Data Governance and Emergence of India Data Protection Law (PDPA)

Posted by: Vaibhav Pulekar Date: 20 Oct 2020

A Practical Guide to the readiness for India Personal Data Protection Act (PDPA)

Addressing the Key Challenges in Data Privacy with Data Governance

What is Data Governance and why is it important in India?

Data Governance, simply put, is the right set of policies and procedures established to handle and manage data. It is to make sure that the data is kept secured and maintains quality throughout its life cycle, accurately documented and managed, and regularly audited. This type of governance helps ensure organization’s ownership to manage the data throughout its lifecycle.

As the world moves towards digitization in most aspects, data collection for various purposes becomes the most basic workflow for everyone. Under such business models, the value of data is immense, thereby, making data governance in India a key aspect for a safer execution of the entire process.

Data governance certification helps organisations in decision making, management and accountability that improves

  • Security
  • Productivity
  • Usability
  • Quality

Is India ready for the Personal Data Protection Act (PDPA) Compliance?

Followed by the example of the European Union’s General Data Protection Regulation (EU-GDPR) and the need for data governance, all nations/political regions including India are, evidently, coming up with Data Protection Act to safeguard and ensure the handling of data, in view of the foreseeable online shift in every domain of business. Organisations in India need to gear up and be ready for the big change with the emergence of the Personal Data Protection Act in India, which is still at a draft stage.

GDPR and PDPA: What's the Difference?

Topic 

Key Differences 

 DEFINITION OF SENSITIVE PERSONAL DATA

 • The draft PDPA includes “financial data” within the scope of sensitive data.
• The draft PDPA allows the government to define additional categories of sensitive data, whereas the list of categories under the GDPR is finite.
• GDPR provides for additional rules for processing criminal convictions and offenses data, but the PDPB includes no similar provision.

LEGAL BASIS FOR PROCESSING OF PERSONAL DATA

The “reasonable purposes” basis under the draft PDPA is similar to the GDPR’s legitimate interest basis but is limited to purposes that are specified by Indian regulation.

CONDITIONS FOR PROCESSING SENSITIVE DATA

 

In the absence of an “employment purposes” basis for processing sensitive data under the Personal Data Protection Bill (PDPB), employers will likely rely more heavily on explicit consent for employee benefits programs.

 

CHILDREN

  •  The PDPB’s requirement to verify a child’s age before any processing imposes a significant new requirement not present in the GDPR.
  • The ban on profiling of children for guardian data fiduciaries

 TRANSPARENCY REQUIREMENTS

 
  • The draft PDPA does include additional disclosure requirements such as details on grievances, and, if applicable, a data trust score assigned by a data auditor.
  • Requirement to provide notice in multiple languages, may require the localisation of global privacy notices.

 RIGHT OF ACCESS

 As per the draft, Personal Data Protection Act (PDPA) in India requires identities to be shared with data principal of all data fiduciaries with whom personal data has been shared.

 

APPOINTMENT OF A DPO

 

DPO appointment is required only for significant data fiduciary and The PDPB leaves it to the Data Protection Authority (DPA) to determine the thresholds for being considered a “significant data fiduciary”.

 DATA PROTECTION IMPACT ASSESSMENT

 

As per the draft, it applies only to significant data fiduciaries and the PDPB requires all DPIAs to be submitted to the DPA for review.

 

PRIVACY BY DESIGN

 

The PDPB’s privacy-by-design requirements appear to be aimed in particular at the development of policies and certification from the DPA for the privacy-by-design policies, whereas the GDPR accords controllers with greater flexibility in how they will implement the requirement.

 

AUDIT REQUIREMENTS

 As per the draft, Personal Data Protection Act (PDPA) in India has an audit requirement for significant data fiduciaries, whereas the GDPR contains no similar audit requirement.

 

DATA LOCALISATION REQUIREMENTS

 

“Critical personal data” must be processed in India, except under emergency circumstances or where the government has approved the transfer, considering India’s security and strategic interests whereas localisation is not required unless international data transfer requirements are not met.

What is India's PDPA?

As per the draft, The Indian Personal Data Protection Act is a Data Protection regulation aimed to guarantee strong protection for individuals on their personal data. This regulation applies to businesses that collect, use, or share consumer data. This bill was tabled in the Indian Parliament by the Minister of Electronics and Information Technology on 11th December 2019 and is being analyzed by a joint Parliamentary Committee in consultation with various groups. The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority of India.

Why did India introduce the Personal Data Protection Act?

Even the most appreciable larger organisations down to the smallest organisations are challenged by data protection from potential and imminent cyber-attacks. As technological development continues to evolve in India and become more sophisticated, protecting data is becoming a growing challenge. The introduction of a stringent privacy watchdog in India was necessary to avoid far-reaching consequences and hence the India PDPA was established. Primarily, the Personal Data Protection Act (PDPA) India is focused on safeguarding data owners from the illegal collection, use, or disclosure of personal data.

What are the Key Business Benefits of Personal Data Protection Regulation in India?

  • There is substantial growth due to the digital economy, the data protection act will help to create a collective culture that fosters a free and fair digital economy, respecting the information privacy of individuals
  • Improved consumer confidence and builds trust
  • Reduced costs by managing data throughout the life cycle and improving data quality
  • Better alignment with evolving technology, by getting approval from the Data Protection authority for the sandbox environment

How will it impact the Indian businesses?

As per the draft Personal Data Protection Act (PDPA) in India will bring in demand for cultural transformation amongst the organisations and the way they are expected to handle data. There will be a higher level of transparency, strictness, and stringent procedures that each company would be required to abide to. This will end up in organisations having to increase their compliance spending, not only for ensuring that the operational processes are up to standards, but also that the existing technological framework is up to the latest protocols.

Who should pay attention to the Personal Data Protection Act (PDPA) in India?

If your organisation holds personally identifiable information of an Indian citizen, it is obliged to follow the Personal Data Protection Act (PDPA) India requirements.

Personal Data Protection Act in India - What your Business Needs to Know

What are organisational obligations of the Personal Data Protection Act (PDPA) India as per the draft?

  • No personal data shall be processed by any person, except for any specific, clear and lawful purpose.
  • The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data (Purpose Limitation)
  • Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data.
  • The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated (Quality).
  • The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing (Retention Period).
  • The data fiduciary shall be responsible for complying with the provisions of this act in respect of processing undertaken by it or on its behalf.
  • The consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained.

Role and Emergence of a Data protection officer (DPO)

Significant data fiduciary shall appoint a data protection officer to carry out the following functions:

  • Providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act.
  • Monitoring personal data processing activities of the data fiduciary
  • Providing advice to the data fiduciary on carrying out the data protection impact assessments and carrying out its review.
  • Providing advice to the data fiduciary on the development of internal mechanisms to satisfy the obligations.
  • Aiding and co-operating with the Authority on matters of compliance of the data fiduciary with the provisions under this Personal Data Protection Act (PDPA) India draft.
  • Act as the point of contact for the data principal for the purpose of grievances redressal.
  • As per the draft, an inventory of records to be maintained by the data fiduciary to demonstrate compliance with the  Personal Data Protection Act (PDPA) India.

Typical Implementation Journey of the Emerging Personal Data Protection Act (PDPA) India

Organisations will require 10 to 12 months to implement the Personal Data Protection Act (PDPA) India and then the on-going compliance. TÜV SÜD would assess and recommend the organisations as per the following phases and timelines:

 

What are the consequences of non-compliance?

As per the draft, India PDPA failing to adhere to the norms would attract a hefty penalty on the defaulter organisation. The organisation would be liable to a penalty which may extend to Five (5) Crore Rupees or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.

How TÜV SÜD can help

Having implemented several data governance/privacy acts like the EU-GDPR, Singapore PDPA, etc. and closely monitoring the development of the Personal Data Protection Act(PDPA) India which is still at a draft stage, TÜV SÜD can help with a beforehand preparedness activity to address and help close the gaps between the existing policies of the organisation and the expected PDPA guidelines. This would help organisations with a smooth transition in work protocols and compliance compatibility as and when the bill gets enforced.

Embrace the change!

Finally, to conclude, all we would want to say is, to not look at this as a new challenge but an opportunity to move forward in the right direction. This bill will only help reshape and re-structure the data practices not just to safeguard customer data but also to strengthen data security.

  • Organisations will require 10 to 12 months to implement Personal Data Protection Act (PDPA) India and then ongoing compliance.
  • This transition will need more time in practice, as this is not just compliance but cultural transformation.
  • Organisational change management, Training & capacity building, upskilling of employees to understand the concept of data privacy will be key factor.

*Disclaimer : All above guidance is  only for the readiness/preparedness towards emerging India Personal Data Protection Act.

Next Steps

Site Selector