The Rights of the Data Subject under GDPR

GDPR is an extension of the earlier Data Protection regulation in the EU, and hence the Privacy Principles included in GDPR as a “Right of the Data Subject” are not unfamiliar to the data processing community in India. However, in view of the huge penalties envisaged under the regulation, it is necessary for data processors to keep reminding themselves of the expectations under GDPR, whereby a Data Subject may raise issues of Privacy infringement leading to a claim of compensation, besides instances where the regulator himself may initiate action on observing any non-compliance.

Let us therefore take a fresh look at some of the key Data Subject Rights that are of concern to the Data Processor and the Data Controller since they are expected to provide “Privacy Protection By Design”.

The established norm of Privacy by Design is that Privacy Protection should be a proactive exercise and should be embedded into the design of the data processing activities, including the software.

The first step in Privacy Protection is “Obtaining a Proper Consent after Adequate Transparent Disclosure”. Most of the time companies take “Consent”, but without being transparent in their disclosures and without providing sufficient opportunity for the user to review the Privacy Policy and withdraw the consent if required.

GDPR requires that the data subject should be given “Access” to the data on request and also the right to “Demand Rectification and/or Erasure” of data.

If the Data Controller/Processor does not have a proper identification of the data subject, then obviously it would be difficult to meet the request for access and request for erasure since the company may not know who exactly is asking for the access or erasure.

At the same time, once identity is associated with the data, the benefits of processing data without identification cannot be availed of.

Further, the “Right to Erasure” is many times in direct conflict with the “Right of the Law Enforcement” and the “Right of the Judiciary” to the preservation of “Evidence”.

Matters become complicated when there is a local law which may interfere with the GDPR and requires either disclosure or retention of data in a manner which is apparently not within the provisions of GDPR.

Hence, on any request for access or erasure, the first task for the company is to follow the correct procedure for verifying the request, and the decision to allow access or erasure, or to refuse it, should be based on established procedures and documented.

This is one area where many of the Indian data processors may find themselves wanting.

While the large Indian IT entities may be able to manage the GDPR requirements because they have access to the knowledge of how to comply and the resources to make things happen, it is the smaller entities which will lose their business due to their inability to meet the demands of GDPR.

We have seen that with the hardening of HIPAA, the home-based Medical Transcription community was eliminated from the market. Similarly, with GDPR, the smaller entities will have to exit the business of data processing, and this is an issue that NASSCOM needs to address.

The so-called “Personal Sector”, consisting of IT professionals who often give up their jobs and take up independent ventures, will now find it difficult to build a business that meets the requirements of GDPR.

Those small and medium enterprises which have the necessary expertise therefore need to consolidate into an informal group or a society and ensure that certain standards are established in the community, providing an assurance to EU Data Controllers that they can use their services.

Unless NASSCOM tries to help out these SMEs, such a coordinated approach to building a “Privacy Secure Process Oriented Community” of data processors in India is unlikely to develop, and this is one reason why India may see an erosion of IT business in the coming days.

Hopefully the industry and NASSCOM will rise to the occasion and meet the demands of GDPR, at least to protect their existing business.

Naavi
