Why India’s proposed data protection law will multiply compliance requirements

Dynamic digital technologies are rapidly changing the way business is run today. Also, as economies are marching towards a more digitized ecosystem, the value of data has grown exponentially. Businesses acquire data from many sources, such as social media sites, online polls, cookies, etc., to assess online activities, find new ways to target customers, and monetize the data. However, such data often includes personal and sensitive personal information, which if compromised or misused can cause immense harm.

The sensitization around privacy and data protection coupled with the increasing regulatory rigours, starting from the European Union’s General Data Protection Regulation (GDPR) to India’s upcoming personal data protection law, is all set to increase the compliance load of organizations. Undoubtedly, therefore, these discussions have taken centre stage in boardroom discussions and have become a top priority to attend to.

India Inc gearing up for the quantum leap

The draft Personal Data Protection Bill, 2018 (Draft Bill) has now been submitted to the Government of India for consideration. The Draft Bill is expected to be further deliberated upon before it is presented to the Parliament and finally becomes a law. However, several organizations are already gearing up their internal compliances to be future-ready on this front. The reason for this could be the realization that though there may be certain tweaks to the Draft Bill, the core principles of privacy and data protection would largely remain constant. Some examples are data minimization, informed consent, clear notices, etc.

These are becoming uniform across laws of most jurisdictions. Therefore, to do business in India and with nations across the globe, it is prudent to adopt these gold standards that have been proposed in the Draft Bill.

The Draft Bill envisages the constitution of a Data Protection Authority of India (Authority) for several purposes, including the effective implementation and adjudication of penalties. For certain offences, the penalties imposed may be as high as Rs 15 crores or 4 percent of the total worldwide turnover, whichever is higher.

Increased obligations under the Draft Bill

The Draft Bill mandates several obligations, such as:

Collection and purpose limitation: The collection and processing of personal data should only be for purposes that are clear, specific, and lawful.

Notice: Clear notice must be provided at the time of collection of personal data. The notice should specify details such as the purpose of processing, categories of personal data being collected, etc. The notice must also mention the individuals or entities with whom personal data will be shared. Significantly, the Draft Bill also mandates that such information should be provided in a manner that is easily comprehensible and in multiple languages, where necessary and practicable. Obligations such as these will certainly increase compliance cost and effort requirements.

Data quality: Reasonable steps are required to be taken to ensure that the personal data processed is complete, accurate, not misleading, and updated. Therefore, strong data management practices, along with a continuous review of personal data stored by entities, will have to be undertaken.

Storage limitation: Personal data should be retained only as long as may be reasonably necessary to satisfy the purpose of processing. Again, entities need to develop robust data management and review practices to meet such obligations.

The localisation of personal data: At least one serving copy of personal data is required to be stored on a server or data centre located in India. Further, the Central Government may notify certain critical personal data which is mandatorily required to be processed in a server or data centre located in India. The requirements of data localisation are expected to increase costs for retaining personal data on Indian servers.

Security safeguards: Security safeguards are required to be implemented and periodically reviewed considering the nature, scope, and purpose of processing of personal data. Some of the measures prescribed include de-identification and encryption and steps for preventing misuse and unauthorized access to personal data. Entities would, therefore, need to invest in their IT systems and teams to ensure these obligations are met.

Personal data breach notification: Notification to the Authority is required to be made where a breach of personal data is likely to cause harm to persons whose personal data is breached. The Authority may direct that a notification is made to the affected persons, and also to publish details of the breach on the concerned organisation’s website.

Additional obligations: Data fiduciaries (akin to data controllers) may be designated as ‘significant data fiduciaries’ by the Authority based on certain parameters such as the volume of personal data processed, the sensitivity of personal data processed, etc. These entities will have additional obligations such as the appointment of a data protection officer, conducting data audits, etc.

The Draft Bill is all set to increase the compliance burden of businesses. Entities would have to invest adequately to upgrade their data protection practices and procedures. Moreover, time and effort will have to be expended to build organisational capabilities on this front. However, if the measures of compliance are initiated today in a systematic manner, it will eventually turn out to be a worthwhile investment and a real business differentiator in the long run.

Supratim Chakraborty is an Associate Partner and Sumantra Bose is an Associate at Khaitan & Co.

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)