The introduction of a new Data Protection Bill in India (Addressing Privacy Concerns for a Digital Future) marks a significant development in safeguarding individual privacy and enhancing data security. As technology continues to advance at an unprecedented rate, the need for stronger regulations to protect personal information has become paramount. The bill's protection is restricted to digital personal data only.
One of the primary objectives of the Data Protection Bill is to establish a comprehensive legal framework that governs the collection, storage, and usage of personal data, making companies accountable for their handling of sensitive information and requiring explicit consent from individuals for data processing activities.
The obligations of the Data Fiduciary under the bill balance the right of individuals to protect their personal data with the need to process personal data for lawful purposes. They include obligations such as:
- Maintain the accuracy of data
- Prevent data breaches and send notifications to relevant stakeholders
- Retain data for only as long as required
- Publish details of a contact person (employees) to address the concerns of the data principal
- Effective grievance redressal mechanism
The data principal's rights are limited to those listed below, subject to certain exceptions for judicial, legal, or investigation purposes. Unlike under GDPR, the data principal has no right to portability or to restriction of processing.
- Right to access information about personal data
- Right to correction and erasure of personal data
- Right of grievance redressal
- Right to nominate
DPDPB compliance can be achieved in phases. The government has not set a timeline for adherence to the data protection bill. The phases are defined below, and each phase can be broken down into subphases or run as an individual project plan.
Phase 1: Current Privacy Posture
- Gap Assessment
- Data Discovery and identification
- Policy Analysis and update
- Training and Awareness
Phase 2: Standards and Processes
- Records and processing activities
- Consent management
- Data Subject request management
- Privacy by design principle (SDLC)
- Privacy Impact Assessment (PIA)
- Cross Border Transfer Mechanism
Phase 3
- Gap re-assessment
- Vendor/Third Party Assessment
- Roles and Responsibilities (R&R for governance model)
- Privacy Metrics
The penalties for non-compliance with the Data Protection Bill in different areas are listed below:
- Consent management (penalty of 50 crores to 250 crores)
- Incident Management (250 crores)
- Data retention and deletion (50 crores)
- International data transfer (50 crores)
- Data Principal request (50 crores)
- Significant data fiduciary obligations (150 crores)
In conclusion, the new Data Protection Bill in India represents a necessary and progressive step forward in safeguarding personal information. By establishing comprehensive rules and regulations, it seeks to address the challenges posed by rapid technological advancements. As India takes its place among global leaders in data protection, it sends a strong signal that individual privacy and data security are priorities in the digital age.