Indian Professionals (particularly CAs) have come a long way in building successful outsourcing businesses in the areas of Accounting, Tax, Finance and other allied areas. Thanks to internet, social media growth, digitisation, cloud computing etc., the way business is done is constantly evolving. Another wave of turbulence is expected in the form of Data Privacy laws that may drastically alter the ways in which we deal with the data in the future. Therefore, it is imperative to take note of developments in this arena to stay compliant, be competitive and successfully meet challenges posed by the regulatory changes.
Few professionals wonder whether these developments directly affect their day to day operations; thanks to disruption caused by GST implementation in the last one year, we are still recovering! At least one section of professionals who are involved in cross border rendering of services, outsourcing operations, offshore document processing etc. are situated in the direct line of sight and will be certainly affected by the developments in this area. Overseas clients have started demanding compliance with data privacy standards before committing future business. Therefore, this subject is not academic anymore. Here is a concise write-up that dwells on certain fundamental principles.
On 14th April 2016, EU parliament approved the General Data Protection Regulation (GDPR). After a two year adoption period, the regulations are effective 25 May 2018. In India, the 10-member “committee of experts” headed by former Supreme Court Justice B N Srikrishna recently submitted the draft of the Data Protection Bill (on the lines of GDPR). However, unlike GDPR, which involved a thorough process of consultation and evolution over four years, the committee report is more revolutionary in approach. Either way, one thing is certain, lot of developments in the coming days!
The GDPR replaces the earlier Data Protection Directive 95/46/EC which was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. (Please note it was a ‘Directive’ that provided guidance which was non-binding in nature; but the current ‘Regulation’ is legally enforceable).
Both the GDPR and the Directive 95/46/EC are based on an even older set of principles. The Organisation for Economic Co-operation and Development (OECD) published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was a set of recommendations endorsed by both the EU and the US that set out to protect personal data and the fundamental human right of privacy. The document was originally adopted on 23 September 1980 and proposed the following eight principles for the processing of personal data. These principles are relevant and still hold true even today.
Collection Limitation: There should be limits to the collection of personal data, data should be obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.
Data Quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification: The purpose for the collection of data should be specified at the time of collection and data should not be used for anything other than its original intention without again notifying the data subject.
Use Limitation: Personal data should not be used for purposes outside of the original intended and specified purpose, except with the consent of the data subject or the authority of the law.
Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Individuals should have easy access to information about their personal data, who is holding it, and what they are using it for.
Individual Participation: An individual should have the right to know if a controller has data about him/her and to have access to that data in an intelligible form for a charge, if any, that is not excessive. An individual should also have the right to challenge a controller for refusing to grant access to his/her data, as well as challenging the accuracy of the data. Should such data be found to be inaccurate, the data should be erased or rectified.
Accountability Principle: Data controllers should be accountable for complying with the measures detailed above.
Who does the GDPR affect?
The GDPR applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Imagine a professional firm in India handling tax or payroll data of individuals in the EU region, which contains personal data; such firms are squarely hit by these regulations. Are you one among them?
What constitutes personal data?
The GDPR applies to ‘personal data’ i.e. any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Examples of personal data
- a name and surname;
- a home address;
- an email address such as name.surname@company.com;
- an identification card number; (Social Security Number, Driver’s Licence Number, Tax ID etc.)
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Examples of data not considered personal data
- a company registration number;
- an email address such as info@company.com;
- anonymised data
Complete body of regulations deal with many topics in detail like subject’s right to access data, right to be forgotten (Data erasure), consent requirements, concept of data minimisation, notifications of breach, data protection authorities, strict penalties for violation, increased scope (in the nature of extra-territorial applicability) etc.
Professionals (or enterprises) directly affected by these developments may consider professional assistance in the form of one time exercise to evaluate compliance with the data privacy standards, review their IT policy, review data security safeguards and may even consider certifications that lend credibility to their operations.
Regardless of global developments, the data privacy laws are imminent in India as well. In the coming days, one may have to devote greater focus in this area, to be prepared for changes and to continue being relevant in the marketplace.
Reference: https://ec.europa.eu and https://www.eugdpr.org
Author can be reached at guru.kasar@mail.com
Author Bio
