Globalization, an evolving data lifecycle, the growing criticality of data and rapid technology advancements have brought forth new challenges and risks, including those related to privacy protection. With developments such as Industrialization 4.0, the Internet of Things (IoT), Smart Cities, cloud adoption, mobility and wearables, a huge amount of personal data is being generated and transacted across limitless boundaries. As a result, in many geographies the privacy regime has started taking a revived shape to tackle this conundrum. Regulators and policymakers in countries like Singapore, Australia, Canada, Japan and Qatar, among others, are formulating and reviewing their regulations based on new principles and practices of data protection, so as to elevate the privacy regime to its highest pedestal. Furthermore, in the last few years the pace of lawmaking in this sphere has seen more than 100 countries enact laws to govern privacy and data protection. However, the state of legislation is still seen to be lagging behind technology developments.
The same is applicable in the Indian context. The Indian outsourcing industry stands at over USD 150 bn, contributing nearly 9.3% to the GDP. More than USD 100 bn of revenues comes from overseas, largely attributable to cross-border data flows, mostly from Western countries and the European Union (EU). With factors like data privacy and security becoming an important determinant in outsourcing, the global landscape of data flows is likely to be impacted. The EU General Data Protection Regulation (GDPR), notified in May 2016, enhances the overall privacy regime in the EU on the one hand and imposes various liabilities on outsourcing organizations in India and other parts of the world on the other.
The privacy regime in the EU has been seen as a model law/framework from which various nations’ data protection laws have been derived. The EU has emerged as a global thought leader in the formulation and stipulation of privacy law. Considering the evolving technologies and the data world around it, the EU had been working for several years on revamping its entire approach to data privacy. The EU Data Protection Directive (EU DPD) has been in force since 1998 and will continue to apply until the new regulation (EU GDPR) replaces it in May 2018. It was felt that, given the near-cataclysmic developments that have taken place since 1995, and the objective of achieving a harmonious privacy law in the EU to augment the ‘single digital market’, a review and modernization of the EU DPD was vital. It was also observed that most EU countries’ laws were not standardized and each country interpreted the EU directives distinctly. This resulted in implementation inefficiencies across the globe and also within the EU. The resulting EU GDPR therefore presents one fresh, standardized set of stringent obligations for the IT-BPM outsourcing industry to comply with. Notably, the GDPR’s provisions become applicable from 25th May 2018, two years from the date of its release. This period has been given to enable all entities that come under its ambit (data controllers and data processors) to prepare for compliance.
As the implementation deadline of May 2018 draws nearer, organizations around the world are putting in efforts to understand these rules and their impact on doing business with EU organizations. These rules govern not only organizations and data controllers in the EU; data processors outside EU countries are also under their ambit. Since the GDPR regulates cross-border data flows and impacts the functioning of organizations outside the EU, including in India, a detailed understanding of the GDPR and its direct impact on IT operations in the context of Indian organizations is of prime importance.
The GDPR uses the term ‘Personal Data’ and defines it as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. The term ‘identifiable natural person’ is defined separately as ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. It is to be noted here that the GDPR specifically treats technology-related identifiers as personal data, such as online identifiers, profiling, special categories of data, etc. It thereby takes cognizance of the changes that have taken place in the last few years in terms of technology and, consequently, in how enterprises interact with their customers and other stakeholders. Today, data may not always be collected directly from individuals but can also be observed, derived or inferred from other data sets obtained through techniques like tracking, profiling and correlation.
The GDPR has looked afresh at existing privacy principles in general and has introduced some new and strong aspects to them, namely an additional compliance burden on organizations when implementing data processing activities, limiting data to only the required and relevant purpose, obtaining consent rigorously, and many others. Article 5 of the GDPR lists the seven privacy principles for the processing of personal data – Lawfulness, fairness and transparency (Notice, Choice & Consent); Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity & Confidentiality; and Accountability.
In addition to the privacy principles, the GDPR articulates various rights granted to individuals. These rights need to be read and comprehended in conjunction with the privacy principles, as many of them relate directly to those principles. Some of the rights formulated under the GDPR are the outcome of debates that have, from time to time, required the courts’ intervention. The rights notified and explained under the GDPR are the right to be Informed, the right of Access, the right to Rectification, the right to Erasure (or right to be Forgotten), the right to Restrict Processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. In order to interpret these rights correctly and implement them, specific guidelines and clarifications have been published by the authorities in a timely manner. Notably, guidelines for identifying the Lead Supervisory Authority, defining the role of the Data Privacy Officer, implementing data portability and conducting a Privacy Impact Assessment (PIA) have been notified so far, and more will follow. Globally, organizations have already started grappling with the published ones and preparing themselves for the upcoming ones.
Note: This was part 1 of the topic – EU GDPR, briefly explaining the criticality of, and updates on, this stringent privacy regulation. The second part, with the conclusion, will describe the implementation and compliance issues being witnessed and tackled by the industry.