

The offshoring industry in India is estimated to be worth $150 billion, or 9.3% of the world's GDP. The European Union is one of the biggest marketplaces for the Indian offshore industry because of India's lesser data protection laws, which placed it at a massive disadvantage to rival nations.

In general, the GDPR is rigorous, preventing businesses from taking a risk and making choices regarding transferring data outside the EU. Indian companies must follow the rules and take the appropriate safety procedures. This is because the process for transferring private information out of the EU would increase compliance costs.

Article 3, which covers the territorial scope of the GDPR, specifies the regulations that must be followed regardless of whether the data processing takes place in or out of the EU. This suggests that enterprises in India must abide by the GDPR's regulations to avoid being forced out of business, paying hefty fines, and being sued.

In reaction to a Cambridge Analytica data breach case, which was made public in March 2018, the European Union (EU) enacted the GDPR 2018. As a result, e-commerce companies registered in non-European nations are subject to laws that are similar to these regulations. Indian e-commerce companies must abide by the same stringent rules.

A law has been established about infrastructure and technology. The services sector would likely be impacted by the GDPR, particularly the banking, customer service, advertising, and data input industries as well as the IT sector. Unless Indian data privacy laws are deemed to be on par with the GDPR or adequately severe by EU standards, such people would not receive these services. European citizens will still need to abide by GDPR even if Indian enterprises do not interact directly with them.

This is due to the possibility that personal data concerning Europeans could be utilized for other pertinent data-processing tasks. If this was the case, Indian enterprises would be subject to harsh penalties for noncompliance. For instance, if an Indian business violates the GDPR, it could be fined.

If an Indian company uses the information of former European customers, for example, it may be subject to penalties under the GDPR. Therefore, it is crucial to take into account how data privacy is currently governed by the legal systems in India and the EU. Government agencies and industry associations like FICCI and NASSCOM must develop a legal structure that creates harmony between Indian and EU information security regimes to increase trade between India and the EU.

The new legislation will be adopted in India.

To resolve these disparities, the Indian Draft Personal Data Protection Bill, 2018, would have been tabled in Parliament during the ensuing session. To ensure that data privacy regulations do not interfere with e-commerce between India and EU member countries, this bill has taken numerous elements from the GDPR.

In addition to the differences between the GDPR and the Indian Data Protection Bill 2018, there are differences regarding data localization and the requirement that data be retained on an Indian server.

Apprehension of declining sales

The Indian e-services sector would lose its European markets and decrease its competitiveness as a result of India's comparatively weak data privacy regulations. According to the GDPR, Indian businesses would have to put in place sufficient protections to stop the transmission of private information outside of EU borders. Compliance expenditure would rise as a result. Since the GDPR is applicable outside of the EU, Indian businesses that are not compliant with it are unable to do business with EU organizations. Only nations that provide appropriate confidentiality and data subject protection are allowed to receive Europeans' personal information under the GDPR's adequacy standards.

Conclusion

India currently lacks privacy rules to safeguard its citizens, in comparison to the rest of the globe, which has laws and regulations that are intended to protect citizens' privacy. In August 2017, the Supreme Court of India held privacy rights to be a basic freedom guaranteed by the Indian constitution.

India has to make more of an effort to match its data protection legislation with the global data protection vision. The rules relieve citizens of their burden and provide businesses with a clear path to compliance.

Author:

Archita Sharma
Kanpur
Archita Sharma, IV year BA.LLB (Hons.) student from PSIT College of Law

