Why Has India Brought in the New Personal Data Protection Bill?

Since the EU GDPR came into force in 2018, many countries around the world have followed suit and have either revised or introduced new data protection and privacy rules. India is also taking further steps to enact a data protection framework that incorporates many elements of the GDPR. The new law, the Personal Data Protection Bill (PDP), is now before parliament and is expected to effect a comprehensive overhaul of India’s current data protection regime, which is governed by the Information Technology Act, 2000.

What does the New PDP consist of?

The PDP Bill includes requirements for notice and prior consent for the use of personal data, limitations on the purposes for which organizations can process the data, and restrictions to ensure that only data essential for providing a service to the individual in question is collected. It also includes data localization requirements and the appointment of data protection officers within companies.

India has not yet enacted this specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.

What are the rules around the Collection and Disclosure of Sensitive Information?

The Indian central government finally issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules under Section 43A of the IT Act. The Rules impose additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information, and they have some similarities with the GDPR and the Data Protection Directive.

Companies in regulated sectors such as financial services and telecoms are subject to confidentiality obligations under sector laws, which require them to keep customer personal information confidential and to use it only for prescribed purposes or in the manner agreed with the customer.

How Will the PDP Be Implemented?

The Government of India and a Joint Parliamentary Committee have proposed the draft PDP Bill on data protection, which will be India’s first law on the protection of personal data and will repeal Section 43A of the IT Act. However, even after enactment, the law is likely to be implemented in a phased manner. Currently, there is no information about the implementation timeline.

Moreover, India does not have a national regulatory authority for the security of personal data. The Ministry of Electronics and Information Technology is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The PDP Bill proposes creating a Data Protection Authority of India that will be responsible for protecting the interests of data principals, preventing misuse of personal data, and ensuring compliance with the new law.

What is a Data Fiduciary?

The PDP Bill proposes the concepts of a ‘data fiduciary’ and a ‘data processor’. A ‘data fiduciary’ and a ‘data processor’ are equivalent to the concept of controller and processor under the GDPR. The PDP Bill will not only apply to persons in India but also to persons outside India concerning business conducted in India, the offering of goods or services to individuals in India, or the profiling of individuals in India.

Organizations must therefore implement appropriate measures to prevent unauthorized access to sensitive and confidential information, and to prevent malicious cyber-attacks, accidental loss, or the deletion of any confidential data. This involves putting in place a robust data security strategy that centers on people, processes, and technology. Organizations need to ensure that employees are trained and understand the importance of securing sensitive and confidential information. Security should therefore be embedded into the culture of the business, with processes put in place to support it. This also involves implementing the right technology to guard against both the malicious and accidental loss of data. Data security is only as robust as the various elements that support it, so we recommend layering proven solutions to ensure your sensitive and confidential data remains secure from start to finish.

Achieving Compliance Requires a Combination of People, Processes, and Technology

Ultimately, in today’s highly regulated data environment, organizations in India need to adopt and build an adequate compliance process, as those that do will experience positive business benefits and undoubtedly reap the rewards. Those with low levels of data privacy protection and data governance software adoption need to change, and change quickly. More broadly, companies need to obtain better visibility of their data before they can consider themselves compliant with relevant data protection regulations. By taking a layered approach to data security and adopting a people, process, and technology-centric approach, organizations in India can confidently embrace the new PDP Bill and, once compliant, should view this as a competitive advantage.