What You Need to Know About India’s Data Protection Bill

Since the EU GDPR took effect in 2018, many countries around the world have followed suit and either revamped existing data protection and privacy regulations or introduced new ones. India, too, is taking steps to enact a data protection framework that incorporates many elements of the GDPR. The new law, the Personal Data Protection Bill (PDP), is currently before parliament and was proposed to effect a comprehensive overhaul of India’s current data protection regime, which today is governed by the Information Technology Act of 2000.

What Does the New PDP Bill Include?

The PDP Bill includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which companies may process data, and restrictions to ensure that only the data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within organizations.

India has not yet enacted this specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) to include section 43A and section 72A, which give individuals a right to compensation for improper disclosure of personal information.

Rules for the Collection and Disclosure of Sensitive Personal Data

The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules under Section 43A of the IT Act. The Rules impose additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information, and have some similarities to the GDPR and the earlier Data Protection Directive.

Companies in regulated sectors, such as financial services and telecoms, are subject to confidentiality obligations under sectoral laws which require them to keep customer personal information confidential and to use it only for prescribed purposes, or only in the manner agreed with the customer.

PDP Phased Implementation

The government of India and a joint parliamentary committee proposed the draft PDP bill, which would repeal section 43A of the IT Act. However, even after enactment, the law is likely to be implemented in phases. Currently, there is no information about that implementation timeline.

Additionally, India does not have a national regulatory authority for the protection of personal data. The Ministry of Electronics and Information Technology is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The PDP bill proposes creating a Data Protection Authority of India that will be responsible for protecting the interests of data principals, preventing misuse of personal data and ensuring compliance with the new law.

What is a Data Fiduciary?

The PDP Bill introduces the concepts of a ‘data fiduciary’ and a ‘data processor,’ which are equivalent to the controller and processor under the GDPR. The PDP bill will apply not only to persons in India but also to persons outside India in relation to business conducted in India, the offering of goods or services to individuals in India, or the profiling of individuals in India.

Organizations within that scope must implement appropriate measures to prevent unauthorized access to sensitive and confidential information and to guard against malicious cyberattacks, accidental loss or the deletion of any confidential data. This involves putting in place a robust data security strategy that centers on people, processes and technology. Organizations need to ensure that employees are trained and understand the importance of securing sensitive and confidential information, so security should be embedded into the culture of the business, with processes put in place to support it. It also involves implementing the right technology to guard against both malicious and accidental loss of data. Data security is only as robust as the elements that support it, so we recommend layering proven solutions to ensure that sensitive and confidential data remains secure from start to finish.

Achieving Compliance Requires People, Process and Technology

Ultimately, in today’s highly regulated data environment, organizations in India need to embrace and build an effective compliance strategy, as those that do will see positive business benefits and undoubtedly reap the rewards. Those with low levels of data privacy protection and data governance software adoption need to change, and change quickly. More broadly, companies need to obtain better visibility into their data before they can consider themselves compliant with any relevant data protection regulation. By taking a layered approach to data security and adopting a people-, process- and technology-centric approach, organizations in India can confidently embrace the new PDP bill and, once compliant, should view this as a competitive advantage.

Mahesh Shanmugasundaram

Mahesh is an Information Security industry veteran with over two decades of experience across a range of security technologies and processes. A technologist at heart, Maheswaran has a real ability to understand the commercial and operational requirements of businesses across a wide range of vertical markets. He has a wealth of experience supporting the deployment of key data protection projects in a number of leading enterprises across APAC.