What is Data Governance and why is it important in India?
Data Governance, simply put, is the right set of policies and procedures established to handle and manage data. It ensures that data is kept secure and maintains its quality throughout its life cycle, is accurately documented and managed, and is regularly audited. This type of governance helps establish an organisation's ownership of its data throughout the data lifecycle.
As the world moves towards digitisation in most aspects, data collection for various purposes becomes the most basic workflow for everyone. Under such business models the value of data is immense, thereby making data governance in India a key aspect of a safer execution of the entire process.
Data governance certification helps organisations in decision making, management and accountability that improves
Is India ready for the Personal Data Protection Act (PDPA) Compliance?
Following the example of the European Union's General Data Protection Regulation (EU-GDPR) and the need for data governance, nations and political regions including India are evidently coming up with data protection acts to safeguard and ensure the proper handling of data, in view of the foreseeable online shift in every domain of business. Organisations in India need to gear up and be ready for the big change with the emergence of the Personal Data Protection Act in India, which is still at a draft stage.
GDPR and PDPA: What's the Difference?
| Topic | Key Differences |
| --- | --- |
| DEFINITION OF SENSITIVE PERSONAL DATA | The draft PDPA includes "financial data" within the scope of sensitive data. |
| LEGAL BASIS FOR PROCESSING OF PERSONAL DATA | The "reasonable purposes" basis under the draft PDPA is similar to the GDPR's legitimate interest basis but is limited to purposes that are specified by Indian regulation. |
| CONDITIONS FOR PROCESSING SENSITIVE DATA | In the absence of an "employment purposes" basis for processing sensitive data under the Personal Data Protection Bill (PDPB), employers will likely rely more heavily on explicit consent for employee benefits programmes. |
| CHILDREN | |
| TRANSPARENCY REQUIREMENTS | |
| RIGHT OF ACCESS | As per the draft, the Personal Data Protection Act (PDPA) in India requires the identities of all data fiduciaries with whom personal data has been shared to be disclosed to the data principal. |
| APPOINTMENT OF A DPO | DPO appointment is required only for a significant data fiduciary, and the PDPB leaves it to the Data Protection Authority (DPA) to determine the thresholds for being considered a "significant data fiduciary". |
| DATA PROTECTION IMPACT ASSESSMENT | As per the draft, it applies only to significant data fiduciaries, and the PDPB requires all DPIAs to be submitted to the DPA for review. |
| PRIVACY BY DESIGN | The PDPB's privacy-by-design requirements appear to be aimed in particular at the development of policies and certification of those privacy-by-design policies by the DPA, whereas the GDPR accords controllers greater flexibility in how they implement the requirement. |
| AUDIT REQUIREMENTS | As per the draft, the Personal Data Protection Act (PDPA) in India has an audit requirement for significant data fiduciaries, whereas the GDPR contains no similar audit requirement. |
| DATA LOCALISATION REQUIREMENTS | "Critical personal data" must be processed in India, except under emergency circumstances or where the government has approved the transfer considering India's security and strategic interests, whereas under the GDPR localisation is not required as long as its international data transfer requirements are met. |
What is India's PDPA?
As per the draft, the Indian Personal Data Protection Act is a data protection regulation aimed at guaranteeing strong protection for individuals' personal data. This regulation applies to businesses that collect, use, or share consumer data. The bill was tabled in the Indian Parliament by the Minister of Electronics and Information Technology on 11th December 2019 and is being analysed by a Joint Parliamentary Committee in consultation with various groups. The Bill covers mechanisms for the protection of personal data and proposes the setting up of a Data Protection Authority of India.
Why did India introduce the Personal Data Protection Act?
Organisations of every size, from the largest down to the smallest, are challenged to protect their data from potential and imminent cyber-attacks. As technological development in India continues to evolve and become more sophisticated, protecting data is becoming a growing challenge. The introduction of a stringent privacy watchdog in India was necessary to avoid far-reaching consequences, and hence the India PDPA was established. Primarily, the Personal Data Protection Act (PDPA) India is focused on safeguarding data owners from the illegal collection, use, or disclosure of personal data.
What are the Key Business Benefits of Personal Data Protection Regulation in India?
How will it impact the Indian businesses?
As per the draft, the Personal Data Protection Act (PDPA) in India will create demand for cultural transformation among organisations and in the way they are expected to handle data. There will be a higher level of transparency, strictness, and stringent procedures that each company would be required to abide by. This will end up in organisations having to increase their compliance spending, not only to ensure that their operational processes are up to standard, but also that their existing technological framework is up to the latest protocols.
Who should pay attention to the Personal Data Protection Act (PDPA) in India?
If your organisation holds personally identifiable information of an Indian citizen, it is obliged to follow the Personal Data Protection Act (PDPA) India requirements.
What are organisational obligations of the Personal Data Protection Act (PDPA) India as per the draft?
Role and Emergence of a Data protection officer (DPO)
A significant data fiduciary shall appoint a data protection officer to carry out the following functions:
Typical Implementation Journey of the Emerging Personal Data Protection Act (PDPA) India
Organisations will require 10 to 12 months to implement the Personal Data Protection Act (PDPA) India, followed by on-going compliance. TÜV SÜD would assess and advise organisations as per the following phases and timelines:
What are the consequences of non-compliance?
As per the draft India PDPA, failing to adhere to the norms would attract a hefty penalty on the defaulting organisation. The organisation would be liable to a penalty which may extend to Five (5) Crore Rupees or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.
How TÜV SÜD can help
Having implemented several data governance/privacy acts such as the EU-GDPR, Singapore PDPA, etc., and closely monitoring the development of the Personal Data Protection Act (PDPA) India, which is still at a draft stage, TÜV SÜD can help with a preparedness activity in advance to address and close the gaps between the organisation's existing policies and the expected PDPA guidelines. This would help organisations achieve a smooth transition in work protocols and compliance compatibility as and when the bill is enforced.
Embrace the change!
To conclude, all we would want to say is: do not look at this as a new challenge but as an opportunity to move forward in the right direction. This bill will only help reshape and restructure data practices, not just to safeguard customer data but also to strengthen data security.
*Disclaimer: All the above guidance is only for readiness/preparedness towards the emerging India Personal Data Protection Act.