Every individual has a right to privacy and to decide where and with whom their data is shared.
India's Personal Data Protection Bill (PDPB) aims to give consumers new privacy rights over data collection, requiring a user's consent before their information is collected or shared.
The increasing pace of digitisation of services in the corporate and government sectors has increased the demand for the collection of personal data. This data is used to profile individual preferences and online behaviour, which can then be exploited for business purposes. In the absence of any data privacy law, how data is protected is left entirely to each business's discretion, which has led to mishandling of data and large financial frauds. This makes the need for an appropriate legal framework for privacy critical.
The amount of data that citizens share, directly or indirectly, with various entities has made it crucial to ensure that individual users have autonomy and control over their personal data. Recognising the need for a strong and structured privacy regime to govern the processing of this data, the Indian Government has introduced a draft Personal Data Protection Bill (PDPB).
The draft covers the privacy of individuals' personal data across the whole data life cycle: collection, transfer, processing, disclosure, and disposal. It has similarities to other leading global data protection regulations such as the EU's General Data Protection Regulation (GDPR). The draft also sets out obligations of the data fiduciary, such as lawfulness, limitation, storage limitation, and quality of personal data.
The PDPB applies to the Government of India, any company incorporated in India, as well as any company outside India that deals with the personal data of individuals in India. So, it’s extraterritorial, like CCPA and GDPR and many other privacy laws around the world.
PDPB grants individuals rights similar to those under other regimes such as GDPR and CCPA, including:
- The right to access data
- The right to correction
- The right to data portability
- The right to erasure
- The right to be forgotten
Organisations need to ensure they can fulfil these data rights requests and automate what is currently a manual, request-by-request process.
PDPB includes data minimisation requirements, ensuring that data is collected only to the extent necessary for the purposes of processing. The law also sets strict retention requirements, so organisations need data retention policies they can act on swiftly.
The PDPB focuses on the categorisation of data, so companies must contextualise data through identity profiling and indexing that covers all types of sensitive data across the organisation.
In terms of penalties, PDPB is very similar to GDPR, with fines of up to 4% of the company's global annual revenue. It also includes criminal penalties of up to three years of imprisonment and a $3,000 fine.
Key differences between the PDPB and the GDPR include the following:
1. The PDPB defines minors as those under the age of 18, while under the GDPR minors are children under the age of 16, with some member states setting the threshold between 13 and 16 years of age.
2. In the category of sensitive personal data, the PDPB also includes financial data, while the GDPR does not.
3. Under the PDPB, the government may request the publication of anonymised data, whereas no such possibility exists under the GDPR.
4. In the Indian Privacy Act, portability is more broadly defined than in the GDPR.
5. The PDPB has seven grounds for processing personal data, whereas the GDPR has six.
6. The PDPB also includes requirements for social media intermediaries to verify information and to register their services.
PDPB consulting services typically cover various aspects of data protection compliance, such as the following:
1. Gap Assessment - Evaluating the organisation's current data protection practices against the requirements of the PDPB and identifying areas for improvement.
2. Privacy Policy Development - Assisting in the creation of comprehensive privacy policies that align with the PDPB's principles.
3. Data Mapping and Inventory - Identifying the types of personal data processed, collected, and stored by the organisation, along with the data flows across systems.
4. Consent Management - Advising on obtaining and managing user consent for data processing activities.
5. Data Protection Impact Assessments (DPIAs) - Conducting DPIAs for high-risk data processing activities and ensuring risk mitigation.
6. Employee Training - Providing training and awareness sessions to employees on data protection best practices and their roles in compliance.
7. Vendor and Third-Party Compliance - Assessing the compliance of vendors and third-party service providers with data protection regulations.
8. Incident Response Planning - Assisting in developing incident response plans to handle data breaches and security incidents.
PDPB can significantly impact businesses and individuals in India, particularly in the areas of compliance, data protection standards, and user control over data. It imposes strict data protection standards and requires businesses to report data breaches to the authorities within a set timeframe, which should lead to more rigorous data protection practices and greater accountability. It also restricts the transfer of personal data outside India, which could affect cross-border data flows and trade and create challenges for businesses operating across multiple jurisdictions.
Benefits of compliance include:
- Better data quality and automation for better handling.
- Immediate action in case of a data breach.
- Lawful data processing, which improves the business's image.
- A clearer picture of the data being stored and processed by the organisation.
- Demonstrating a commitment to data protection, which builds trust with customers and stakeholders.
We provide a holistic approach to data protection, addressing various aspects of compliance.