GENERAL DATA PROTECTIONN REGULATIONS (GDPR)

DATA PROTECTION
Data protection is the process of safeguarding important information from corruption,
compromise or loss.
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize
intrusion into one's privacy caused by the collection, storage and dissemination of personal data.
Personal data generally refers to the information or data which relate to a person who can be
identified from that information or data whether collected by any Government or any private
organization or an agency.
The importance of data protection increases as the amount of data created and stored continues to
grow at unprecedented rates. There is also little tolerance for downtime that can make it
impossible to access important information. Consequently, a large part of a data protection
strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data
from compromise and ensuring data privacy are other key components of data protection.
The term data protection is used to describe both the operational backup of data and business
continuity/disaster recovery

GDPR (General Data Protection Regulations)

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the
collection and processing of personal information of individuals within the European Union
(EU). The GDPR sets out the principles for data management and the rights of the individual,
while also imposing fines that can be revenue-based. The General Data Protection Regulation
covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate
compliance officers at banks, insurers, and other financial companies. GDPR will come into
effect across the EU on May 25, 2018.

Countries falling under EU (European Union)

Austria Cyprus Finland Hungary Malta Romania Spain

Belgium Czech Republic France Latvia Netherlands Slovakia Ireland
Bulgaria Denmark Germany Lithuania Portugal Slovenia United Kingdom
Croatia Estonia Greece Luxembourg Poland Sweden Italy
 The History of the General Data Protection Regulation
The EU's data protection laws have long been regarded as a gold standard all over the world.
Over the last 25 years, technology has transformed our lives in ways nobody could have
imagined so a review of the rules was needed.
In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest
achievements in recent years. It replaces the1995 Data Protection Directive which was adopted at
a time when the internet was in its infancy. The GDPR is now recognized as law across the EU.
Member States have two years to ensure that it is fully implementable in their countries by May
2018.

Why does the GDPR exist?

The short answer to that question is public concern over privacy. Europe in general has long had
more stringent rules around how companies use the personal data of its citizens. The GDPR
replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well
before the internet became the online business hub that it is today. Consequently, the directive is
outdated and does not address many ways in which data is stored, collected and transferred
today.
According to the RSA Data Privacy & Security Report1, consumers said
 Lost banking and financial data is a top concern
 Lost security information (e.g., passwords) and
 Identity information (e.g., passports or driving license)

Were amongst the major reasons of concern.

Lack of trust in how companies treat their personal information has led some consumers to take
their own countermeasures. Respondents said they intentionally falsify data when signing up for
services online. Security concerns, a wish to avoid unwanted marketing, or the risk of having
their data resold were among their top concerns.2
Since the mid-1990’s, legislation that protects the information privacy of individuals in the
European Union (EU) has been primarily based on EU Directive 95/46/EC: the Data Protection
Directive. This is the legislative act that has set out the minimum standards on data protection in
the whole of Europe. Since the Directive has essentially not changed since 1995 and all local
legislation based on it has only seen minor updates, the European Commission and European
Parliament deemed it outdated to meet modern privacy needs and concerns. Therefore
preparations have been started over four years ago to come up with a replacement A European
data protection act that is up to date and protects individuals’ privacy in the digital world we live

1
(RSA, 2017)
2
(Michael Nadeau, 2018)
in today. That data protection act has now been finalized. It is called the General Data Protection
Regulation (GDPR) and will replace local data protection laws, such as the ones mentioned
above, being valid in every country of the EU.3
A key part of the regulation requires consent4 to be given by the individual whose data is held.
Consent means “any freely given, specific, informed and unambiguous indication of his or her
wishes by which the data subject, either by statement or by a clear affirmative action, signifies
agreement to personal data relating to them being processed”. Organisations will need to be able
to show how and when consent was obtained. This consent does not need to be explicitly given,
it can be implied by the person’s relationship with the company. However, the data obtained
must be for specific, explicit and legitimate purposes. Individuals must be able to withdraw
consent at any time and have a right to be forgotten; if their data is no longer required for the
reasons for which it was collected, it must be erased.
When companies obtain data from an individual, some of the areas that must be made clear are:
 The identity and contact details of the organization
 The purpose of acquiring the data and how it will be used
 Whether the data will be transferred internationally
 The period for which the data will be stored
 The right to access, rectify or erase the data
 The right to withdraw consent at any time
 The right to lodge a complaint.
The regulations demand that individuals must have full access to information on how their data
is processed and this information should be available in a clear and understandable way.
Individuals can make requests, and these must be executed “without undue delay and at the latest
within one month of receipt of the request”. Where requests to access data are manifestly
unfounded or excessive then small and medium‑sized enterprises will be able to charge a fee for
providing access.

What types of privacy data does the GDPR protect?

 Basic identity information such as name, address and ID numbers
 Web data such as location, IP address, cookie data and RFID tags
 Health and genetic data
 Biometric data
 Racial or ethnic data
 Political opinions
 Sexual orientation

3
(Siddhesh Hedulkr, 2017)
 Does GDPR apply to my country?
 The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in
some other jurisdictions, the GDPR is applicable to organizations of all sizes and all industries.
Specifically, the GDPR applies to:
1. Processing of anyone’s personal data, if the processing is done in the context of the
activities of an organization established in the EU (regardless of where the processing
takes place);
2. Processing of personal data of individuals who reside in the EU by an organization
established outside the EU, where that processing relates to the offering of goods or
services to those individuals or to the monitoring of their behavior.

The EU is often viewed as a role model on privacy issues internationally, so we also expect to see
concepts in the GDPR adopted in other parts of the world over time.

Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must
comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria
for companies required to comply are:

 A presence in an EU country.
 No presence in the EU, but it processes personal data of European residents.
 More than 250 employees.
 Fewer than 250 employees but its data-processing impacts the rights and freedoms of data
subjects, is not occasional, or includes certain types of sensitive personal data. That effectively
means almost all companies.5

How do I know if the data that my organization is processing is covered by the

GDPR?

The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data6 is
defined very broadly under the GDPR as any data that relates to an identified or identifiable
natural person. “Personal data” includes any data that relates to an identified or identifiable
individual. This can include data such as online identifiers (e.g., IP addresses), employee
information, sales databases, customer services data, customer feedback forms, location data,
biometric data, CCTV footage, loyalty scheme records, health and financial information and

5
(Michael Nadeau, 2018)
6
Article 4, General Data Protection Regulations(GDPR), 2016
much more. Indeed, the term is so broad that it can even include information that does not appear
to be personal – such as a photo of a landscape without people – where that information is linked
by an account number or unique code to an identifiable individual. And even personal data that
has been pseudonymized can be personal data if the pseudonym can be linked to a particular
individual. You should also be aware that the processing of certain “special” categories of
personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns
their health or sexual orientation – is subject to more stringent rules than the processing of
“ordinary” personal data.

My organization is only processing data on behalf of others. Does it still need

to comply with the GDPR?

Yes. Although the rules differ somewhat, the GDPR applies to organizations that collect and
process data for their own purposes (“controllers”) as well as to organizations that process data
on behalf of others (“processors.”) This is a shift from the previous Directive, which applied
primarily to controllers.

Compliance with GDPR

 Companies must be able to show compliance by May 25, 2018.7

 Firms violating these rules will have to cough up penalties of 2-4% of their annual
revenues or nearly $25 million, whichever is higher.8
 Upon becoming aware of a data breach, the GDPR makes it mandatory for companies to
notify users of the situation within 72 hours9. Users will also have more control over
their data by having the full authority to find out what kind of information is being
collected and used.

Fines are assessed by supervisory authorities, or Data Protection Authorities (DPAs). These
are the entities appointed to implement and enforce the European privacy laws in each member
nation. This is not new with the GDPR; the Directive that came before it addressed the
appointment, responsibilities, jurisdiction of DPAs, providing that each DPA enforces data
protection law at the national level and is also tasked with providing organizations with guidance
regarding how the privacy laws are to be interpreted.

The roles and responsibilities are generally the same after the replacement of the Directive with
the GDPR. GDPR requires that “each Member State shall provide for one or more independent
public authorities to be responsible for monitoring the application of this Regulation.”10

Both the Directive and the Regulation require that the persons acting as DPA must have the skills
and experience necessary to perform the role and be subject to a duty of professional secrecy.
7
Article 51, General Data Protection Regulations(GDPR), 2016
8
Article 83(4), 83(5), 83(6), General Data Protection Regulations(GDPR), 2016
9
Article 33 r/w Article 55, General Data Protection Regulations(GDPR), 2016
10
Article 51, General Data Protection Regulations(GDPR), 2016
The GDPR adds that each DPA must be created through a transparent procedure, although such
procedure isn’t described.

DPAs have a great deal of power in enforcing the GDPR. They are authorized to hear claims
brought by data subjects, investigate alleged violations of the GDPR and to institute legal
proceedings against violators. They are required to keep records and publish reports of their
activities and enforcement actions.

DPAs operate independently, but they also work together, with the head of one supervisory
authority per member state making up the European Data Protection Board (EDPB). The primary
task of the Board is to ensure consistent application of the Regulation across the EU states.
Chapter 7 11is all about cooperation and consistency and this is where the Board’s responsibilities
are defined.

Because each nation has its own DPA, this can complicate matters if your organization processes
personal data across multiple EU countries. You would generally only deal with a DPA if your
organization has been reported to have engaged in a serious violation of the privacy law. In that
case, your legal representatives should have experience in EU privacy law in general, the GDPR
in particular, and dealing with DPAs.

Responsibility of compliance as per GDPR lies with:-

 Data controller,
 Data processor and
 The data protection officer (DPO)

The data controller defines how personal data is processed and the purposes for which it is
processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be the internal groups that maintain and process personal data records or
any outsourcing firm that performs all or part of those activities. The GDPR12 holds processors
liable for breaches or non-compliance. It’s possible, then, that both your company and processing
partner such as a cloud provider will be liable for penalties even if the fault is entirely on the
processing partner.13

The GDPR requires the controller and the processor to designate a DPO14 to oversee data
security strategy and GDPR compliance. Companies are required to have a DPO if they process
or store large amounts of EU citizen data, process or store special personal data, regularly

12
Articles 60-76, General Data Protection Regulations(GDPR), 2016
13
(Michael Nadeau, 2018)
14
Article 37, General Data Protection Regulations(GDPR), 2016
monitor data subjects, or are a public authority. Some public entities such as law enforcement
may be exempt from the DPO requirement.

How do the regulations seek to protect consumers?

Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens,
regardless of where the EU citizen resides.15
Strong penalties. Breaches can cost companies up 20 million Euros or up to 4 percent of their
annual global turnover. Some infractions are less expensive but still represent a significant
penalty.
Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-
understand, accessible form, with a clear written purpose for the user to sign off on, and there
must be an easy way for the user to reverse consent16.
Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and
freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will
also be required to notify their customers “without undue delay” after first becoming aware of a
data breach.
A reiteration of important consumer rights. This includes the data subject’s right to get copies of
their data and information on how it’s being used and the right to be forgotten, also known as
Data Erasure. Additionally, it will also allow customers to move their data from one service
provider to another.
Better systems. In order to comply with the core foundation of “privacy by design,” GDPR
requires processes to be built with data protection in mind, rather than treated as an afterthought.
Specific protection for children. Since kids are generally more vulnerable and less aware of risks,
GDPR includes guidance that includes parental consent for children up to age 16.17

How does the GDPR requirements effect the working of the companies?

The GDPR requirements will force companies to change the way they process, store, and protect
customers’ personal data. For example, companies will be allowed to store and process personal
data only when the individual consents and for “no longer than is necessary for the purposes for
which the personal data are processed.” Personal data must also be portable from one company
to another, and companies must erase personal data upon request.

15
Article 3, General Data Protection Regulations(GDPR), 2016
16
Article 7, General Data Protection Regulations(GDPR), 2016
17
Article 8, General Data Protection Regulations(GDPR), 2016
That last item is also known as the right to be forgotten. There are some exceptions. For
example, GDPR does not supersede any legal requirement that an organization maintain certain
data.

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay and the controller shall have the obligation to
erase personal data without undue delay where one of the following grounds applies:
 the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed;
 the data subject withdraws consent on which the processing is based according to point
(a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground
for the processing;
 the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2);
 the personal data have been unlawfully processed;
 the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
 The personal data have been collected in relation to the offer of information society
services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1
to erase the personal data, the controller, taking account of available technology and the cost
of implementation, shall take reasonable steps, including technical measures, to inform
controllers which are processing the personal data that the data subject has requested the
erasure by such controllers of any links to, or copy or replication of, those personal data

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member
State law to which the controller is subject or for the performance of a task carried out in
the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and
(i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) in so far as the right referred to in
paragraph 1 is likely to render impossible or seriously impair the achievement of the
objectives of that processing; or
 e) For the establishment, exercise or defense of legal claims.18

Several requirements will directly affect security teams. One is that companies must be able to
provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR
means by “reasonable” is not well defined.

What could be a challenging requirement is that companies must report data breaches to
supervisory authorities and individuals affected by a breach within 72 hours of when the breach
was detected. Another requirement, performing impact assessments, is intended to help mitigate
the risk of breaches by identifying vulnerabilities and how to address them.

18
Article 17, GDPR (General Data Protection Regulations),2016
 IN INDIA

Current Position

India presently does not have any express legislation governing data protection or privacy.
However, the relevant laws in India dealing with data protection are the Information Technology
Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is
likely to be introduced in India in the near future.

The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of
compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of
personal data and violation of contractual terms in respect of personal data.

Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate who is
possessing, dealing or handling any sensitive personal data or information, and is negligent in
implementing and maintaining reasonable security practices resulting in wrongful loss or
wrongful gain to any person, then such body corporate may be held liable to pay damages to the
person so affected. It is important to note that there is no upper limit specified for the
compensation that can be claimed by the affected party in such circumstances.

Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information,
knowingly and intentionally, without the consent of the person concerned and in breach of the
lawful contract has been also made punishable with imprisonment for a term extending to three
years and fine extending to Rs. 5,00,000 (approx. US$ 8,000).

It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance of
privacy and secrecy of the information, provides that where the Government is satisfied that it is
necessary in the interest of:

 the sovereignty or integrity of India,

 defense of India,
 security of the State,
 friendly relations with foreign States or
 public order or
 for preventing incitement to the commission of any cognizable offence relating to above
or
 for investigation of any offence,

The Government has notified the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only deals with
protection of "Sensitive personal data or information of a person", which includes such personal
information which consists of information relating to:-
  Passwords;
 Financial information such as bank account or credit card or debit card or other payment
instrument details;
 Physical, physiological and mental health condition;
 Sexual orientation;
 Medical records and history;
 Biometric information.

Data processing is, generally, "the collection and manipulation of items of data to produce
meaningful information.” In this sense it can be considered a subset of information processing,
"the change (processing) of information in any manner detectable by an observer."19

Impact of GDPR on Indian Companies

GDPR regulates how ‘Personal Data’ of European citizens is managed and processed not just in
Europe, but anywhere in the world. Any organization that is dealing with the personal data of
European citizens comes under the ambit of GDPR.20

While European Parliament’s General Data Protection Regulation (GDPR) is slated to have
global and far-reaching ramifications, a degree of uncertainty looms amongst Indian companies,
especially those which are engaged in outsourced data processing activities (whether captive or
otherwise) and consequently deal with personal data of data subjects in the European Union
(EU). This uncertainty is mainly with respect to the applicability of GDPR and its implications
on their businesses. The penalty scheme prescribed under the GDPR is also a cause of concern
for such companies since GDPR permits enforceability against a data processor directly.

GDPR Regulations affecting Indian Companies

The definition of data processor under GDPR has a very wide connotation. It means any
operation performed on personal data such as collecting, recording, structuring, storing, using,
disclosing by transmission and even includes erasing and destroying. Article 3 (Territorial scope)
of GDPR21 makes it clear that it will be applicable regardless of whether the processing takes
place in EU or not.

Therefore, an Indian company processing personal data in context of activities of an

establishment of a controller or processer in EU, in all likelihood will fall within the ambit of
GDPR.

19
https://en.wikipedia.org/wiki/Data_processing
20
(Rajiv Kumar, 2018)
21
https://gdpr-info.eu/
 Changes to be expected by Indian Data Processing Units

Prior to undertaking any processing activity, Indian companies will be required to enter into a
contract with their customer (generally, a data controller). Such contract will, inter alia, stipulate
the subject-matter and duration of processing activity, its nature and purpose and the type of
personal data and categories of data subjects.

By way of such contract, a customer (the data controller) will seek from an Indian company a
flow down of the following obligations:

 Implementation of appropriate organizational measures to ensure

(i) Pseudonymisation (Pseudonymization is a data management and de-identification
procedure by which personally identifiable information fields within a data record are
replaced by one or more artificial identifiers, or pseudonyms) and encryption of personal
data;
(ii) Confidentiality and integrity of processing systems;
(iii) Restoration of availability and access to personal data after a physical or technical
incident; and
(iv)Regular testing and evaluation of such measures;
 In the event of a personal data breach, the same must be notified to the customer without
undue delay after it becomes aware of such personal data breach; and
 Carry out a data protection impact assessment prior to commencement of the processing
activity.22

TAKEAWAYS FOR INDIA

It must be noted that GDPR mandates that the contract between data controller and processor
will necessarily comprise of the obligations stated above. In addition to the foregoing, an Indian
company carrying out data processing will also be obligated to allow the customer to conduct an
audit and inspection of its systems to demonstrate compliance with the above. Further, the right
of a data processor to subcontract their obligations has been curtailed and made conditional to
the data controller’s approval. Therefore, the ability of an Indian process outsourcing
company to refuse flow-down of contractual obligations has been severely impacted.

A keystone of GDPR is the stipulation of ‘adequacy requirements’23 which restrict the transfer
of personal data to any third country or international organization that does not “ensure an
adequate level of protection.”

The Supreme Court’s judgment24 last year establishing privacy as a fundamental right has put
India on the same page as the EU in terms of their outlook on privacy. The country’s data
22
(Harsh Walia and Shobhit Chandra, 2017)
23
Article 45, General Data Protection Regulations(GDPR), 2016
24
Writ Petition (Civil) No. 494 of 2012, JUSTICE K. S. PUTTASWAMY (RETD.) AND ANR. VS UNION OF
INDIA AND ORS.
protection law, being drafted by a government-appointed committee, is being closely monitored
by the European Union and could be a major deciding factor for getting the adequacy status for
the domestic IT industry.

To add to this, whether or not India will meet the ‘adequacy requirements’ will be discerned by
the manner and profundity with which the Forthcoming Legislation deals with these ‘adequacy
requirements’. While Privacy Judgment has presented several anecdotes for the legislature to
consider while framing this legislation, it will be interesting to see to what extent they are
adopted. Many experts anticipate that the Forthcoming Legislation will be on the lines of GDPR
and this may aid its acceptance by the European Commission.25

India’s demonetization move was followed by the Union Budget for 2017 that outlines an
ambitious goal of achieving 25 billion digital transactions in 2017-18 -- which means the
Government will need to ensure security and regulatory compliance of unprecedented number of
websites and web applications offering digital transaction services. With the Goods and
Services Tax or GST coming into effect recently, all businesses will now have to maintain
electronic invoices on the cloud. India could draw on an over-arching data protection regime by
building on GDPR. However, data protection cannot be in the government sphere alone.
Businesses in India can also take cognizance and bring in strong data protection measures akin to
GDPR that will only enable their growth in the long run.26

One area to be considered is the electronic consent architecture in India, which is a global first,
but this needs to be extrapolated further. For instance, Indian citizens should be able to claim
penalties, if businesses failed to obtain clear consent to use their personal data. In the horde of
digital marketing, consumer right to opt-out is often not delineated or respected. Also, there is
the question of what constitutes as personal and sensitive data. Freely available data like a
person’s name and email ID could be classified as personal data, while information about a
person’s net worth or investment decisions, should be treated as sensitive data, which requires
stronger governance and compliance measures. Digital marketers should be able to leverage
technology to classify data categories based on such rules.

GDPR, which replaces a 20-year-old system, allows specific industries to be tagged with the
‘data adequate’ status under European law as compared to entire countries being tagged if they
are fully complaint.

Gagan Sabharwal, senior director, global trade development at Nasscom, said it is difficult to
estimate an opportunity cost from GDPR because India is not a ‘data adequate’ country as per
European law. “There are some negatives in the new regulation but the positive is that now there
is a legal framework available where they can categorize the Indian IT sector as ‘data adequate’
without having to stamp all over India.”27

25
(Harsh Walia and Shobhit Chandra, 2017)
26
(Rajiv Kumar, 2018)
27
(Surabhi Agarwal, 2018)
The Indian information technology and IT-enabled services industry would be the most affected
by the new law since it derives almost 30% of its revenues from Europe.28

28
(Surabhi Agarwal, 2018)
References

Harsh Walia and Shobhit Chandra. (2017, December 20). Impact of GDPR on Indian data processing
companies. Retrieved from Data Quest: http://www.dqindia.com/impact-general-data-
protection-regulations-indian-data-processing-companies/

Michael Nadeau. (2018, April 13). CSO. Retrieved from General Data Protection Regulation (GDPR)
requirements, deadlines and facts: https://www.csoonline.com/article/3202771/data-
protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

Rajiv Kumar. (2018, March 22). GDPR: What does it mean to india? Retrieved from Nasscom Community:
https://community.nasscom.in/community/discuss/policies/gdpr/blog/2018/03/22/general-
data-protection-regulationgdpr-what-it-means-for-india-and-the-world

RSA. (2017). Data Privacy and Security. France, Germany, Italy, the United Kingdom and the United.

Siddhesh Hedulkr. (2017, November 22). Impact od GDPR on indian organizations. Retrieved from CTA
Profesional Network: http://ctapn.com/archives/755

Surabhi Agarwal. (2018, April 13). The Economic Times. Retrieved from Europe's data protection law may
have severe implications for India’s IT industry :
https://economictimes.indiatimes.com/tech/internet/europes-data-protection-law-may-have-
severe-implications-for-indias-it-industry/articleshow/63741020.cms

TECHNOLOGY, M. O. (2011 , April 11). Retrieved from

http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf