Many organizations in India are now concerned about the need to be compliant with GDPR before the deadline of 25th May 2018. They must be receiving many e-mails from their business partners abroad with the query “Are You GDPR Compliant”?. There is therefore a scramble in the industry circles about how to be GDPR compliant in quick time.
Any compliance program is a “Journey”. It is not completed in a day. In any compliance journey it is always tough to make the beginning. Once begun, the task is half done. The same applies to GDPR compliance also. Start your GDPR compliance and you would be able to say “I am in the process of achieving GDPR Compliance”.
The first milestone to achieve is “We are GDPR Ready”. This GDPR readiness is important for all data processors who are now negotiating a data processing contract with a EU GDPR sensitive business partner who is constrained to ask the question about your GDPR readiness before starting the business dialogue with you. Before GDPR sensitive data comes into the systems and it is operated in a compliance regime for some time, it is not possible to test the real GDPR compliance of any organization.
Hence, before the actual processing of GDPR sensitive data commences and it is observed for a certain period, it is difficult to jump to the conclusion that any organization is “GDPR Compliant”. If they have instituted all measures required for compliance, the organization may however declare themselves to be “GDPR Compliance Ready” and nothing more.
Indian Companies who are Data Processors need to understand that their main obligation is with the Data Controller who hands over the “Personal Data” which comes under the material scope of the GDPR (Article 2.1) under a “Processing Contract”. The main liability for GDPR compliance is for the Data Controller and not the Indian Business Associate. (Unless the Indian Company is more than a mere Business Associate for data processing but indulges in direct collection of relevant data.).
The First question which any Indian company has to ask a controller is therefore,
Do you have a GDPR Compliance Check list for a non EU data processor? If so, please share it with us and we will make necessary arrangements. Otherwise, we are “Ready” to understand what could be your requirements and how it can be met at our end.
I will not be surprised if many of the Data Controllers think that EU GDPR is also applicable to extra territorial jurisdictions like India and India does not have any other local laws which may be in conflict. They may therefore presume that you are as much aware as them about GDPR and there is no need for them to tell you how to be GDPR compliant.
If you have such a client, then you can tell them,
“Yes, we are aware of GDPR and if you want, we can think on your behalf and implement GDPR for you. But this will be a GDPR consultancy contract and different from the Data Processing contract and will be charged separately”
Do Indian Companies have the negotiating strength to say as suggested?…. Each company needs to ask itself.
GDPR imposes liability mainly on the Data Controller and expects them to implement the Compliance requirements at the design stage of the process. It is only the Data Controller who knows what for the data is being collected and how it needs to be processed. It is only the Data Controller who has access to the drafting of the “Informed Consent” and getting it from the Data Subject. The Data Processor is not directly involved in determining the purpose of collection and the processing requirements.
There may be an exceptional case where the Data Controller has the right to determine how the data has to be collected but engages a sub contractor to create and manage a website or a system through which the data is collected after providing the necessary disclosures and obtaining the consent. In such a case, the Data Processor is himself the “Data Collector”. But still it is the responsibility of the Data Controller to specify in the service contract how the Data Collector cum Data Processor collects and processes the data.
Hence the “Data Processing Engagement Contract” becomes the key to start GDPR compliance and will be the starting point for compliance in India. Either the Data Controller has to come up with one such document or say, we donot have a detailed agreement on how the GDPR compliance is required to be done but please consider the GDPR document as part of this agreement. Interpret it in your context and be compliant.
An Indian company keen on the business may jump at such an opportunity with or without charging extra fees for consultancy. However in such cases the responsibility to interpret GDPR clauses shifts to the Indian company. We all know that legal interpretations are always daisy. There may be differences in interpretation and the interpretation of the Indian company may not be agreed upon by the EU company when a dispute actually arises.
Hence in such cases, it is necessary for the local company to conduct a GDPR Impact analysis in the context of what is envisaged in the contract and develop a written document that is sent to the principal for his information and confirmation. In this document, the obligations that the local company takes and the obligations it does not want to take or cannot take because of conflict with the local laws can be specified.
Once this “GDPR Impact Assessment and Implementation Plan” is documented in a contractually agreeable manner, the Indian company can go ahead and implement the requirements from the technical perspective, test it to the extent possible and if everything goes well call itself “GDPR Compliant”.
The principal has the right to inspect the implementation plan, run his own tests and be satisfied beyond the claims of the local company at any time either before starting the processing contract or later.
Since there is a cost to “Getting GDPR Ready”, if the Data Controller imposes a condition that “You should be GDPR ready before …. and I will inspect and have the right to reject”, the local company should either take the cost of getting GDPR ready as a cost of business promotion or collect it separately as additional preparatory cost.
I presume that wise Indian companies have already adopted these measures.