India’s Data Protection Bill – What can businesses expect?

A mere two months after the GDPR (General Data Protection Regulation) was enforced on businesses dealing with data belonging to EU citizens, the BN Sri Krishna Committee submitted their version of a draft bill and report for India’s own Personal Data Protection Bill. The introduction of this possible new regulation in India has sent jitters down the spines of most businesses. While most enterprises are still grasping with the reality of being fully compliant with GDPR, this new Data Protection Law would entail pulling in more resources and IT help to ensure secure and lawful management of data. Having said this, before this law comes into force, organizations need to understand the key provisions of the bill, to judge where they currently stand.

In a backdrop of uncertainty over data management, rampant hackers and data breaches, the BN Srikrishna Committee was set up last year under former Supreme Court judge Justice BN Srikrishna and was tasked with suggesting principles for a data protection law in our country. After several deliberations and meetings, the committee made several suggestions to secure data and protect privacy in the report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”. This report identifies the data fiduciary – the collector or processor of data and the data principal – the individual who owns the data. Within this framework of a data fiduciary and a data principal the report outlines personal data and sensitive personal data as well as the aspects that revolve around “consent”.

A couple of key provisions of the bill are expected to have a considerable effect on how organizations operate in India. For instance, a major clause outlined in the draft bill is with regard to data localization, necessitating a copy of personal data to be stored on physical servers within the country. Another one being the setting up of a Data Protection Authority (DPA) to impose fines on parties that are found to be non-compliant with any provisions of the bill, which warrants businesses to assess their current policies and procedures to gauge their level of compliance and makes them accountable.

While this report has generated a lot of buzz among establishments in India, its pertinent to look at some of the finer aspects that can have an effect on businesses like IT restructuring, internal reorganization and the need to amplify the importance to security and privacy. The implementation of this bill would require businesses to assess their current IT infrastructure and make concerted efforts toward being fully compliant. This means updating legacy systems and installing or hiring third party help to store data locally. Even with additional revenue investment initially, this will only benefit the organization going forward.

The enforcement of this bill would bring conversations around data security to life and all heads will turn to the C-Suite of an enterprise. 100% compliance is no easy task and therefore, the Chief Information Officer or Chief Privacy Officer or Chief Digital Officer would need all hands-on deck. Refreshed policies, ensuring synchronisation across departments and regular checks would have to be taken up by the top management.  

It is now safe to say that security and privacy of data are the key components of updating IT infrastructure and internal organizational changes. If this bill comes into motion, organizations will have a clear agenda to move forward with. The possible formation of a regulatory body – DPA (Data Protection Authority), enforcement action and penalties will induce businesses to have privacy and secure design and implementation at the core of their operating process. While this would also require a considerable investment of resources to ensure compliance in the short term, this will only lead to positive growth in the long run for organizations in India.

Having understood the various aspects of this bill that can affect businesses, it is important to understand that at the core of business relationships is trust. We build this trust by improving the management and protection of data held on behalf of customers, partners and employees. We therefore believe that this is an opportunity for organisations in India and not a threat. In India, we have been lacking a clear legal framework and have been operating in a grey area in terms of data use. The implementation of this bill can therefore act as a clear guiding outline in the long-run.