Protection of the personal data of the data principal is at the core of the draft Personal Data Protection Bill, 2018. This means that once the bill is enacted and enforced, privacy will no longer be optional and cannot be ignored. Among many significant provisions, the PDPB proposes substantial penalties for violation of the stated requirements. Such provisions, along with the heightened focus on the collection and use of personal data, will require organizations (referred to in the bill as data fiduciaries and data processors) to revisit their risk acceptance criteria and establish a robust privacy and data protection framework.
What is the Personal Data Protection Bill, 2018?
The committee headed by Justice (retd.) B.N. Srikrishna drafted India’s Personal Data Protection Bill, 2018. The Srikrishna Committee report refers to the Puttaswamy judgement, which defines the contours of the right to privacy for the data principal. The Committee reiterates that the data protection framework must ensure the right to autonomy and self-determination in respect of one’s personal data while balancing the legitimate concerns of the State.
Applicability of the Bill
We understand that the proposed bill will be applicable to the following once it has been enacted:
- Organizations (public or private) incorporated under Indian law that are engaged in the collection, disclosure, sharing or processing of personal data within the territory of India.
- Organizations without an establishment in India, if they process personal data in connection with any business carried out in India, any systematic activity of offering goods or services to data principals within the territory of India, or any activity that involves profiling of data principals within the territory of India.
Indian Personal Data Protection Framework
- Data Protection Plan – Policies, procedures and processes should treat the protection of people’s personal data and privacy as a top priority.
- Data requirement, collection and purpose – A company should clearly distinguish between personal, public and sensitive data and justify the need for collecting each. The method of collection, the time at which the data is required and the purpose of collection should be clear to the person whose data is being requested.
- Storage and transfer of personal data – The company must define where the data is stored and for how long it will be retained. It should also define whether personal data is transferred to locations outside the country and, if so, whether the transfer meets the PDP Bill requirements.
- Data Principal Rights – There should be defined processes that allow individuals (data principals) to exercise the four major rights granted to them by the Bill.
- Breach Identification & Notification – A company should have procedures in place to identify breaches and notify the relevant Authority as prescribed in the bill.
- Grievance Mechanism – A company should have grievance redressal mechanisms in place that give individuals the right and the means to raise any issues or concerns regarding their personal data.
- Data Protection Impact Assessment – When using a new technology or adopting a new process or system, the company should conduct a Data Protection Impact Assessment to ensure personal data remains protected.
- Record-Keeping – A company should retain personal data only for as long as it is required; retaining it beyond that period would breach the requirements of the bill.
- Data Audits – The company should conduct an annual review of its data protection policies and processes to ensure adherence to the Bill’s requirements.
- Data Protection Officer – The company should appoint a data protection officer to carry out the duties and functions required by the Bill.
- Offences – Staff handling personal data should be trained on the regulatory requirements of the PDP bill so that non-compliance or negligence on their part does not invite fines and penalties, which would tarnish the company’s reputation and lead to a loss of client and customer trust.
How Xiarch Can Help
- Gap Assessments – Conduct a data privacy and protection gap assessment to highlight any gaps or lapses in your framework, policies and processes, and suggest an effective data privacy management mitigation plan based on relevant industry best practices to close those gaps.
- Framework Setup – Define a data protection governance framework by setting up privacy policies, controls, risk assessments and consent forms that are compliant with India’s Personal Data Protection Bill (draft) 2018. Riskpro can also help you implement the framework, policies and processes in a timely and systematic manner.
- Third Party Risk Assessments – If you have third parties handling processes in which personal data may be involved, Riskpro can conduct a third party risk assessment to give you clarity and assurance regarding their level of adherence to the PDP Bill. Riskpro can also suggest a plan so that potential personal data breaches by third parties are identified and rectified in a timely manner.
- Implement/Review Regulatory Updates – Define procedures and processes to ensure that any changes or updates to the bill are identified, incorporated into company policies and implemented accordingly. Additionally, Riskpro can conduct policy reviews to ensure the latest regulatory updates are reflected in them.
- Compliance Audits – If you already have a data protection/privacy framework and policies and procedures defined, Riskpro can conduct a compliance audit to ensure the processes are working effectively and that the controls and framework are adequate and in accordance with the requirements of the PDP Bill.
- Training for Staff – Riskpro can conduct online or in-person training for relevant staff on the regulatory requirements of the Indian Personal Data Protection Bill and their duties while handling or processing personal data, to ensure compliance with the bill.
Benefits of Conducting a PDP Compliance Assessment
- Competitive Edge – When your firm is certified as PDP compliant, it will give you an edge over competitors who aren’t. This becomes a differentiating factor for you, and you will attract more clients with this feather in your cap.
- Customer Trust – You can earn the valuable trust of your existing and potential customers that personal data is handled securely and in line with the compliance requirements of the PDP bill.
- Strengthen Controls – When you know you adhere to the compliance requirements of the PDP Bill, you are more confident about the controls around data handling and processing within your company.
- Be Assessment Ready – By adhering to the compliance requirements of the PDP Bill, you will be well prepared for internal assessments or audits by external firms, rather than reacting to incidents or data breaches when they happen.
- Avoid Penalties – If gaps or breaches are highlighted during our assessment, you can take reasonable steps to put controls in place so that such lapses and breaches don’t occur again, thus avoiding hefty penalties.
What We Deliver
Xiarch is part of a global network of trained, certified and experienced privacy and data protection professionals. Our practitioners are equipped to assess the impact of privacy requirements on complex, multinational clients and to develop strategic, prioritized roadmaps tailored to each organization’s unique environmental and organizational drivers.
Our experts will furnish an itemized security evaluation report with concrete remediation steps to be taken.
We identify security weaknesses in your digital assets, allowing you to proactively remediate any issues that emerge and improve your security posture.
We also assure you that your assessments are carried out by qualified experts.
Our group of security specialists holds industry qualifications such as CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.
Compliance & Certification
We will help you with the Compliance & Certification process, which involves understanding the required documentation and verifying its implementation.
Xiarch takes a holistic approach to the compliance process.
Why Xiarch?
Xiarch is a CERT-IN empanelled, ISO 9001:2015 and ISO 27001:2013 certified cyber security and IT services company, providing information security solutions such as VAPT services, penetration testing services and vulnerability assessment services. Among our customers we proudly count government organizations, Fortune 1000 companies and countless start-ups. We are additionally value added partners, authorized re-sellers and distributors of leading web application security testing tools.
We are headquartered in Delhi and have branch presence in Gurugram and Mumbai, India.
Test the effectiveness of your own security controls before malicious parties do it for you. Our security experts are here to help — schedule a call today.
Xiarch Security is a global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface digitally, physically and socially.
Certified Security Experts
Our security experts are highly qualified and certified in CEH, ECSA, OSCP, CISA, CISSP, and numerous others.
Communication & Collaboration
After reviewing your code, our specialists share the best ways to correct the findings. Our experts will communicate with you regarding any further implementation.
We hold industry-leading certifications and dedicate part of every day to researching the latest exploit techniques, to ensure our clients remain protected from evolving online attacks.
Free Remediation Testing
Once your team has addressed the remediation recommendations, Xiarch will schedule your retest at no additional charge.