Digital Personal Data Protection Bill, 2023: What it means for your business?

Introduction:

The Digital Personal Data Protection Bill, 2023 (‘The Bill’) serves as a milestone in carving India’s data protection regime. After a prolonged course of over fifteen years, India is soon likely to join the league of countries having dedicated data protection legislation. As the Bill awaits discussions and deliberations in the Parliament, it is important to understand the need for businesses to align operations to comply with the provisions of the Bill. Apart from strengthening existing infrastructure to support data privacy of employees, customers, vendors etc., businesses must also adhere to the requirements stipulated for data transfers, notice and consent requirements etc. As more guidelines and regulations are expected to unravel in the near future, businesses must act swiftly to get compliance ready.

● Knowing where your organisation’s data lives

The Bill stipulates specific regulatory requirements for businesses to develop mechanisms for grievance redressal, query support etc. In order to ensure that compliance requirements are fulfilled, businesses must ensure accountability of data in their possession. The same can be achieved by creating data inventories in a centralised repository. This can further ease processes pertaining to data retention limitations, carry out data subject rights, respond to breach notifications etc. Developing a dedicated data inventory, also known as data mapping, allows organisations to streamline the data which is spread over various departments and teams, which further increases the business’s vulnerability to potential data violations. Having a centralised location for an organisation’s data also facilitates carrying out third party requests related to data, including those by the government. Moreover, creation of data inventories also for effective risk assessment initiatives. Risk assessments are processes for identifying threats and vulnerabilities and prioritizing their resolution. When developed correctly, risk assessments ensure that data protection expenditures reap the best value in terms of budget and time.

● Developing mechanisms to manage compliance requirements

The Bill stipulates several requirements pertaining to the rights of data subjects, data retention and minimisation, obligations of data fiduciaries etc. Developing mechanisms to ensure that all provisions of the Bill are being fulfilled becomes integral to the running of businesses. Developing a strengthened IT infrastructure including secure servers, SaaS enabled security measures, firewalls, backups etc. mitigates risks of data leaks, breaches etc. as well as ensures that businesses are ready to fight against potential data attacks. Apart from developing a strengthened IT infrastructure, businesses must also promulgate policies and regulations that govern personal data management and facilitate risk mitigation support. This includes developing infrastructure for conducting data audits, as well as establishing privacy policies etc.

● Elevated compliance requirements

The Bill proposes compliance requirements in the form of higher standards for seeking consent, notice requirements as well as additional obligations on data fiduciaries. Moreover, companies are also required to adhere to storage limitation requirements, which means that when an individual’s personal information is no longer needed for the reason for which it was gathered, the companies should not keep the data for longer than required. While there are no specific retention periods prescribed, personal data is only permitted to be retained for as long as necessary for legal or business purposes. Further, personal data is not permitted to be retained if the purpose for which such personal data was collected is no longer being served by its retention. This compels organisations to not hoard volumes of data they have since there is so much data and many regulatory standards that require compliance. Moreover, the Bill mandates companies which are data fiduciaries, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. Furthermore, the draft Bill obligates the data fiduciary or the data processor to notify the Data Protection Board and the affected data principals in the event of a personal data breach. The data fiduciary and the processor may contractually determine who is responsible for undertaking the reporting obligation. Further, the draft Bill proposes a penalty which may extend up to INR 2 billion for non-compliance with this requirement. Additionally, Significant data Fiduciaries are required, among other obligations, to implement independent data audits, appoint a DPO, and carry out Data Protection Impact Assessments ('DPIAs'). Non-compliance with these additional obligations may attract a penalty of up to INR 1.5 billion (approx. €17 million). Organisations must comply with these requirements for effective functioning of their businesses.

● Penalties:

The schedule to the Bill specifies penalties for various offences such as: (i) up to INR 200 crore (Approx USD 2,41,88,540) for non-fulfilment of obligations for children and (ii) up to INR 250 (Approx USD 3,02,35,675) crore for failure to take security measures to prevent data breaches. Thus, businesses must ensure watertight compliance with the provisions of the Bill to prevent being subjected to such penalties.