Data Protection Compliance By Data Fiduciaries
DATA PROTECTION COMPLIANCE
The Personal Data Protection Bill, 2019 (“Bill”) is significant legislation which seeks to regulate how personal data is treated by the entities collecting such data and establishes a statutory authority to regulate and enforce the data protection regime in India. The Bill governs the processing of personal data by the government, entities incorporated in India, and foreign companies collecting personal data of individuals in India. The Bill terms personal data as any data which includes characteristics or traits about an individual which can be used to identify such individual. Such data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government. Under the Bill, the term Data Fiduciary means anyone who collects the above-mentioned personal data, which makes social media platforms, banks or even the local RTO offices a Data Fiduciary. A Data Principal is any person to whom the said personal data relates.
OBLIGATIONS OF DATA FIDUCIARIES
The Bill places certain obligations on the Data Fiduciary, which include: that personal data should not be collected or processed without the consent of the Data Principal; that such collection of data should be for a specific, clear and lawful purpose; and that the processing of such data should be fair and reasonable at all times in order to ensure the privacy of the Data Principal.
The Bill mandates that explicit consent from the Data Principal must be taken in respect of the data to be processed. The consent is only considered adequate under the Bill if it is free of coercion, given with due information, specific to the purpose, clear in wording and fully capable of being withdrawn at all times. Further, the Data Fiduciary is supposed to maintain the data in the most accurate and up-to-date form, and in case any discrepancy is found, the same is to be reported to the Data Principal for amendment or correction. The Bill also mandates that once the purpose has been achieved, the data should be immediately deleted unless the same is required to be maintained by any law or judicial order.
The Bill seeks to enforce the above by way of heavy penalties: a fine of five crore rupees or 2% of total worldwide turnover, whichever is higher, in case of failure to fulfil the obligations, and a fine of 15 crore rupees or 4% of total worldwide turnover, whichever is higher, in case of processing or transferring personal data in violation of the Bill.
All Data Fiduciaries are required to comply with the provisions of the Bill once it is passed by Parliament. In order to comply with the provisions of the Bill, organisations should follow certain best practices, which may include:
A) DATA PROTECTION IMPACT ASSESSMENT
B) COLLECTION AND PURPOSE
Have a legal justification for data collection and processing. Under the Bill, data can be collected only for purposes which are clear, specific and lawful, and should only be processed for the specified purpose. Data collected should be stored in a secure manner, as any breach can have severe implications.
C) CONSENT
Consent should be free, unambiguous, informed, specific and capable of being revoked by the Data Principal. Consent cannot be made a condition of using a particular service by the Data Principal. The onus to prove that the consent of the Data Principal is free and without coercion is on the Data Fiduciary. Specific consent is required to be taken in the case of sensitive personal data. Sensitive Personal Data will be defined by the data protection authority.
D) DATA SECURITY
It is advisable to lay emphasis on the security of the data collected. Employees should be sensitised to the importance of data protection and the mechanisms for it employed by the organisation. It is important to have clear protocols within the organisation for reporting a data breach.
E) AGREEMENTS WITH THIRD PARTIES
It is important that clear agreements be entered into with data processors and third parties who may handle the data collected by the Data Fiduciary. The agreements should impose the highest data protection obligations and guarantee sufficient data protection.
F) DATA OFFICER
Appoint a data protection or grievance officer and provide their contact details prominently on the company website and in other significant places which can be accessed by Data Principals.
G) DATA MINIMALISATION
Make it easy for Data Principals to delete their data or to ask the Data Fiduciary to stop processing their data. It is advisable that no data is retained beyond what is necessary.
Besides the above steps, it is also important that companies adopt a sound defence strategy for a data breach, covering its legal, technical and public relations aspects.
Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.