What is GDPR (General Data Protection law)?
What does the GDPR do?
GDPR enshrines data protection and privacy rights for European users, and holds companies handling their data, wherever they may be, liable for violations. The penalties run into hefty fines — the highest being 20 million euros or 4% of annual turnover — whichever is greater. Facebook has sprung into action to redistribute its data-handling operations. Microsoft-owned LinkedIn has done the same. Twitter has updated its privacy policy too. Indian tech, publishing and e-commerce companies will also have to review how they handle, store and erase data.
What does the law say?
The EU law comes into force on May 25, and decrees that consumers or “data subjects” have a right to erasure of their data and a right to port their data from one place to another. It also places a premium on the data subjects’ consent to collection and processing of data. Although the law is being introduced in the EU, its ramifications extend the world over.
That is because it is not focused on regulatory measures for tech companies, but rather on the protection of EU citizens and their data. Since internet and tech companies the world over handle data from across the globe, the consequences of breaking the law extend to them. The law was introduced in 2016, with data controllers and processors the world over given two years, until this year’s May deadline, to comply.
What's the status of Indian companies when it comes to compliance?
Experts and industry watchers say Indian companies are still behind when it comes to GDPR compliance. "Most companies have woken up to this only six months ago. Some of the Fortune 500 companies and other MNCs have done good work in data discovery and information flow mapping. Smaller organisations feel it is a distraction from core business," says Shree Parthasarathy, national leader for cyber risk services, Deloitte.
Industry bodies in India are attempting to handhold companies through the regulatory maze. Nasscom and the Data Security Council of India held familiarisation workshops in March in Delhi, Mumbai and Bengaluru.
What does it mean for Indian users of internet-based services or products?
You will continue to use online products and services the way you did. The EU law is not designed to protect citizens outside of it. Indian businesses handling EU user data, however, will have to take another look at the way they collect and use data or face massive fines.