GDPR Compliance
The author heads the practice of Cybersecurity and Data Privacy Compliance at Bellwether. At Bellwether, he has been advocating the core principles of EU-GDPR like data minimization, purpose limitation, explicit consent and privacy by design and default. He leads the GDPR compliance consulting practice with a team of experienced consultants in the field of global data privacy regulations.
LinkedIn: https://in.linkedin.com/in/balu0103
Key points from the article
GDPR Overview: The article introduces GDPR as the European privacy law designed to protect the personal data of European Union citizens. It emphasizes that GDPR compliance is essential for organizations.
Applicability to Indian Companies: The article highlights that Indian companies, even if they do not have a physical presence in the EU, need to comply with GDPR if they serve EU clients or process data of EU citizens.
Impact on Indian Companies: GDPR compliance is not only a legal matter but also a business development concern for Indian companies, as European clients now require their vendors to be GDPR compliant.
Penalties for Non-Compliance: The article discusses the penalties for non-compliance with GDPR, which can be substantial, including fines of up to 4% of a company's global turnover.
GDPR Compliance Requirements: It outlines the key steps for GDPR compliance, such as creating data privacy awareness, conducting in-house audits, performing gap analysis, and documenting data flows.
Data Controller and Data Processor Checklists: The article provides checklists for both data controllers and data processors, detailing the steps they need to take to ensure GDPR compliance.
Information Security: It emphasizes the importance of information security policies and robust security processes in GDPR compliance.
Future Legislation: The article mentions the Indian Personal Data Protection Bill and how becoming GDPR compliant now can be beneficial when this bill becomes law.
Overall, the article underscores the significance of GDPR compliance for organizations, particularly Indian companies, and provides practical guidance on achieving and maintaining compliance with this regulation.
What is GDPR Compliance
GDPR is the abbreviated form of European Commission‘s privacy law – the General Data Protection Regulation, that came into enforcement on 25th May 2018. GDPR Compliance refers to an organization's adaption of the principles of data privacy and it's restriction of processing of personal data in line with the mandates set forth in the regulation.
Before hiring a GDPR Consultant or considering to outsource GDPR compliance, GDPR training or GDPR audit, you need to understand why GDPR compliance is important to your organization.
Before hiring a GDPR Consultant
What is PII?
GDPR compliance for Indian companies
GDPR's impact on Indian companies
GDPR requirements
GDPR penalties
GDPR checklist
Hiring a GDPR Consultant - what you need to know
During the last two decades, several countries across the globe have enacted information privacy laws or data protection laws to protect their citizens’ personally identifiable information (PII). However, the European Union's GDPR is significantly different than others due to its aggressive mandates and restrictions on the organizations that collect and process the data of the citizens of the European Union.
What is Privacy, anyways? Click here.
What is PII - Personally Identifiable Information
A PII is any data that can individually recognize a person with great accuracy. For example, Name of a person combined with the date of birth is a PII. Similarly, Address, email id, phone number are PII. Apart from these, an individual’s health information, political and religious beliefs are all declared as personal information and come under the purview of EU-GDPR regulation. GDPR is intended to protect the personally identifiable information of the citizens of the EU member states.
Since, you have visited this website, your IP address is recorded in our web server logs which can be used to identify you as a person. Hence IP addresses are also included in the definition of PII.
Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from start-ups to large enterprises.
GDPR Compliance for Indian companies
“Hey, we are an Indian business entity! And, we don’t have our business operations in EU. So, we don’t need to be GDPR Compliant“
It may sound logical that GDPR for Indian companies does not apply, at least for business entities that are operating only from India or employing only Indian citizens or those that are not engaged in business with European businesses or citizens. However, the reality is different.
For Indian companies (or companies operating outside European Union), even if they do not have business presence in EU, but serve a client in EU, then GDPR Compliance is necessary, as the regulation mandates.
The dilemma, whether GDPR compliance for Indian companies is needed or not, can be eliminated by answering two questions:
Are you an Indian company and have a business office in European Union?
Are you an Indian company and have a client anywhere in the world that does business with EU entities?
If you have answered yes for any of the above questions, then you need to hire a GDPR compliance consultant in India and may also need to create a role for Data Protection Officer/DPO in your organization.
Non-compliance with GDPR, after 25th of May 2018, could result in devastating impact for businesses not just operating or having presence in European Union, but also for Indian companies who process information of citizens of European Union
GDPR impact on Indian companies
For Indian Companies that do data processing for their customeers (viz, CRM, data analytics, data mining, big data and other technology services firms) GDPR compliance has become a business development issue as much as legal issue, since European clients now want to confirm that their vendors are GDPR compliant too.
In 2023, we have seen a surge in vendor due diligence questionnaires being sent to Indian service providers in order to assess their ability to protect personal data as well as benchmark their information security and business resilience processes. Personally, I have seen a lot of companies looking for GDPR consulting because their new prospects or customers started asking if they are GDPR compliant.
The Indian mainstream media is already abuzz with news about the hardships being faced by Indian outsourcing companies who are not prepared for GDPR yet.
The unforeseen impact is felt by many functions of Indian Companies.
Marketing managers of Indian companies are questioning if their teams can contact prospects in their marketing funnels and email lists.
Sales managers want to understand if their sales reps can do cold-calling to EU citizens.
HR teams are concerned about the personal information, in the form of resumes, they hold from the prospective employees of EU region.
IT Heads are worried about the type of access control they need to have to comply with GDPR.
Legal counsels are worried about drafting new data processing addendums with standard contractual clauses
Inspired by EU-GDPR, An Indian version of the Privacy regulation – Personal Data Protection bill has been drafted and waiting for the parliament’s nod to become an act. Read more about the Indian Personal Data Protection Bill 2018. Becoming GDPR compliant now, will be beneficial when the Indian Personal Data Protection Bill becomes a legally enforced Act making it mandatory for the Indian Tech Industry to abide by the privacy laws.
If your website has visitors from European Union, despite having no business operations in EU, your business is liable to pay penalties up to 20 million Euro or up to 4% of your company’s global turnover, for non-compliance. It may sound too harsh but that’s what the regulation says. You can read Article 84 of GDPR, which discusses the penalties for non-compliance.
Our GDPR consultants can drive your Enterprise Risk Management
Looking for GDPR Compliance Consulting?
Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from large enterprises to start-ups.
Get in touch today to talk to a GDPR Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.
GDPR penalties
Every month, since 25th of May, 2018, law suits are being filed on organizations of all sizes. Most notably, a few tech giants are facing GDPR legal suits for allegedly not complying with the European Union’s privacy regulation.
An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed a suit against Amazon,Apple,Youtube, Netflix, Spotify, and three more tech companies alleging that they have violated the terms of GDPR.
It comes as a surprise that companies like Google have failed to get things right with regards to GDPR compliance. The French Data Protection Authority had fined Google 50 million Euros, recently. Read more about GDPR Penalties.
GDPR compliance requirements
GDPR compliance requirements are the steps you have to take and processes you have to adapt in your organization that help to protect personal data of individuals.
Before you hire a GDPR Consultant
Create Data privacy awareness
Creating awareness about the implications of data privacy among all the internal and external stakeholders aka. employees, contractors, freelancers, vendors and business partners is the first step towards GDPR compliance. The leadership team should understand the importance of data protection and the same has to be effectively communicated to the entire team via a top-down approach. Moreover, conducting training and awareness about data privacy is mandated by GDPR under article 47 & article 39
Conduct an in-house audit
Conducting an in-house audit about all the data your organization holds – how it is generated, stored, transferred and used will give you a high level overview of the potential data risks you are currently sitting on. This in-house audit report can be of great help when you want to prepare your RFP to send to GDPR consultants.
After you hire a GDPR Consultant
Gap analysis
A gap analysis is the first step in identifying what is non-compliant in your organization. Your GDPR consultant needs to interact with all the departments in your company, to understand the status-quo of your processes and establish benchmarks to be met in order to transform non-compliance into compliance.
DPIA
DPIA or Data Protection Impact Assessment is the process of identifying the risks to privacy and finding solutions to address them. A DPIA many not be needed for your organization if the data processing you are doing is simple and not inherently risky for the privacy of your data subjects.
Other GDPR compliance requirements
Several other requirements are to met to be GDPR complaint. A few of them are:
Documenting Data Flows (Data flow Mapping)
Protecting Data Subject Rights (DSARs)
Lawful bases for processing (legitimate business interests, consent etc.)
Privacy policy drafting (in clear and concise language, without using much legal jargon)
Tweaking your website (explicit consent for cookies, contact forms etc.)
While a GDPR compliance checklist is exhaustive and beyond the scope of this article, the following pointers will help you understand the basic requirements to be compliant before outsourcing GDPR compliance.
Data Controller’s Checklist
If you are a Data Controller (Who is a data controller? Read here), then you might need to look into the following
Conduct an information audit to map data flows
Create an appropriate data protection policy
Identify your lawful bases for processing and documented the data you have collected from individuals.
Review how you ask for consent and record the same thoroughly in a way that can be retrieved and presented to the European Union authorities / GDPR Law Enforcement officers, when asked for.
Have internal systems to record and manage ongoing consent of the individuals, to be GDPR compliant
If your business relies on consent to offer online services directly to children, you have systems in place to manage it
Most importantly, protect individual’s legitimate rights and interests and fulfil GDPR’s aim
Pay the Data protection fee to ICO. More details here
Data Processor’s Checklist
If you are a Data Processor (Who is a data processor? Read here), then you might need to look into the following
Conduct an information audit to map data flows
Documented below personal data questions
what data you hold
where it came from
who you share it with and
what you do with it
Create a Data protection Policy
Nominate a Data Protection Officer
Communicate with your team about Data Protection compliance commitment
Understands the business impact of personal data breach and have a contingency plan
Implement technical and organisational measures to integrate data protection into your processing activities
Provide data protection awareness training to all your employees
Appoint a representative within the EU (if applicable)
Set up processes to monitor and report any personal data breaches to your controller
Set up a process to respond to a controller’s request for information (arising from an individuals’ request to access their personal data)
Have processes to ensure personal data of individuals remains accurate and up to date
Have a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the data controller
Have specific procedures to fulfil to a data controllers’ request to stop/cease the processing of specific personal data
Ensure your business can respond to a request from the controller to supply the personal data you process in electronic format
Create information security policy supported by robust security processes.
GDPR compliance checklist
Understand your Privacy risk ...
Evaluate your data security processes ...
Stay compliant ...
Avoid penalties !!!