India Data Protection Law and the Need to Build Competence to Make Enterprises Compliant
In the last two decades, one thing that has grown exponentially is data. Initially it was enterprises or governments that generated data, so it was produced at a controllable rate. Every organization was sitting on tons of data but unsure what to do with it. However, with the introduction of smartphones and social media in the last decade, both the demand for data and the volume generated have suddenly grown exponentially. Data has become the new oil, in which enterprises and states have developed a keen interest.
Every enterprise now focuses not just on structured data but also on unstructured data to shape its business strategy and the various models built around it. Some organizations use this data to offer personalized services to customers; others use it to drive product strategy. Because of these varied use cases, many enterprises retain data forever, knowingly or unknowingly.
Data that is stored poorly for a very long time is always at risk: it may fall into an exploiter’s hands and be misused.
Data exploitation can also be state-sponsored, to threaten another nation.
Many countries have recognized the associated risk and have introduced, or are introducing, data protection laws. To control data misuse, the new India Data Protection Law 2019 will go live by early 2021.
2) Data Protection Law
The new Data Protection Bill 2019 (“Bill”) provides general guidelines for collecting, using, storing, and transferring data. It also divides data into three categories: data, personally identifiable information (PII), and sensitive data. The Bill’s final details are not yet out, but it appears to be in line with Europe’s GDPR, and it will cover more attributes given India’s complex demography.
The criteria for collecting data, and its usage, transfer, and retention, depend on the nature of the data collected. Additional restrictions and compliance requirements apply where children’s data is involved. The Bill also identifies a few exceptions to the consent requirement for collecting and processing data in certain specific instances, such as state functions, compliance with a court order, response to a medical emergency, and recruitment and employment termination.
Though it primarily requires data to be processed in India, it allows sensitive personal data to be transferred outside India on the basis of explicit consent from the individuals concerned. Storage of the data remains within Indian territory.
The entities collecting data are Data Fiduciaries; they are further classified, based on data volume, data sensitivity, and the entity’s turnover, as Significant Data Fiduciaries, Guardian Data Fiduciaries, and Social Media Intermediaries.
There is another category, Data Processors (DP), which are required to implement the necessary security guardrails with regard to, inter alia, the nature, scope, and purpose of processing personal data and the risks associated with a breach.
In the event of any personal data breach, immediate notice to the Data Protection Authority (DPA) is mandatory. The DPA will then determine whether the affected individuals need to be informed and communicate the breach to them if so. The Bill also carries strict compliance requirements and heavy penalties, including imprisonment of up to three (3) years and fines ranging from INR 5000 a day to INR 15 Crore or 4% of annual turnover.
3) What is Introduced, Regulated, and Governed
The following activities and processes are introduced, regulated, or governed by this policy:
3.1) Data Lifecycle Management
Until now, the focus of organizations and data collectors was only on generating and using data. Now they must define the purpose of collecting, using, transferring, and retaining data, based on the data collected and the consent obtained from individuals. Additional restrictions and compliance requirements apply where children’s data is involved.
Though data processing is meant to take place in India itself, organizations may process data outside India in a few cases, subject to a defined consent and approval process. Data storage, however, remains within Indian territory.
In specific scenarios, data may be processed without consent; such exceptions must be categorically documented when they are taken.
3.2) Classification of the Data Fiduciaries
The entities collecting data are Data Fiduciaries (DF); they are further classified, based on data volume, data sensitivity, and the entity’s turnover, as Significant Data Fiduciaries (SDF), Guardian Data Fiduciaries (GDF), and Social Media Intermediaries.
Data Processors (DP) are another category. DPs collect and process data on behalf of DFs. They are required to implement the necessary security guardrails with regard to, inter alia, the nature, scope, and purpose of processing personal data, and the risks associated with a breach remain the same as for DFs.
3.3) Privacy by Design Policy
The India Personal Data Protection Bill makes it mandatory for the data owner to implement a privacy-by-design policy to control data breaches. It compels each enterprise to build privacy and its related principles into internal systems when launching the business or operations, not as an afterthought.
3.4) Appointment of Data Protection Officer (DPO)
Significant Data Fiduciaries are required to appoint a DPO to, inter alia, advise on matters under the Bill; the DPO monitors data processing activities, ensures compliance, and reports breaches, if any. The Data Protection Authority (DPA), a new authority similar to IRDA, TRAI, and SEBI, monitors data breaches and safeguards the interests of individuals and the nation. The DPO can also be the focal point for availing a cybersecurity policy to protect the organization’s interests in case of a breach that occurs despite the necessary guardrails having been followed.
4) High-Level Compliance Process
Awareness of the Law and its impact
- Organize awareness sessions for users across the organization
- Assess the impact of the law on the organization
Identification of Data and Data Owners
- Identify and categorize the data being collected and processed
- Identify data owners and their roles and responsibilities
- Data processing agreements between the data owner and the data processor
- Data mapping within the organization and understanding the data life cycle
- Define processes to retain and delete data; identify policy and consent requirements and implement them for effective compliance
- Data retention policy and process
- Policies for security safeguards: de-identification and encryption to prevent misuse, unauthorized access, modification, disclosure, or destruction of personal data
Privacy by Design Policy
- Privacy by Design policy: a framework for proactively embedding privacy into the ‘default setting’ of the business to achieve the strongest privacy protections possible
- Create a data center in India for storing sensitive personal data
Data Protection Office
- Set up a data protection office
- Appoint an internal resource as Data Protection Officer to take responsibility for compliance
- Create policies and processes for identifying and reporting any issues or data breaches
- Set up a grievance redressal process
Many organizations think this is not a big deal, given India’s various lapses in enforcing non-compliance penalties. But as data has become more and more precious, the government has no option but to put stringent monitoring around data usage.
Organizations must start planning their privacy-by-design policy, data categorization, lifecycle management, and data retention policy now, to build an ecosystem in which data breaches are treated more stringently than physical theft within the organization.
Whereas physical theft causes minimal losses, the massive penalties for data breaches may hit the organization’s balance sheet and damage its brand value.
Hence, taking this law lightly would be disastrous for organizations falling under the DF, SDF, GDF, Social Media Intermediary, and DP categories. So start building the necessary steps now rather than later, and we are here to help you with this.