Since the EU GDPR came into force in 2018 many countries around the world have followed suit and have either revamped or introduced new data protection and privacy regulation. India, too, is taking steps to enact a data protection framework which incorporates many elements of the GDPR. The new law, the Personal Data Protection Bill (PDP), is currently in front of parliament and was proposed to effect a comprehensive overhaul of India's current data protection regime, which today is governed by the Information Technology Act, 2000.
So, what does the new PDP Bill include?
The PDP Bill includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within organizations.
India has not yet enacted this specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.
Rules around the collection and disclosure of sensitive personal data
The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules under Section 43A of the IT Act. The Rules have imposed additional requirements on commercial and business entities in India, relating to the collection and disclosure of sensitive personal data or information, which have some similarities with the GDPR and the Data Protection Directive.
Companies in regulated sectors such as financial services and telecoms are subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and use them for prescribed purposes, or only in the manner agreed with the customer.
PDP will be implemented in a phased manner
The government of India and a joint Parliamentary Committee have proposed the draft PDP Bill on data protection which will be India’s first law on the protection of personal data and will repeal 43A of the IT Act. However, even after enactment, the law is likely to be implemented in a phased manner. Currently, there is no information about that implementation timeline.
Additionally, India does not have a national regulatory authority for protection of personal data. The Ministry of Electronics and Information Technology is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The PDP Bill proposes creating a Data Protection Authority of India that will be responsible for protecting the interests of data principals, preventing misuse of personal data and ensuring compliance with the new law.
What is a data fiduciary?
The PDP Bill proposes the concepts of a ‘data fiduciary’ and a ‘data processor’. A ‘data fiduciary’ and a ‘data processor’ are equivalent to the concept of controller and processor under the GDPR. The PDP Bill will not only apply to persons in India but also to persons outside India in relation to business conducted in India, the offering of goods or services to individuals in India, or the profiling of individuals in India.
Organizations must therefore implement the appropriate measures to prevent unauthorized access to sensitive, and confidential information, and to prevent malicious cyber-attacks, accidental loss, or the deletion of any confidential data. This involves putting in place a robust data security strategy that centers on people, process and technology. Organizations need to ensure that employees are trained and understand the importance of securing sensitive and confidential information. Therefore, security should be embedded into the culture of the business and processes put in place to support this. This also involves implementing the right technology to guard against both the malicious and accidental loss of data. Here data security is only as robust as the various elements that support it, therefore, we recommend layering proven solutions to ensure your sensitive and confidential data remains secure from start to finish.
Achieving compliance requires a combination of people, process, and technology
Ultimately, in today’s highly regulated data environment, organizations in India need to embrace and build an effective compliance strategy, as those that do will experience positive business benefits and undoubtedly reap the rewards. Those with low levels of data privacy protection and data governance software adoption need to change – and change quickly. But, more broadly, companies need to obtain better visibility of their data before they can consider themselves compliant with relevant data protection regulations. By taking a layered approach to data security and adopting a people, process, and technology centric approach, organizations in India can confidently embrace the new PDP Bill and, once compliant, should view this as a competitive advantage.