There is a common perception amongst privacy and business leaders that they do not need to take any action for India’s PDPB if they have already taken action to comply with the EU GDPR. While the amount of work may not be as large, companies still need to take specific actions for the PDPB. This article describes what actions companies that are already GDPR compliant will need to take to become compliant with the PDPB.
The Context
India’s Personal Data Protection Bill (PDPB) is in its final stages of approval. Inspired by the EU General Data Protection Regulation (GDPR), the PDPB is sometimes referred to as India’s GDPR. This is because the EU GDPR is currently the gold standard when it comes to privacy laws: most privacy laws passed after the GDPR have borrowed concepts and principles from it, and India’s PDPB is no exception in replicating quite a few of them. At the level of principles or concepts, you may believe that the two laws are similar and that compliance with one means compliance with the other. However, as you dig deeper, there are significant variations that require specific actions when it comes to compliance with the PDPB. Let us dive into what your company will need to do specifically for the PDPB even if it is already GDPR compliant. Of course, compliance is always relative, and there is no such thing as 100% compliance.
The differences
There are many differences that you will need to be cognizant of. For now, let us focus on 10 key areas that are significantly different in the PDPB and will require you and your company to start working on them:
- The territorial scope: Under the EU GDPR, the scope is limited to the processing of personal data of EU residents. The PDPB, however, states that any processing being done in India falls within its scope. This means that your company may have taken the necessary actions to cover the processing of EU residents’ data, but it will now need to extend that protection to all processing being done within India. This has consequences for processors that may have contracts with companies that need to comply with the EU GDPR, but now need to extend similar protection to almost all processing being done in India.
- Definition of personal and sensitive data: The EU GDPR defines personal data as anything that identifies a person directly or indirectly. The PDPB, however, also treats inferred data as personal data. Similarly, the PDPB classifies ‘financial data’ as sensitive data. Further, the PDPB has a provision allowing the government to define additional categories of sensitive data. So, to comply with the PDPB, you will need to reconsider the way your company defines personal and sensitive data, and adapt processes and systems to add ‘financial data’ to the ‘sensitive data’ category. Ideally, adapting your processes and systems so that they can accommodate additional categories in the sensitive data definition will be the preferable approach in the longer term.
- Legal basis for processing: The EU GDPR and the PDPB have different sets of legitimate bases for the processing of personal data. More specifically, the PDPB does not provide for processing under a contract, because it leans more on consent. Furthermore, the PDPB has something called ‘reasonable purposes’. So, even though your company mapped all its processing activities to legitimate bases as part of GDPR compliance, that mapping may need to be reviewed again. Once you do so, there will be changes to systems and processes as well.
- Consent: The EU GDPR requires consent to be explicit, clear and informed, while consent under the PDPB is more like a contractual obligation. Furthermore, sharing information through a privacy notice may also be considered consent under the PDPB. So, there is a choice to be made by your company on whether to continue to lean on the GDPR consent approach and add a contractual agreement as consent when processing in India, or to consider a completely different approach. Either way, this is a significant and fundamental piece that determines your compliance actions under the PDPB.
- Legitimate interest: The EU GDPR allows controllers to designate certain processing activities as a legitimate interest. In the PDPB, however, this designation is made by the Data Protection Authority (DPA). So, your company will need to justify and validate its choice of processing as a legitimate interest with the DPA. And, what if the DPA does not agree? I hope this will change before the final text is approved.
- Children’s age:..