ITRA

Personal Data Protection Bill


Data privacy and protection has been the buzzword over the past couple of years across the globe. With nations building new laws and amending existing ones to address the vulnerabilities associated with their citizens' personal data, India has followed suit by introducing the Personal Data Protection Bill 2018 – 2019, which is awaiting enactment into law.

The draft bill for collective Data Privacy was built with the essence of fair and reasonable processing at its core. It is fair to assume that the bill was drafted to determine what would be considered the rightful and lawful processing of personal data. As with most global data privacy and protection laws, this bill also places the responsibility for compliance with its requirements on the data fiduciary (the entity responsible, directly or indirectly, for collecting personal data). The data processor, the entity responsible for processing or acting on the personal data to extract any meaningful information, is not directly responsible for compliance with the bill but would be bound by contractual obligations imposed by the data fiduciary.

The bill defines the acceptable grounds for collecting/processing personal data:

The most significant being CONSENT: The bill aims at giving the controlling power to the data principal, therefore providing them with the right to access, update, correct and request the erasure of their data and thus be forgotten (permissible within legal and lawful parameters). The bill attempts to provide the citizens of India with comprehensive rights, with the intent to build a trustworthy relationship between the data principal and the data fiduciary.

The bill also emphasizes the idea of privacy by design: Data fiduciaries will need to review the system, applications, and processes to ensure that privacy is embedded at all the stages in the data life cycle. Data fiduciaries might need to enforce stringent security measures in order to safeguard personal data. Training and awareness sessions must be included as an integral part of the data security and management process.

The bill gives comprehensive rights to the data principal, thus obligating the data fiduciary to ensure these rights are taken care of throughout the data life cycle. Data fiduciaries must have adequate provisions to notify the data principal and authorities. However, the notable point is that, unlike other global privacy regulations, this bill does not mention the timelines for reporting a breach.

The bill further makes it clear that a copy of the personal data processed must be stored locally in India or have a mirrored copy. Additionally, all the critical data must be stored only in India.

In order to remain relevant, organizations must be ready to adopt and adapt to the new change. The draft bill incorporates elements such as consent and a reasonable purpose for processing personal data. The bill also explains personal and sensitive data, while clarity is still awaited on what is identified as critical data.

Did You Know?

Consent

Refers to explicit permission from the data principal to use his/her data for the purpose clearly stated before collecting it. The objective of the use of such data must be clearly communicated to the data principal.

Explicit permission

Indicates that the data fiduciary must inform clearly about the actual processing and use of the data that may impact him/her. The information must be in a clear format, with no ambiguity in meaning or understanding, and must allow for specific options to choose from.

Purpose limitation

Processing of personal data must be restricted to the purpose for which it has been collected. The collection must be limited to the extent needed to deliver the service/product requested by the data principal. Further, the bill also mandates that the collection be limited to the extent permitted by the data principal.

Right to be forgotten

The bill gives the data principal the right to restrict the use/processing of his/her personal information as collected by the data fiduciary, unless specified for legal and lawful purposes. The data principal must be able to correct and update the information provided, while the data must be shared in a portable format in case the data principal desires to stop/restrict the services availed at any time.

Connect with our specialists to understand how we can help

Mayank Lakhani
Senior Managing Director
Consulting and Assurance Advisory
mayank.lakhani@nexdigm.com

Deepti Ahuja
Vice President
Global Sales, Business Development and Indirect Tax
deepti.ahuja@nexdigm.com