Today is 25th May 2019, a year after the GDPR came into effect. During this one year, Indian companies and the professionals in the Data Protection domain have discussed the impact of GDPR in great detail.
When we started the year, GDPR in principle had been known for two years, but companies had not taken any action towards its implementation. There was an expectation that the date could be extended. But when it dawned on the industry that no extension of the date was in the offing, there was panic all round.
Indian companies were pushed to a higher level of panic by their US vendors who, out of their general concern over the huge stakes involved, demanded compliance from their Indian data processing contractors without fulfilling their own responsibilities as the Data Controllers.
It has taken a full year for this panic to subside. Now Indian companies are aware that in most cases they are not Data Controllers. They are Data Processors, and from a different legal jurisdiction. Their liabilities are therefore confined to the contract with the vendors from the US or EU, who are the Data Controllers and who have to clearly indicate what “Privacy By Design” means in the specific context of the data processing contract between the two.
Indian companies have also now realized that the EU does not have direct jurisdiction over Indian companies that do not have offices in EU countries. Their liabilities arise only out of the indemnity contracts they might have signed.
In many cases, Indian companies had engaged sub-contractors who were actually discharging the functions of a “Data Controller”, whereas the Indian company that was the principal in the contract was itself only a Data Processor to another Data Controller, who appeared to be merely a customer of the Indian Data Processor.
I suppose some of this role clarification might have occurred by this time and people are aware who is the Data Controller, who is the Joint Data Controller, who is the Data Processor, who is a sub-contractor and who is the Data Recipient.
Secondly, initially there was also confusion on what data is subject to GDPR. Many of the companies did not have a mechanism to identify the data of EU citizens relating to their activities in the EU, or to identify the activity in the EU region that they were profiling. The classification of stakeholding data was therefore a difficult hurdle to pass through.
I hope companies have made some progress in this direction by now.
Once the roles are clarified and the stakeholding data is identified, companies have the technical wherewithal to implement compliance measures such as “Pseudonymization”, “Encryption”, “Access Control” and other measures that would be required for compliance.
This part of the compliance was perhaps the easier aspect, since some tools were available and more could be acquired or created.
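Of the measures named above, pseudonymization is the one most often done wrongly, typically by replacing an identifier with a plain hash that anyone can recompute from a guessed e-mail address. The following is an added illustration, not code from this site or from the pseudonymization system Naavi mentions later on this page: it replaces the direct identifiers in a set of constructed customer records with a keyed HMAC token, keeps the token-to-identity lookup separately (the “additional information” that GDPR Art. 4(5) requires to be held apart from the processed data), and contrasts that with an irreversible anonymization that drops identifiers and generalizes the age. The records, the key and the field names are all assumptions made for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records (no real persons): the view an Indian processor
# might receive from an EU controller.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "anna@example.eu", "name": "Anna K", "age": 34, "city": "Berlin", "purchases": 3},
    {"email": "luc@example.fr", "name": "Luc D", "age": 41, "city": "Lyon", "purchases": 1},
    {"email": "anna@example.eu", "name": "Anna K", "age": 34, "city": "Berlin", "purchases": 2},
]

# Fields that identify a data subject directly and must not reach the processor.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for an identifier (HMAC-SHA256, truncated).

    An unkeyed hash is not adequate pseudonymization: an attacker can hash a
    guessed e-mail address and match it. Only the holder of `key` can do so here.
    The identifier is normalized so "Anna@Example.eu " and "anna@example.eu"
    map to the same data subject.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize_records(records: List[Dict[str, object]], key: bytes) -> Tuple[List[Dict[str, object]], Dict[str, Dict[str, object]]]:
    """Return (processing_copy, lookup).

    processing_copy: records with direct identifiers replaced by one token; the
                     same person yields the same token, so the processor can still
                     aggregate per data subject without knowing who they are.
    lookup:          token -> original identifiers; the controller keeps this
                     (together with the key) away from the processor.
    """
    processing_copy: List[Dict[str, object]] = []
    lookup: Dict[str, Dict[str, object]] = {}
    for rec in records:
        token = pseudonym(str(rec["email"]), key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        processing_copy.append(stripped)
    return processing_copy, lookup


def reidentify(token: str, lookup: Dict[str, Dict[str, object]]) -> object:
    """Reverse step available only to whoever holds the separately stored lookup."""
    return lookup.get(token)


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_records(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Irreversible variant: no token, identifiers dropped, age generalized.

    Unlike the pseudonymized copy, rows of the same person can no longer be
    linked, which is exactly why anonymized data falls outside GDPR.
    """
    return [
        {"age_band": age_band(int(r["age"])), "city": r["city"], "purchases": r["purchases"]}
        for r in records
    ]


def purchases_per_subject(processing_copy: List[Dict[str, object]]) -> Dict[str, int]:
    """Work the processor can still do on pseudonymized data: per-subject totals."""
    totals: Dict[str, int] = {}
    for rec in processing_copy:
        token = str(rec["subject_token"])
        totals[token] = totals.get(token, 0) + int(rec["purchases"])
    return totals


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-by-controller"  # assumption: never shipped with the data
    processing_copy, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    print("processor sees:", processing_copy)
    print("per-subject totals:", purchases_per_subject(processing_copy))
    print("controller can reverse:", reidentify(processing_copy[0]["subject_token"], lookup))
    print("anonymized:", anonymize_records(SAMPLE_RECORDS))
```

The design point is the split: the processor receives only `processing_copy`, the controller retains `key` and `lookup`, and a contract that calls for “Privacy by Design” should say which party holds which half.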
The last hurdle was the creation of an organizational culture that is conducive to compliance. Typically, in the initial days, the hype was sufficient to make every employee aware that GDPR is big, that there will be huge penalties, etc.
But this awareness does not automatically convert itself into a compliance culture. Further, the enthusiasm is likely to wane as the days go by.
Hence at the end of the first year, what Indian companies need to review is whether the employees are sufficiently tuned to the compliance culture.
This should be the task before every Indian Company exposed to the GDPR risk in this coming year.
As regards Indian companies, the coming year will be even more complicated from the point of view of Privacy Compliance. With the return of Mr Modi as the PM, the unfinished jobs of the previous regime will move forward without much of a hurdle. One of the tasks that remained unfinished in the previous regime was the passage of the Personal Data Protection Act.
We can now expect that the likelihood of the Bill being reintroduced, and perhaps taken up by a Standing Committee for finalization, in the very first session of Parliament is very high. I expect that the Data Protection Authority will be set up in the next 6 months and things will start rolling fast.
Indian Companies therefore need to incorporate the Indian PDPA compliance into their GDPR compliance plan at the earliest. Otherwise they will have to face a restructuring exercise a little while later.
Naavi’s initiatives for the coming year
Naavi has tried to make the industry realize that the time for action is now, before the PDPA becomes the law.
The FDPPI (Foundation of Data Protection Professionals in India) was formed by Naavi and his friends to address this issue of spreading the relevant knowledge and creating a knowledgeable, skilled and ethical ecosystem for data protection in India.
Now in 2019, FDPPI is likely to develop as the main representative of the Data Protection Industry in India and undertake activities that will enable the smooth implementation of PDPA of which GDPR would be a part.
Naavi on his own is in the process of developing the PDPSI (Personal Data Protection Standard of India), which will incorporate the best global industry standards within the framework of the Indian Data Protection compliance requirements.
Further, Cyber Law College, which is the education wing of Naavi, will start operating a new division on Data Protection education and training.
Ujvala Consultants Pvt Ltd, which is the consultancy wing of Naavi, will focus on developing Data Protection related consultancy with greater vigour.
During 2018, Naavi was working on a system of pseudonymization and anonymization for which a provisional patent had also been applied. Now Naavi intends to integrate it as a part of the PDPSI implementation structure and throw the idea open for implementation.
In the meantime, Naavi.org along with the Privacy Education Center (www.privacy.ind.in) and other associate websites will continue to spread knowledge through the web.
The coming months therefore appear exciting, as we look forward to a new Government, new initiatives and a new hope.