PERSONAL DATA PROTECTION BILL, 2018: KEY COMPLIANCE POINTS

Apart from the requirement of obtaining consent and display of privacy notice, the following are certain key compliance required to be followed under the Personal Data Protection Bill, 2018 (“Bill”):

– Security Safeguards: Both data fiduciary and data processor are required to implement “appropriate security safeguards”.There is no prescribed ‘appropriate’ security safeguard under the Bill. Given that the “privacy by design” provision (Clause 29) has a broad requirement for technology used in the processing of personal data to be in “conformity with commercially accepted or certified standards”, it is advisable to rely on market-standard.

In looking for a market standard, it is relevant to note that under the current regime i.e. the Information Technology Act, 2000, it is IS/ISO/IEC 27001 on “Information Technology -Security Techniques – Information Security Management System -Requirements” which is the prescribed security safeguard. The security safeguards are to be reviewed “periodically” and are to be audited annually by an independent auditor in case one is registered as a significant data fiduciary.

– Privacy by design: Data fiduciaries are required to implement “policies and measures” within the organisation at different managerial level to anticipate and avoid any harm to data principal. As mentioned earlier, the technology used in the processing of personal data has to conform with commercially accepted or certified standards.

– Grievance Redress: All data fiduciaries are required to the have proper procedures in place to address the grievances of data principals effectively and in a speedy manner. Any grievance of a data principal is required to be “resolved” by the data fiduciary within 30 days of receipt of the grievance. Post expiry of 30 days, the data principal will have the right to file a complaint with the adjudication wing of the Data Protection Authority (“Authority”).

– Data breach notification: It is mandatory for a data fiduciary to notify the Authority of any personal data breach relating to the data processed by such data fiduciary. The notification is required to be made as soon as possible. The Authority also has the power to direct the concerned data fiduciary to report such data breach to the data principal, take remedial action and post the details of the breach on the website of the data fiduciary.

Significant Data Fiduciary: Additional Compliances

Under the Bill, the Authority has the power to notify certain data fiduciaries or class of data fiduciaries as significant data fiduciaries which then have to be registered with the Authority. Following are the additional compliances required to be followed by such notified significant data fiduciaries:

Data Protection Officer: A significant data fiduciary is required to appoint a data protection officer to carry out the functions laid down under the Bill such as aiding and cooperating with the Authority regarding compliance of the data fiduciary. The foreign company to which the Bill is applicable to is also required to appoint a data protection officer who will be based in India.

Data Protection Impact Assessment: Significant data fiduciaries are also under obligation to undertake a formal data protection impact assessment before commencing any processing which involves new technologies or large-scale profiling or use of sensitive personal data such as genetic data or biometric data. The data protection officer is required to review and submit the report to the Authority.

Record Keeping: It is mandatory for significant data fiduciaries to maintain records of: (a) important operations in the data life-cycle such as collection, transfers and erasure of personal data, (b) periodic review of security standards, (c) data protection impact assessment and (d) any other aspect prescribed by the Authority.

Data Audit: An annual data audit is required to be conducted by a significant data fiduciary by an independent data auditor (registered with the Authority) to evaluate compliance with the Bill. The data auditor may also assign a rating in the form of a data trust score to the data fiduciary pursuant to the data audit.