Overview of the Indian PDP Bill (draft) 2018
The Indian PDP Bill (draft) 2018 is one of the most momentous steps towards safeguarding the personal data of citizens. The Bill gives citizens a say in protecting their data held by companies for various purposes and prevents companies from misusing personal data.
Once the Bill comes into force, all Indian companies handling, storing or processing personal data will be required to adhere to it. The Bill gives four basic rights to data principals, namely the Right to Confirmation and Access, the Right to Correction, the Right to Data Portability and the Right to Be Forgotten.
Companies using personal data for online marketing activities or any other purpose will have to think twice before doing so. The Bill outlines various offences and heavy penalties for non-compliance with its regulatory requirements.
The Bill, among other points, talks about various measures to safeguard personal data such as:
• Ensuring privacy of personal data is at the centre of all frameworks, policies and procedures
• Ensuring transparency while collecting personal data and stating the purpose for collecting or maintaining the data
• Personal data breaches to be reported to the Authority on a timely basis
• Data Protection Impact Assessments to be carried out when using new technologies/processes
• Accurate and up-to-date records to be maintained
• Data Audits to be conducted by an independent data auditor
Furthermore, the Bill also sets out restrictions on and conditions for cross-border transfer of personal data, and requires the data fiduciary to ensure appropriate procedures are in place for grievance redressal.
Status of Bill as of August 2019
As per an August 2019 article in the Economic Times, the Ministry of Electronics and Information Technology (MeitY), through a letter to select stakeholders, has sought feedback on the draft PDP Bill.
The MeitY has sought clarifications on issues such as data localisation and ways to govern non-personal data, including anonymised, community and ecommerce data. Further, it has also sought inputs on the scope of the data authority and obligations for the data fiduciary. It also asked stakeholders for feedback on the “contours of a policy that should govern non-personal data” and whether there was a case to mandate free access to such data.
The latest letter from MeitY also seeks to know the “scope, powers and authority” of the proposed data regulator — the Data Protection Authority (DPA) — and whether it should be expanded to include non-personal data.
How Riskpro can help
Riskpro has a strong team of experienced and certified data privacy and data protection professionals who have thorough industry and technical knowledge.
Riskpro can assist you with the following services relating to India’s Personal Data Protection (PDP) Bill (draft) 2018:
Gap Assessment –
Conduct a data privacy/protection gap assessment to highlight any gaps or lapses in your framework/policies/processes and suggest an effective data privacy management mitigation plan, based on relevant industry best practices, to close those gaps.
Framework Set-up –
Define a data protection governance framework by setting up privacy policies, controls, risk assessments and consent forms which are compliant with the regulations of India’s Personal Data Protection Bill (draft) 2018. Riskpro can also help you implement the framework/policies/processes in a timely and systematic basis.
Third Party Risk Assessments –
If you have any third parties who handle processes in which personal data may be involved, Riskpro can conduct third-party risk assessments to give you clarity/assurance regarding the level of adherence to the PDP Bill by your third parties. Riskpro can also suggest putting a plan in place so that potential personal data breaches by third parties are identified and rectified on a timely basis.
Implement/Review Regulatory Updates –
Define procedures and processes to ensure any changes or updates in the Bill are identified, incorporated within the company policies and implemented accordingly. Additionally, Riskpro can also conduct policy reviews to ensure the latest regulatory updates are reflected therein.
Compliance Audits –
If you already have a data protection/privacy framework and policies/procedures defined, Riskpro can conduct a compliance audit to ensure the processes are working effectively and the controls/framework defined are adequate and in accordance with the requirements of the PDP Bill.
Training to staff –
Riskpro can conduct online or in-person training sessions for relevant staff on the regulatory requirements of the Indian Personal Data Protection Bill and their duties while handling or processing personal data, to ensure compliance with the Bill.
Benefits of conducting a PDP compliance assessment
• Competitive Edge – When your firm is certified as PDP compliant, it will give you an edge over your competitors who aren’t. This becomes a differentiating factor for you. You will get more clients having this as a feather in your cap.
• Customer Trust – You can earn the valuable trust of your existing and potential customers by demonstrating that personal data is handled securely and in line with the requirements of the PDP Bill.
• Strengthen Controls – When you know you adhere to the requirements of the PDP Bill, you are more confident about the controls over data handling and processing within your company.
• Be Assessment Ready – By adhering to the compliance requirements of the PDP Bill, you will be well prepared for internal assessments or audits by external firms, rather than reacting to incidents or data breaches when they happen.
• Avoid Penalties – If gaps/breaches are highlighted during our assessment, you can take reasonable steps to put controls in place so that such lapses and breaches don’t occur again, thus avoiding hefty penalties.
How Indian companies can implement data protection
Indian companies can no longer take for granted the personal data available with them. Once the Bill is implemented, companies in the business of handling, storing or processing personal data will have to conform to the regulatory requirements of the PDP Bill.
One of the first steps to implement data protection is to know whether the Bill applies to you. If it does, you need to:
• Review all your mechanisms and procedures in place to ensure data privacy and protection is at the core of your business and is one of your top-most priorities.
• Check whether these policies and procedures comply with the requirements of the PDP Bill and, if not, amend or update existing policies/processes to ensure compliance.
• Train and educate relevant staff who are data handlers or processors about the change in processes, mandatory regulatory compliances and the consequences and penalties levied for non-compliance.
• Ensure there is an internal review mechanism in place to highlight any lapses or breaches on your part. Alternatively, you can also contract an independent data auditor to review your policies and processes for compliance and improvements.
• In case of any data breach, ensure it is duly and promptly notified to the concerned authorities as prescribed in the Bill.
• Ensure a Grievance Redressal mechanism is put in place to allow data principals to raise issues or queries regarding their personal data.
Indian PDP – Framework for effective data protection
An effective data protection framework would encompass the following:
• Data Protection Plan - Policies, procedures and processes should focus on the core value of protecting the personal data and privacy of people as a top-most priority.
• Data requirement, collection and purpose – A company should clearly distinguish between personal, public and sensitive data and the need for collecting such data. The method of collection, the time at which it is required and its purpose should be clear to the person whose data is being requested.
• Storage and transfer of personal data – The company must define where the data is stored and the duration for which it will be retained. It should also define whether personal data is transferred to locations outside the country and whether such transfers meet the PDP Bill requirements.
• Data Principal Rights – There should be processes defined to ensure individuals (data principals) can exercise the 4 major rights granted to them by the Bill by following the said processes.
• Breach Identification & Notification – A company should have procedures in place to identify breaches and notify the relevant Authority as prescribed in the Bill.
• Grievance Mechanism - A company should have grievance redressal mechanisms in place to give individuals the right and access to highlight any issues or concerns regarding their personal data.
• Data Protection Impact Assessment – When using a new technology or adopting a new process/system, the company should conduct a Data Protection Impact Assessment to ensure personal data is always protected.
• Record-Keeping – A company should retain personal data only for the period it requires; retaining it beyond that period would breach the requirements of the Bill.
• Data Audits – The company should conduct an annual review of its data protection policies and processes to ensure adherence to the Bill requirements.
• Data Protection Officer – The company should appoint a data protection officer to carry out duties and functions as required by the Bill.
• Offences – Relevant staff handling personal data should be trained on the regulatory requirements of the PDP Bill so that non-compliance or negligence on their part does not invite fines and penalties, which would tarnish the company’s reputation and lead to loss of client/customer trust.
Most importantly, each of the points stated above and the overall framework defined should be compliant with the regulatory requirements of the PDP Bill.