Data Security in India: How the PDP Bill Can Help Protect Businesses

Sep 3, 2021

Since the EU GDPR came into force in 2018 many countries around the world have followed suit and have either revamped or introduced new data protection and privacy regulation. India, too, is taking steps to enact a data protection framework which incorporates many elements of the GDPR. The new law, the Personal Data Protection Bill (PDP), is currently in front of parliament and was proposed to effect a comprehensive overhaul of India’s current data protection regime, which today is governed by the Information Technology Act, 2000.

By Mahesh Shanmugasundaram, Regional Director of South Asia at HelpSystems

So, what does the new PDP Bill include?

The PDP Bill includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within organizations.

India has not yet enacted this specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.

Rules around the collection and disclosure of sensitive personal data

The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules under Section 43A of the IT Act. The Rules have imposed additional requirements on commercial and business entities in India, relating to the collection and disclosure of sensitive personal data or information, which have some similarities with the GDPR and the Data Protection Directive.

Companies in regulated sectors such as financial services and telecoms are subject to confidentiality obligations under sectoral laws, which require them to keep customer personal information confidential and to use it only for prescribed purposes, or only in the manner agreed with the customer.

PDP will be implemented in a phased manner

The government of India and a Joint Parliamentary Committee have proposed the draft PDP Bill on data protection, which will be India’s first law on the protection of personal data and will repeal Section 43A of the IT Act. However, even after enactment, the law is likely to be implemented in a phased manner. Currently, there is no information about that implementation timeline.

Additionally, India does not have a national regulatory authority for protection of personal data. The Ministry of Electronics and Information Technology is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The PDP Bill proposes creating a Data Protection Authority of India that will be responsible for protecting the interests of data principals, preventing misuse of personal data and ensuring compliance with the new law.

What is a data fiduciary?

The PDP Bill introduces the concepts of a ‘data fiduciary’ and a ‘data processor’, which are equivalent to the controller and processor under the GDPR. The PDP Bill will apply not only to persons in India but also to persons outside India in relation to business conducted in India, the offering of goods or services to individuals in India, or the profiling of individuals in India.

Organizations must therefore implement appropriate measures to prevent unauthorized access to sensitive and confidential information, and to prevent malicious cyber-attacks, accidental loss, or the deletion of any confidential data. This involves putting in place a robust data security strategy that centers on people, process and technology. Organizations need to ensure that employees are trained and understand the importance of securing sensitive and confidential information; security should therefore be embedded into the culture of the business, with processes put in place to support this. It also involves implementing the right technology to guard against both malicious and accidental loss of data. Data security is only as robust as the various elements that support it, so we recommend layering proven solutions to ensure your sensitive and confidential data remains secure from start to finish.

Achieving compliance requires a combination of people, process, and technology

Ultimately, in today’s highly regulated data environment, organizations in India need to embrace and build an effective compliance strategy, as those that do will experience positive business benefits and undoubtedly reap the rewards. Those with low levels of data privacy protection and data governance software adoption need to change – and change quickly. But, more broadly, companies need to obtain better visibility of their data before they can consider themselves compliant with relevant data protection regulations. By taking a layered approach to data security and adopting a people, process, and technology-centric approach, organizations in India can confidently embrace the new PDP Bill and, once compliant, should view this as a competitive advantage.

To find out more about achieving optimum data compliance with India’s Personal Data Protection Bill, download Titus’s latest whitepaper.
