Skip to content
CryptoHub is 2024 Data Protection Solution of the Year!
  • There are no suggestions because the search field is empty.
Check out the CryptoHub press release.

Everything to know about the upcoming Digital Personal Data Protection Bill in India – Part 1

In today’s highly interconnected world with an ever-evolving cybersecurity landscape, governments around the world are framing robust data protection legislations to safeguard the personal data of their citizens.
 

As one of the largest digital economies in the world, India too is slated to soon implement the Digital Personal Data Protection Bill, 2022 to protect its citizens’ personally identifiable information (PII) while fostering a strong trust in its vibrant digital ecosystem. The upcoming Digital Personal Data Protection Bill (“the Bill”) in India is poised to revamp the way organizations collect, store, share, and process the personal data of Indian citizens.

As data security practitioners, it is essential for us to grasp the underlying citizen-centric approach of the Bill, as it aims to empower Indian citizens with greater control over their personal information. By gaining a comprehensive understanding of the Bill, data security professionals can develop robust data protection strategies that not only comply with the evolving regulatory landscape but also meet changing consumer expectations.

In this two-part series, let’s deep dive into the various aspects of the Bill and explore how organizations can seamlessly protect the personal data of their Indian customers.

Key highlights of the bill

1) Personal data

One of the notable highlights of the Bill is its definition of personal data, which includes any data that can be identified with an individual or entity.

This encompasses traditional identifiers like name and contact details, as well as other identifiers like financial and health data, biometric and genetic information, and political affiliations.

2) Data principal, data fiduciary, and data processor

To establish unambiguous accountabilities, the Bill introduces the concepts of ‘Data Principals’, ‘Data Fiduciaries’, and ‘Data Processors’.

A Data Principal is anybody whose personal data is being used or processed. If the individual is a minor, the parents or legal guardians are considered as the respective Data Principals.

On the other hand, a Data Fiduciary is any individual or entity that determines the objective and mechanisms to process a Data Principal’s personal data. Similarly, a Data Processor is any individual or entity that processes the personal data on behalf of a Data Fiduciary.

3) Data protection officer and independent data auditor

The Bill emphasizes that Data Fiduciaries should appoint a dedicated Data Protection Officer based in India to ensure compliance with data protection mandates. This officer serves as the point of contact for grievance redressal mechanisms outlined in the Bill.

Additionally, Data Fiduciaries are required to appoint an Independent Data Auditor to assess their compliance with the mandates of the Bill.

4) Data Protection Board of India

The Bill mandates the Central Government of India to form an independent governing body known as the ‘Data Protection Board of India’ to oversee all regulatory compliances of the Bill.

The Board will possess extensive powers similar to a Civil Court, including the authority to investigate, impose penalties, and adjudicate disputes related to the protection of personal data as outlined in the Bill.

5) Consent and purpose limitation

To prevent misuses, the Bill mandates that Data Fiduciaries should obtain explicit consent from Data Principals before collecting, processing, or storing their personal data.

Furthermore, the Bill mandates that any personal data can only be processed or used for the specific purposes for which the consent was obtained from the Data Principal.

6) Right to access, correct, and erase personal data

The Bill gives Data Principals the right to access their personal data available with the Data Fiduciaries, request corrections to inaccurate or incomplete personal data, and demand Permanent erasure of their personal data under certain conditions.

7) Penalties for non-compliance

The Bill empowers the Data Protection Board of India to impose significant financial penalties on Data Fiduciaries and Data Processors for non-compliance with data protection mandates.

For example, failure to implement adequate security safeguards to prevent personal data breaches can result in penalties up to INR 250 crore. Additionally, failure to notify the Data Protection Board of India about a personal data breach can lead to penalties of up to INR 200 crore.

Summing up

While bills like the upcoming Digital Personal Data Protection Bill in India are crucial for curbing data breaches, organizations should not implement cybersecurity measures solely to meet regulatory mandates. It is essential to integrate privacy principles into all aspects of their operations, from products and services to day-to-day business practices. Data protection should be ingrained in the corporate culture rather than treated as an afterthought.

In the next part of this two-part series, let’s look at the key technologies that organizations can leverage to effectively protect their sensitive data. Stay tuned…

 

FAQ

How does the Digital Personal Data Protection Bill aim to empower individuals’ control over personal information in India’s digital realm?

The Digital Personal Data Protection Bill seeks to empower individuals by enhancing their control over personal information in India’s digital landscape through measures like explicit consent requirements and rights to access, correct, and erase personal data.

What roles and responsibilities do entities like Data Principals, Data Fiduciaries, and Data Processors have under the Bill, and how does this affect businesses?

The Digital Personal Data Protection Bill delineates distinct roles and responsibilities for various entities involved in managing personal data. Data Principals, representing individuals, have rights over their data; Data Fiduciaries, who determine data processing objectives, must ensure compliance and protect individuals’ rights; and Data Processors, entrusted with data handling, must adhere to fiduciaries’ directives while ensuring data security and privacy. These defined roles establish a structured approach to data governance, guiding businesses in upholding privacy standards and fostering trust with their customers.

What penalties does the Bill impose for non-compliance with data protection mandates, and how might this impact organizations?

Penalties for non-compliance with data protection mandates under the Bill include significant financial fines, such as up to INR 250 crore for failure to implement security safeguards and up to INR 200 crore for failure to report data breaches to the Data Protection Board of India, potentially having severe repercussions for organizations.

Share: