Since the GDPR came into effect in 2018, many countries across the world have followed suit and introduced their own data privacy laws. India is the latest addition to this list. The proposed Personal Data Protection Bill (PDPB) aims to bring about a comprehensive overhaul of India’s current data protection policies. The data protection practices of Indian organizations are currently governed by the Information Technology Act, 2000 (IT Act).
However, the two-decade-old act hasn’t been able to keep up with the rapid advancements in technology we’ve seen over the past few years. With India witnessing a massive increase in cyberattacks in recent times, cybercriminals have been steadily discovering new ways to obtain sensitive personal information. To make matters worse, the pandemic has catapulted the digital ecosystem forward by years, and remote working has expanded the attack surface available to hackers.
As organizations have adopted new technologies, the scale of their data burden and responsibility has grown exponentially. As a result, cyber risks have amplified, and regulatory authorities have been scrambling to catch up. Consequently, businesses across the globe now face a slew of privacy protection laws. As the risks of noncompliance can be dire, organizations are often left wondering how they can navigate this ever-evolving privacy landscape.
Driving regulatory change across the country
Many Indian organizations have faced a volley of cyberattacks recently. From BigBasket, a popular online grocery delivery service, to Air India, small and large organizations alike have fallen prey to massive data breaches, exposing the sensitive personal information of millions of customers. The only silver lining of these high-profile attacks has been that they have had a powerful effect on the regulatory landscape of the country. The PDPB thus comes at a much-needed time when the country is seeing exponential digital growth.
In 2017, the Supreme Court of India recognized the right to privacy as a fundamental right. Currently, the IT Act has two provisions to govern the improper exposure of personal information:
(i) Section 43A of the IT Act requires the maintenance of “reasonable security practices and procedures” in relation to any “sensitive personal data or information” handled by an organization.
(ii) Section 72A of the IT Act imposes a penalty on any person (including an intermediary) who intentionally discloses personal information without the consent of the user.
However, Parliament recognized that a specialized regulation for protecting privacy rights is required, and thus, the PDPB was drafted. Once implemented, the PDPB will repeal Section 43A of the IT Act.
What does the PDPB include?
The PDPB will be India’s first law focusing solely on data privacy and protection. It defines personal data as data “relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, […] and shall include any inference drawn from such data for the purpose of profiling.”
The bill includes requirements for notice and prior consent for the use of individual data, puts limitations on the purposes for which data can be collected and/or processed, and has restrictions to ensure that only the data essential for providing a service is collected. In addition, the bill also includes data localization requirements and necessitates the appointment of data protection officers within organizations.
Like the GDPR, the PDPB aims to give individuals more control over their personal information. As per the bill, a separate regulator called the Data Protection Authority of India (DPA) will also need to be set up. The DPA will be entrusted with the responsibility of protecting and regulating the use of citizens’ personal data. It is supposed to act as a deterrent against the unconstitutional and illegal use of this data. The DPA will also have extraterritorial powers and will enforce monetary penalties for noncompliance.
Implementation to be done in phases
The Joint Committee of Parliament (JCP) deliberating on the PDPB is expected to submit a report on the bill in the first week of the winter session of Parliament, which usually commences around the last week of November.
Notably, the bill is expected to undergo major changes under the JCP. The draft proposed in 2019 was opposed by many organizations, social media firms, privacy experts, and even ministers, who were of the opinion that the bill had too many loopholes to be effective and beneficial for both citizens and organizations.
However, even after enactment, the law is likely to be implemented in phases.
How can organizations prepare for the PDPB?
If your organization is already compliant with the GDPR, then you’re likely well on the path to achieving compliance with the PDPB when it comes into effect. However, a proactive approach to assessing and, if required, revamping your data privacy posture will go a long way towards preparing for the PDPB. Here are three steps to ensure your organization is well-prepared:
Understand and classify your data: A strong data security strategy begins with identifying and classifying what type of data you collect and retain. Once you understand what personal information you process, you’ll have a data inventory ready to help you understand your data-processing activities. Where is the data stored? For how long is it stored? Who has access to it? Is it shared with any third parties? This step ensures that you have the solid foundation needed to achieve compliance.
Detect and prevent leaks: Adopting an effective data loss prevention strategy can help organizations monitor and eliminate potential risks originating from emails, webpages, and endpoints. It allows the flow of information to continue while eliminating risks, protecting critical data, and ensuring compliance. It doesn’t need to become a barrier to business processes if it is implemented in an adaptive manner: rather than putting a stop to communication, it automatically removes any sensitive or malicious data as it enters or exits the network.
Secure personal data: After the organization has ensured that personal data is classified and potential risks are removed, the data then needs to be protected both at rest and when it’s being shared in order to achieve true end-to-end data security. This can be done by implementing encryption at rest, email encryption, a managed file transfer (MFT) solution, or a combination of these technologies. An MFT solution protects sensitive data when it’s most vulnerable—while being accessed by others and while being sent to unmanaged domains, devices, or applications. It creates a secure channel with a central platform for information exchange, while providing audit trails, user access controls, and other file transfer protections.
Compliance is an ongoing journey
In the current age of information explosion, achieving compliance with data privacy standards can be daunting. However, it needn’t be so if organizations can be proactive and plan ahead of the date of enforcement. Businesses in India need to build an effective privacy and compliance strategy, as those that do will experience immense benefits. The time is ripe for organizations that haven’t yet started or are just getting started on their compliance journey, as data privacy is going to play a pivotal role in the years to come. By adopting a layered, comprehensive approach to data security, organizations can confidently embrace the new PDPB, and, once compliant, should view this as a competitive advantage.