
THE INSIGHT

A Basic Primer on GDPR and its Relevance to the Indian Context
By Neeladri Chakrabarti, Domain and Technical Lead, TCS Limited
May 25, 2018

THE Regulation on General Data Protection (GDPR), devised by the European Commission, is scheduled to come into effect from today, 25 May 2018. In recent times, public media (both social and traditional) has been buzzing about the GDPR formulated by the European Union, and global businesses are sitting up, taking notice and working to comply with its requirements. The GDPR is a comprehensive update on the EU's data protection and privacy rules. Essentially, it recognizes and addresses issues of the fundamental right to data privacy of natural persons, drives a 'rights-based', consent-driven approach, creates categories of data privacy and compliance, and proposes administrative fines on businesses and compensation to natural persons for breach of regulations.

The GDPR was formulated after almost three years of comprehensive negotiations and is set to apply across the 28-member bloc to any act of 'processing data'. At its heart, the regulation aims to increase consumer confidence in the online processing (including but not limited to collection, analysis, storage, dissemination etc.) of data and aims to create greater transparency and control over data, both at the time of accumulation and in its handling after collection. An extension of the primary aim of GDPR is an attempt to provide a sense of security and transparency, so that data collected by businesses is stored and safeguarded at the time of use (including providing information about the purpose of collection and making copies of the data available on demand).

The boundaries of the GDPR are not confined to EU members. GDPR applies globally, in fact, to all organizations that endeavor to do business in the EU. The GDPR applies in three major ways: to businesses that have establishments (whether singular or permanent) in an EU member state; to businesses that offer any form of goods and services to natural persons inside EU member states; and/or to businesses engaged in monitoring the behavior of any person inside an EU member state, irrespective of where the business headquarters or operation centers are situated or where the data is stored and processed. The GDPR is a successor to the EU Data Protection Directive and applies to every business (including data transfer to third parties by a parent), unless a business is specifically structured tightly to bypass any aspect of the EU.

Several important aspects of this new paradigm deal with safeguarding personal data (defined as any information related to an identified or identifiable person), any operation of controlling or processing said data (including third-party and automated data processing), and the importance of 'consent', including consent rights of children (hard capped to 13 years and below); the regulation also encourages the use of encryption and anonymization/pseudonymization of data. Failure to comply attracts strict penalties, including the imposition of administrative fines up to 20 million Euro or 4 percent of the total group turnover of a business, and the empowering of statutory authorities to compensate individuals whose data privacy may be proven to be breached. In essence, privacy by design and by default become firm legal requirements for businesses that fall under the ambit of GDPR regulations.

How is GDPR relevant in the Indian context? The GDPR, by its requirements, covers a major chunk of Indian corporates doing business internationally, including but not limited to the IT majors, the software majors, e-commerce companies, merchant houses, consultancies, and any other corporate that has even a sniff of EU data. In the context of the recent judgement of the Indian Supreme Court in Puttaswamy v Union of India, which laid down the existence of the fundamental right to privacy and asked for legislation against breach of such fundamental rights, these regulations are a foundation for the protection of individual fundamental rights. Data protection laws in India are in a nascent stage, with only the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the IT Act, 2000 addressing some form of data privacy in its singular consent provision. At a stage where individual data privacy may be continuously breached by both state and non-state (private) players without recrimination, and in the absence of a comprehensive national data protection legislation, compliance with GDPR would be an essential first step to self-regulation.

Indian companies must take GDPR seriously and integrate it in their day-to-day environment. This should include analyses of how GDPR impacts business; devising internal systems for the proper collection, storage and processing of data; creating and rolling out appropriate privacy policies for all stakeholders, including comprehensive reviews of all customer-facing contracts to augment GDPR provisions; adhering to regulation by means of periodic audits/monitoring of stakeholders; and sensitizing/training employees in regulations relating to data privacy. It is important that Indian businesses wake up to protecting individual data privacy rights and recognize the same as a fundamental tenet of running ethical business operations for the future.

(The views expressed are strictly personal.)