When GDPR came into existence, it created a stir in corporate markets all over the world, including India. The immediate concern was that the administrative fines under GDPR could go up to 4% of the global turnover of an organization that is considered a “Data Controller”. Additionally, the applicability of GDPR was extended to organizations outside the EU region if they were directing their business to data subjects in the EU or were profiling the activities of individuals in the EU. Hence, companies in India were concerned about non-compliance with GDPR.
Since 25th May 2018, when GDPR came into effect, there is a better understanding of the applicability of GDPR and how it operates on entities located in India, particularly if the organization is only a processor and is not a Controller or Joint Controller.
However, the July 14, 2020 order of the Court of Justice of the EU invalidating the US Privacy Shield has given a new jolt to Indian organizations. US companies are now out of the shelter of the self-certified US Privacy Shield arrangement and are relying more on the Standard Contractual Clauses (SCC). The Controller-Processor template of an SCC is also being extended by US data vendors to their contracts with Indian data processors, along with indemnity clauses.
As a result the need for documented compliance of GDPR has increased in India.
The fundamental obligation under GDPR is to secure the personal data of EU citizens that is being processed. However, the SCC imposes a “Data Controller” obligation even on a “Data Processor” in certain exceptional circumstances. In some cases the data vendor may not be fully aware of the implications of GDPR in a given context, and the Indian organization needs to negotiate with the data vendors the inter-se responsibilities and a proper role definition.
For both these reasons, Indian companies, whether they are controllers, joint controllers or processors, would do well to implement a GDPR compliance program within their organization.
Being fully GDPR compliant will also enable Indian data processing companies to bid for business from outside India, either from the EU area itself or from many other countries where there may be no data protection regulations and GDPR is looked upon as a standard for data protection.
Presently, organizations aspire to achieve GDPR compliance through privacy frameworks such as BS 10012 or ISO 27701.
Both BS 10012 and ISO 27701 are frameworks specifically developed for GDPR compliance and address the issues of Privacy Protection envisaged in GDPR.
However, ISO 27701 is an extension of ISO 27001, and even BS 10012 makes a normative reference to ISO 27001. Both frameworks are therefore dependent frameworks and can be relied upon only if the organization is already ISO 27001 compliant.
In the Indian context, though large organizations would be comfortable with ISO 27001 + ISO 27701 as the compliance standards, SMEs and MSMEs would find it difficult to maintain ISO 27001, and hence ISO 27701 remains an impractical goal.
Also for most data processors, pursuing ISO 27701 would be an overkill.
In order to address the needs of such Indian organizations, Ujvala has adopted the standard created by Naavi under PDPSI and its extension PDPSI-GDPR as the effective alternative to ISO 27701.
The compliance framework of PDPSI-GDPR would be more than sufficient to cover all aspects of ISO 27701 along with ISO 27001.
Lead implementers for this implementation are also being developed by Cyber Law College through its certification programs in association with FDPPI. The consultants of Ujvala will be adopting this framework for GDPR compliance.
The PDPSI-GDPR in its full implementation mode is a step ahead of ISO 27701, with a Data Trust Score to indicate the maturity level of the organization in terms of implementation of its GDPR compliance program.