

A Basic Primer on GDPR and its Relevance to the Indian Context
By Neeladri Chakrabarti, Domain and Technical Lead, TCS Limited
May 25, 2018

The Regulation on General Data Protection (GDPR), devised by the European Commission, is scheduled to come into effect from today, 25 May 2018. In recent times, public media (both social and traditional) has been buzzing about the GDPR formulated by the European Union, and global businesses are sitting up and taking notice in order to comply with its requirements. The GDPR is a comprehensive update on the EU's data protection and privacy rules. Essentially, it recognizes and addresses issues of the fundamental right to data privacy of natural persons, drives a 'rights-based', consent-driven approach, creates categories of data privacy and compliance, and proposes administrative fines on businesses and compensation to natural persons for breach of regulations.

The GDPR was formulated after almost three years of comprehensive negotiations and is set to apply across the 28-member bloc to any act of 'processing data'. At its heart, the regulation aims to increase consumer confidence in the online processing (including but not limited to collection, analysis, storage, dissemination etc.) of data and aims to create greater transparency and control over data, both at the time of accumulation and in its handling after collection. An extension of the primary aim of GDPR is an attempt to provide a sense of security and transparency so that data collected by businesses are stored and safeguarded at the time of use (including providing information/purpose about collection and making copies of the data available on demand).

The GDPR's boundaries are not confined to EU members. GDPR applies globally, in fact, to all organizations that endeavor to do business in the EU. It applies in three major ways: to businesses that have establishments (whether singular or permanent) in an EU member state; that offer any form of goods and services to natural persons inside EU member states; and/or that are engaged in monitoring the behavior of any person inside an EU member state, irrespective of where the business headquarters or operation centers are situated or where the data is stored and processed. The GDPR is a successor to the EU Data Protection Directive and applies to every business (including data transfer to third parties by a parent), unless a business is specifically structured tightly to bypass any aspect of the EU.

Several important aspects of this new paradigm deal with safeguarding personal data (defined as any information related to an identified or identifiable person), any operation of controlling or processing said data (including third-party and automated data processing), and the importance of 'consent', including consent rights of children (hard capped to 13 years and below); the regulation also encourages the use of encryption and anonymization/pseudonymization of data. Failure to comply attracts strict penalties, including imposition of administrative fines up to 20 million Euro or 4 percent of the total group turnover of a business, and empowers statutory authorities to compensate individuals whose data privacy may be proven to be breached. In essence, privacy by design and by default become firm legal requirements for businesses that fall under the ambit of GDPR regulations.

How is GDPR relevant in the Indian context? The GDPR by its requirement covers a major chunk of Indian corporates doing business internationally, including but not limited to the IT majors, the software majors, e-commerce companies, merchant houses, consultancies, and any other corporate that has even a sniff of EU data. In the context of the recent judgement of the Indian Supreme Court in Puttaswamy v Union of India, which laid down the existence of the fundamental right to privacy and asked for legislation against breach of such fundamental rights, these regulations are a foundation for the protection of individual fundamental rights. Data protection laws in India are at a nascent stage, with only the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the IT Act, 2000 addressing some form of data privacy in its singular consent provision. At a stage where individual data privacy may continuously be breached by both state and non-state (private) players without recrimination, and in the absence of a comprehensive national data protection legislation, compliance with GDPR would be an essential first step to self-regulation.

Indian companies must take GDPR seriously and integrate it in their day-to-day environment. This should include analyses of how GDPR impacts business; devising internal systems for the proper collection, storage and processing of data; creating and rolling out appropriate privacy policies for all stakeholders, including comprehensive reviews of all customer-facing contracts to augment GDPR provisions; adhering to regulation by means of periodic audits/monitoring of stakeholders; and sensitizing/training employees in regulations relating to data privacy. It is important that Indian businesses wake up to protecting individual data privacy rights and recognize the same as a fundamental tenet of running ethical business operations for the future.

(The views expressed are strictly personal.)