-Shreya Deb
Introduction:
India’s privacy law framework, the Personal Data Protection Bill (PDPB), is currently in draft form and is expected to become law once it has been reviewed by the Joint Parliamentary Committee (JPC). This privacy regime will impose obligations on almost all data-driven businesses operating in India, and also on non-Indian businesses based outside India that offer goods and services to individuals in India or profile individuals within India. This means companies are going to have a busy time reassessing their data processing practices and the safeguards they have implemented in order to comply with the Bill once it becomes law. This article discusses the actions companies need to take to become compliant with the PDPB. Before moving ahead, let’s get familiar with these important terms.
Key Definitions:
Personal Data: Refers to any data from which an individual can be directly or indirectly identified – Section 2(28). Example – name, characteristics etc.
Sensitive Personal Data: Refers to financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe etc. – Section 2(36).
Data Principal: Refers to the natural person to whom the personal data relates – Section 2(14).
Data Fiduciary: Refers to any person, including the State, a company, any juristic entity or any individual, who determines the means and purpose of processing personal data – Section 2(13). For example, Uber is a data fiduciary: it collects its customers' personal data for providing, personalizing, maintaining and improving its ride sharing services. Likewise, if your business collects data for rendering goods or services, or even for profiling, you must comply with the PDPB.
Processing: Refers to operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction – Section 2(31).
Data Processor: Refers to any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary – Section 2(15). The distinction drawn between Data Fiduciary and Data Processor is important for delineating responsibility as data moves from one party to another. For instance, in the U.S., Facebook, being the Data Fiduciary, was hit by controversy over the actions of a third-party data processor, Cambridge Analytica.
Significant Data Fiduciary: The classification of a significant data fiduciary is based on the volume and sensitivity of data processed, the fiduciary’s annual turnover, the risk of significant harm to the data principal and the type of technology used to process data. The Data Protection Authority is given the power to classify a certain set of data fiduciaries as significant data fiduciaries on the above grounds. Further, the Central Government can classify certain social media intermediaries as significant data fiduciaries on the basis of a threshold which varies according to the nature of the social media intermediary – Section 26.
Profiling: Refers to any activity that analyses or predicts an individual’s traits, attributes or interests – Section 2(32). For example – targeted advertisements.
De-identification: Refers to the process of removing or masking identifiers from personal data. This process is carried out by a data fiduciary or data processor – Section 2(16).
Obligations of Data Fiduciary under the PDPB:
There are certain proactive steps Data Fiduciaries are required to take to protect customers’ personal data and to give their privacy foremost importance throughout the fiduciaries’ business activities.
Data cannot be processed without a clear, specific and lawful purpose.
Data fiduciaries may process personal data only for the purpose consented to by the data principal, or for a purpose incidental or connected thereto. Processing that the data principal can reasonably expect, considering the context in which their personal data was collected, is counted as consented to.
Personal Data must not be collected unless it is needed for a specific purpose.
Data fiduciaries must ensure good quality of Personal Data processed. This includes ensuring that the personal data is complete, accurate, updated and not misleading.
Personal Data must only be retained till it is necessary. This means that data fiduciaries should regularly review the personal data collected to determine if the purpose of the data has been served and whether it is necessary to retain.
Data fiduciaries must serve a notice on the data principal for the collection or processing of personal data. This notice must include information about the following –
Purpose of collection;
Nature and categories of personal data collected;
Source of collection, if data is not directly obtained;
Basis of data processing;
Period for retaining the data;
Individuals or entities with whom the data may be shared;
Cross border transfer of data, if applicable;
Identity and contact details of the data fiduciary and Data Protection Officer, if required;
Grievance redressal system;
Any other information as specified by the regulations.
However, there are certain circumstances in which data fiduciaries need not serve a notice and can process personal data without consent, such as medical emergencies, disasters and public order situations, and compliance with an order of a court or the State.
Data fiduciaries must ensure that personal data is processed in accordance with the data processing obligations.
The burden of proof lies on the data fiduciary to demonstrate compliance with these obligations, even where a data processor has been engaged to process the data.
Complying with the data protection standards of PDPB:
Apart from the aforementioned obligations, the PDPB imposes a significant number of compliance and data protection standards on the processing of data, such as –
Maintaining a Privacy by Design Policy: This is a document which must set out the entity's data processing practices and shall ensure that:
The privacy of a data principal is ensured throughout the data fiduciaries’ managerial, organisational, and business activities, from data collection to data deletion.
The obligations of Data Fiduciaries listed in the previous section are met.
The technologies employed to process personal data are either commercially accepted or of certified standards.
Business interests, including any innovation, are not pursued at the cost of the privacy of a data principal.
Data is processed in a transparent manner. This means that the following must be communicated to the data principal: the categories of data collected; the purpose and manner of collection; and the rights of the data principal, i.e. the right to confirmation and access, the right to correct, complete, update and erase, the right to data portability, the right to be forgotten, the right to file a complaint with the Data Protection Authority and the procedure for making such a complaint. Any information related to cross-border data transfers, if applicable, must also be mentioned.
The Privacy by Design Policy may need to be certified by the Data Protection Authority or any other officer authorised by Regulation. The Privacy by Design Policy shall be uploaded on the website of the data fiduciary as well as of the Authority.
Security Safeguards: A Data Fiduciary must implement security safeguards to prevent personal data from being misused, unlawfully accessed, modified or destroyed, to protect the integrity of personal data, and to eliminate the harm that may be incurred during data processing activities. These safeguards may include measures such as de-identification or encryption of personal data. Data fiduciaries must regularly review their security safeguards and take appropriate measures where needed.
Reporting personal data breaches: Data fiduciaries are obliged to report any personal data breach to the Data Protection Authority, clearly stating the nature of the personal data breached, the number of data principals affected, the consequences of the breach and the actions taken by the Data Fiduciary to remedy the breach.
Grievance redressal: Data fiduciaries must follow prompt grievance redressal procedures to remedy data breaches. A data principal can file a complaint against the Data Fiduciary, or against the Data Protection Officer in the case of a significant data fiduciary, when there is a data breach or non-compliance with the provisions. Such complaints must be resolved within 30 days of receipt.
The PDPB imposes a higher degree of compliance and security standards on Significant Data Fiduciaries, as the following provisions of the draft apply only to significant data fiduciaries –
Data Protection Impact Assessment (DPIA): The PDPB obliges significant data fiduciaries to conduct a DPIA when they undertake data processing activities involving complex technologies and sensitive personal data. The DPIA shall include a detailed list of processing activities, including the nature and purpose of the activities, an assessment of the potential significant harm that may be caused by the processing, and the measures for mitigating or removing such harm. The DPIA must be reviewed by the Data Protection Officer, who shall submit a report on it to the Data Protection Authority. If the Authority believes there is a probability of harm to the data principal, it can direct that such data processing cease or mandate other conditions for the processing.
Auditing and Record-Keeping: A significant data fiduciary must engage an independent auditor to audit its conduct and policies and provide a data trust score. Records of data processing practices, such as the DPIA and the periodic review of security safeguards, must be kept up to date.
Data Protection Officer: A significant data fiduciary is required to appoint a Data Protection Officer who shall be responsible for:
Maintaining records and conducting DPIA;
Advising on data protection issues;
Assisting with Grievance Redressal Mechanism;
Monitoring the company's compliance with PDPB;
Liaising with the Data Protection Authority.
Exemptions for Small Businesses:
There are some limited exemptions laid down for small businesses or entities. Under the framework, a small entity is one which has a turnover of less than 20 lakhs INR, processes personal data of fewer than 100 data principals per day and fewer than 100 data principals on any day in the past year, and is engaged in manual processing. For example, small retailers and kirana stores. Here, manual processing refers to data processing performed without a computer or any automated device. These small entities are exempted from:
The obligation to serve notice, to maintain the quality of data processed and to limit data retention;
Ensuring the rights of the data principal, except for the right to correction and erasure and the basic information under the right to confirmation and access;
Maintaining a Privacy by Design Policy, security safeguards and transparency in processing; and
Being accountable for processing.
However, an entity is unlikely to fall under this category if it engages in online advertising, communicates with its customers via email or other digital platforms, or takes online orders for its products or services.
Conclusion:
The PDPB is extensive, and businesses (data fiduciaries and processing entities) are going to have a hard time ensuring compliance with the data privacy regime. The proposed thresholds for exempting small businesses are so low that a notably high number of businesses would fall under the purview of the law. If your business collects personal data, it is advisable to review your data processing activities, security mechanisms and the technology used in order to ensure compliance with the PDPB's data protection obligations. Understanding how consent is obtained from your customers, and reviewing the information your business provides to customers while collecting their personal data, is also crucial, since non-compliance with the law can result in heavy penalties.
To end, a comparison drawn by Hon’ble Justice B.N. Srikrishna:
“Complying with this law is like buying new shoes – It will be tight in the beginning but will be comfortable later.”