As India moves closer to its own data protection law, many companies are concerned, as they have access to the personal data of numerous employees, consumers, vendors, business partners and other stakeholders. With the launch of this bill, shielding and guarding personal information will become increasingly important for any type of business dealing with personal data. Many companies in India, however, fear that the proposed law will impose extra costs that could affect business operations. The data privacy law has not yet been passed but is in the process of being launched in the coming months. It was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019.
What are the key highlights of the newly drafted bill?
In 2018, the committee submitted the draft Personal Data Protection Bill (PDPB), but it could not be finalized. A revised version followed, based on suggestions of the public, various stakeholders, ministers and consultants, and the final Personal Data Protection Bill (PDPB) was cleared by the Union Cabinet on December 4, 2019. The Personal Data Protection Bill gives more importance to Sensitive Personal Information (SPI), which may include: financial data, genetic data, transgender status, health data, official identifier, caste or tribe, sex life, intersex status, sexual orientation, religious or political belief or affiliation, biometric data, or any other data categorized as sensitive personal data by the authority. The regulation strictly restricts companies from processing personal data without a specific, clear and lawful purpose; in the earlier version of the bill, however, a reasonable amount of data processing was provisioned without the consent of the data owner.
Impact of the “Personal Data Protection Bill” on Indian Companies:
The Personal Data Protection Bill (PDPB) will certainly change the way privacy is viewed and practiced within Indian business. The Bill would apply to both government and private entities acting as data controllers/fiduciaries or data processors, irrespective of whether they are present within the territory of India or operating overseas.
It will have a fundamental impact on various businesses, as this Bill is going to be the first ever comprehensive data protection legislation in India. However, it places limited obligations on companies and will only regulate sensitive personal information (SPI) belonging to Indian citizens.
The impact can be classified into the three categories below:
- Companies have to ensure that user rights, such as data portability and the right to erasure, can be availed.
- Companies have to ensure that they are following the right security practices to secure their users’ personal data.
- Companies have to be compliant as significant data fiduciaries, and have to prepare impact assessment reports.
- Startups & SMEs may have to entirely overhaul their Information Systems to meet the regulatory requirements.
- The Personal Data Protection Bill asks companies to place complete ownership of data in the hands of its owners, and companies have to obtain the prior consent of data owners before collecting, storing and processing it.
- Any company that collects the sensitive personal data of users has to delete the data within a specified time.
Apart from this, Indian startups will have to revamp the way they currently capture and store data, and will have to set up a new consent mechanism as per the regulation. To adopt these changes, companies need to consult appropriate third parties who understand these laws and rules and can help them maintain the aforementioned security practices. The biggest impact of the Personal Data Protection Bill on Indian companies would be the additional cost burden that they might have to face. Mr. Rama Vedashree, who is CEO at the Data Security Council of India (DSCI), says that it is not a big challenge for startups to comply with; the real challenge, however, would be for the government and other large organizations that deal with huge amounts of user data.
To conclude in simple terms, companies will have to deal with an additional cost burden to implement the privacy provisions and necessary security measures as directed by the Bill. However, it won’t be a big challenge, as the regulatory body will give enough time to implement the law. Companies that are already compliant with the GDPR (General Data Protection Regulation) will not have to start from a blank slate and could move quickly in complying with the regulation. To effectively comply and migrate your information security systems with respect to the Data Protection Bill, my suggestion would be to consult an expert third-party agency with a reasonable understanding of the regulation.
At Securitybulls Intelligence, our experts may help you to revamp your current infrastructure as per the guidelines of the regulation and provide you with strategic consultation to follow the right security practices to secure your users’ personal data.