Search

What is India’s Personal Data Protection Bill?

The EU’s GDPR paved the way for data privacy and protection laws around the world, and one of the latest is the emerging Personal Data Protection Bill in India. While organizations in India already adhere to international data privacy laws, including GDPR when serving overseas customers, as well as the restrictions set out in 2000’s Information Technology Act, neither directly and specifically addresses the personal data of consumers within India’s borders.

The EU’s GDPR paved the way for data privacy and protection laws around the world, and one of the latest is the emerging Personal Data Protection Bill in India. While organizations in India already adhere to international data privacy laws, including GDPR when serving overseas customers, as well as the restrictions set out in 2000’s Information Technology Act, neither directly and specifically addresses the personal data of consumers within India’s borders.

What is India’s Personal Data Protection Bill?

The proposed law is called the Personal Data Protection Bill, or PDP for short. The core principle of the forward-looking bill is that “the right to privacy is a fundamental right,” and it largely focuses on the intersection of the digital economy and personal data security. Like the GDPR, the PDP aims to protect the personal data of Indian citizens. It does this by:

  • Restricting companies to collecting only necessary information
  • Limiting the reasons for why data can be collected and processed
  • Ensuring consent is given for data use

Protecting Personal Data in India

Initially researched in 2017 and proposed in 2019, the PDP could be passed in Parliament’s current session, with portions coming into effect as early as the first half of 2022.
Data protection is made up of the steps a business takes to ensure data is private and secure. While data protection is the overarching umbrella that covers A) what data is being collected and B) how it’s being secured, data privacy is one segment of keeping data protected.

India does not currently have any dedicated laws on cybersecurity aside from the Indian Cyber Law, which refers more to e-commerce and government e-filing than data protection and privacy. As such, many of the frameworks that keep personal data safe are lacking.

Says Aditi Chaturvedi, Head of Legal at Koan Advisory Group, “The purpose of a data protection act would be to outline how data should be handled in order to protect a citizen’s fundamental right to privacy.” The new law’s goal is to ensure that organizations get consent by citizens to collect and store personal information, whether or not it is personally identifiable or sensitive.”

While the bill would be applicable to organizations, it also is intended to ensure that citizens know what data is being collected, what it is being used for, and understanding that they have a right to expect that their data is being protected and only used as intended.

A Highly Debated Data Protection Regulation

While the bill has not yet been passed—and may in fact be replaced by an entirely new bill that, critics say, must better address data protection requirements in a growing tech ecosystem that has fostered dozens of successful startups in recent years—proponents of data privacy say time is of the essence.

The bill as-is could eat into tech industry profits, but leave India without a regulatory framework in what is now one of the world’s largest Internet markets puts data at risk. According to estimates, India saw a 120 percent increase in ransomware attacks in 2021, which still only made up a portion of the 1.15 million reported cyberattacks across industries.

Mahesh Shanmugasundaram, Information Security industry veteran at HelpSystems, agrees. “While companies in India already adhere to regulations like GDPR and CCPA when working with overseas customers, they have only recently started to look seriously at privacy and data protection frameworks and ensure that such frameworks are enforced. This is not just because it enables the nation to trade with overseas customers but because it is good business practice to protect data and have the customers’ best interests at heart.”

How to Prepare for the Data Protection Bill in India

The PDP includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to an individual is collected. It also includes requirements for data localization and the appointment of Data Protection Officers within organizations, and a Data Protection Authority of India.

What Information is Covered?

Three categories are covered in the bill to date:

  1. Personal data that is about or relates to a person
  2. Sensitive data, such as health or genetic data, passwords, caste or tribe, and others
  3. Other critical data as specified by the central government

Processing data about children is also restricted.

Who Must Comply?

Both data fiduciaries and data processors, the equivalent of GDPR’s controllers and processors, will be responsible for data protection. Further, the PDP Bill is written to include persons both within and outside India if business was conducted in India, including offering goods and services or profiling individuals in India.

What are the Penalties?

Organizations that fail to meet requirements laid out in the PDP – including reporting requirements, data notices, and processing data unlawfully – are subject of fines between ₹52 million (730,000 USD) and ₹191 million (USD 2.7 million), or 2 to 4 percent of the company’s global revenue.

Businesses can additionally face criminal penalties, for instance if the sale of personal data results in “significant harm” or if anonymized data is able to be re-identified.

What Data Security Systems Should You Have in Place?

Data protection requires both an understanding of the data your organization has on hand and systems to keep that data secure: accessible only to the right people, protected from breaches, and flagged as internal-only or not. Solutions that can help with both important steps include:

  • Data classification: This technology helps avoid the human error of inadvertent data sharing by flagging how sensitive the content of a certain file is. It also provides a high-level view of the types and sensitive of data collected.
  • Data loss protection: These solutions are often two-pronged and keep sensitive data in while keeping threats out. They detect and prevent unauthorized sharing, redact sensitive information before sending, and scan incoming files for threats.
  • Digital rights management: One key to minimizing data exposure is to put secure parameters around it – specifying exactly who is authorized to view, use, and manipulate it, wherever that data is ultimately transferred.
  • Secure file transfer: If data is the lifeblood of an organization, keeping it well-guarded during transfers, whether internally or externally, is paramount. Secure file transfer solutions like MFT employ encryption both at rest and in motion, role-based access, and automation for reduced human error.

Subscribe to our RSS feed

Archived under:

How protected is your data?

Meet with one of our experts to assess your needs, and we'll walk you through our solution.

Request a Demo
Hide

Upcoming webinar: Webinar name goes here

Join us on Monday, August 32nd where we talk about this, that, and the other thing.

Details + register

Don't show again