The Personal Data Protection Bill (PDPB) 2018
The Personal Data Protection Bill (PDPB) 2018 is with the Joint Parliamentary Committee and is expected to be passed into an Act in the Budget Session of Parliament in 2020.
The bill, drafted by the committee chaired by Justice B. N. Srikrishna, is modelled on the EU's GDPR, which has applied in the European Union since 25 May 2018.
The key points of the PDPB are:
Cross-border data flows:
- The bill restricts the transfer of critical personal data outside India, while sensitive personal data may be transferred abroad provided a copy is retained in India.
Sensitive personal data attributes:
- a) passwords
- b) financial data
- c) health data
- d) official identifier
- e) sex life
- f) sexual orientation
- g) biometric data
- h) genetic data
- i) transgender status
- j) intersex status
- k) caste or tribe
- l) religious or political belief or affiliation
Critical personal data attributes: to be defined in the final version of the bill.
Key Terminologies:
- Data Principal → the natural person to whom the personal data relates
- Data Fiduciary → any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data
- Data processor → any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary
- Penalties: ranging from INR 5 crore or 2% of total worldwide turnover (whichever is higher) up to INR 15 crore or 4% of total worldwide turnover (whichever is higher)
- Consent: Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.
Rights of the individual:
- a. Right to confirmation and access
- b. Right to correction
- c. Right to Data Portability
- d. Right to Be Forgotten
To adhere to PDPB requirements:
• Define your Personal Data Policy
• Create a data inventory.
• Evaluate risk and perform gap analysis.
• Assess whether existing systems can fulfil the rights of the data principal.
• Identify/appoint a Data Protection Officer for all parties and notify the Data Protection Authority, where required.
• Enable data transfer mechanisms & legal basis for every activity where personal data is used
• Finalize process to monitor, log and report data breaches and next steps
• Create awareness of the key PDPB requirements among the employees and contractors who handle personal data
• Define an approach to manage data principal rights.
- a. Establish the legal basis for each processing activity and the mechanism by which data principals exercise their rights.
- b. Data principals can give or withdraw consent and request access to their data.
- c. The company (fiduciary/data owner) must keep a record of data principal rights requests and how each was resolved.
• Implement a Data Protection Impact Assessment (DPIA)
• Secure personal data transfers.
• Amend third-party contracts (if applicable).
- Amend third-party contracts that include processing of personal data to become compliant with the PDPB.
• Ensure the security of personal and sensitive data.
- a. Implement the necessary organisational and technical measures to protect the personal data of data principals.
- b. Consider privacy and protection when designing new systems and processes.
• Define how to handle data breaches.
- a. Set up the processes to identify and handle personal data breaches.
- b. Prepare for notifications to the Data Protection Authority and to affected data principals, if required, in the case of a personal data breach.
A consent form should adhere to the following broad guidelines:
- Use easy, clear language
- Customers should actively opt-in
- Let customers freely choose content, channel and frequency, and obtain separate consent for each
- Do not tie consent to other agreements, nor use incentives
- Explain clearly how customers can withdraw consent
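The consent rules above, together with the record-keeping duty under "Define an approach to manage data principal rights", translate directly into a small piece of back-end logic. The following Python module is an added example written for this page; it is not code from the bill, the page's author, or any PDPB implementation, and the class names, the "evidence" labels that count as an affirmative act, and the sample identifiers are assumptions. It rejects consent that was not an affirmative act (a pre-ticked box, or acceptance bundled into other terms), keeps consent granular per purpose and channel, checks that consent was in place no later than the commencement of processing, supports withdrawal, and keeps an auditable record per data principal.

```python
"""Consent ledger for PDPB-style consent (added example, not from the page).

Evidence labels, class names and the sample principal id are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One auditable consent action for a single (purpose, channel) pair."""
    principal_id: str
    purpose: str         # e.g. "daily_headlines"
    channel: str         # e.g. "email", "sms"
    action: str          # "grant" or "withdraw"
    at: datetime
    terms_version: str   # version of the mailing consent terms shown
    evidence: str        # how the act was captured, e.g. "checkbox_ticked"


class ConsentError(Exception):
    """Raised when a consent grant does not meet the opt-in rules."""


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    # Only an affirmative act counts as consent. Pre-ticked boxes, inactivity
    # or acceptance of unrelated terms are rejected. (Assumed evidence labels.)
    AFFIRMATIVE = frozenset({"checkbox_ticked", "signup_button_clicked",
                             "double_opt_in_confirmed"})

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, channel: str,
              terms_version: str, evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        if evidence not in self.AFFIRMATIVE:
            raise ConsentError(f"{purpose}/{channel}: consent needs an affirmative act, got {evidence!r}")
        event = ConsentEvent(principal_id, purpose, channel, "grant", at or _now(), terms_version, evidence)
        self._events.append(event)
        return event

    def withdraw(self, principal_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(principal_id, purpose, channel, "withdraw", at or _now(), "", "withdrawal_request")
        self._events.append(event)
        return event

    def is_granted(self, principal_id: str, purpose: str, channel: str,
                   at: Optional[datetime] = None) -> bool:
        """Consent state for one (purpose, channel) as of `at`: the latest event decides."""
        at = at or _now()
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if (ev.principal_id, ev.purpose, ev.channel) != (principal_id, purpose, channel):
                continue
            if ev.at <= at and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.action == "grant"

    def may_process(self, principal_id: str, purpose: str, channel: str,
                    processing_start: datetime) -> bool:
        """Consent must be in place no later than the commencement of processing."""
        return self.is_granted(principal_id, purpose, channel, at=processing_start)

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Record of a data principal's consent actions, for access requests and audits."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def demo() -> Dict[str, object]:
    """Constructed scenario; returns the outcomes so they can be checked."""
    ledger = ConsentLedger()
    t0 = datetime(2020, 1, 10, 9, 0, tzinfo=timezone.utc)
    principal = "p-1001"  # constructed identifier

    try:  # a pre-ticked box is not consent
        ledger.grant(principal, "daily_headlines", "email", "mailing-terms-v3", "checkbox_preticked", at=t0)
        preticked_rejected = False
    except ConsentError:
        preticked_rejected = True

    # Granular grant: email only; SMS for the same purpose is not covered.
    ledger.grant(principal, "daily_headlines", "email", "mailing-terms-v3", "checkbox_ticked", at=t0)
    results: Dict[str, object] = {
        "preticked_rejected": preticked_rejected,
        "email_ok_after_grant": ledger.may_process(principal, "daily_headlines", "email", t0 + timedelta(minutes=1)),
        "sms_not_covered": ledger.may_process(principal, "daily_headlines", "sms", t0 + timedelta(minutes=1)),
        "processing_before_consent": ledger.may_process(principal, "daily_headlines", "email", t0 - timedelta(days=1)),
    }
    # Withdrawal applies from its timestamp; earlier processing stays covered in the record.
    ledger.withdraw(principal, "daily_headlines", "email", at=t0 + timedelta(days=30))
    results["email_after_withdrawal"] = ledger.may_process(principal, "daily_headlines", "email", t0 + timedelta(days=31))
    results["email_before_withdrawal"] = ledger.may_process(principal, "daily_headlines", "email", t0 + timedelta(days=29))
    results["events_recorded"] = len(ledger.history(principal))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger is append-only on purpose: a withdrawal does not erase the earlier grant, so processing that happened while consent was valid remains justifiable when the record is produced for an access request or an audit. Any real deployment would persist these events and attach the terms version actually displayed to the user.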
Website - should include:
- Positive action to opt in (click a button / tick a box)
- Provide a choice of frequency, content and channel
- Clear mailing terms and conditions, not bundled with other terms
- Tell customers what you will do with this data and ask for consent
Pop-up box - should include:
- Simple, clear language outlining content, channel, frequency and timings, i.e. ‘sign up for daily emails on the biggest headlines each morning’
- No confusing tick boxes
- Affirmative action to opt in by clicking a sign-up button
- Link to mailing consent terms & conditions
- No incentive
Marketing emails/ SMS - should include:
- a. Unselected box to subscribe to email
- b. Outlines channel, content and frequency expectations
- c. Link to mailing consent terms & conditions, kept separate from purchase terms & conditions
Social media - should include:
- a. Copy outlines channel, content and frequency expectations
- b. Positive action required to subscribe
- c. Includes link to mailing privacy policy and how to unsubscribe
- d. No incentives
Mobile application - should include:
- a. Content, frequency and channel outlined
- b. Positive action required for sign up
- c. Mailing terms & conditions not bundled with services terms & conditions