
Data Protection Compliance By Data Fiduciaries

The Bill terms personal data as any data which includes characteristics or traits about an individual which can be used to identify such individual.


DATA PROTECTION COMPLIANCE
The Personal Data Protection Bill, 2019 (“Bill”) is a significant piece of legislation which seeks to regulate how personal data is treated by the entities collecting such data and establishes a statutory authority to regulate and enforce the data protection regime in India. The Bill governs the processing of personal data by the government, by entities incorporated in India, and by foreign companies collecting personal data of individuals in India. The Bill terms personal data as any data which includes characteristics or traits about an individual which can be used to identify such individual. Such data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government. Under the Bill, the term Data Fiduciary means anyone who collects the above-mentioned personal data, which makes social media platforms, banks or even the local RTO offices Data Fiduciaries. A Data Principal is any person to whom the said personal data relates.

OBLIGATIONS OF DATA FIDUCIARIES
The Bill places certain obligations on the Data Fiduciary, which include: that personal data should not be collected or processed without the consent of the Data Principal; that such collection of data should be for a specific, clear and lawful purpose; and that the processing of such data should be fair and reasonable at all times in order to ensure the privacy of the Data Principal.

The Bill mandates that explicit consent from the Data Principal must be taken in respect of the data to be processed. The consent is only considered adequate under the Bill if it is free of coercion, informed, specific to the purpose, clear in wording and fully capable of being withdrawn at all times. Further, the Data Fiduciary is required to maintain the data in the most accurate and up-to-date form, and in case any discrepancy is found, the same is to be reported to the Data Principal for amendment or correction. The Bill also mandates that once the purpose has been achieved, the data should be deleted immediately unless the same is required to be retained by any law or judicial order.

The Bill seeks to enforce the above by way of heavy penalties, such as a fine of five crore rupees or 2% of total worldwide turnover, whichever is higher, in case of failure to fulfil the obligations, and a fine of 15 crore rupees or 4% of total worldwide turnover, whichever is higher, in case of processing or transferring personal data in violation of the Bill.

All Data Fiduciaries are required to comply with the provisions of the Bill once it is passed by Parliament. In order to comply with the provisions of the Bill, organisations should follow certain best practices, which may include:

A) DATA PROTECTION IMPACT ASSESSMENT
As a starting point for compliance with the law, it is essential to identify what kind of data is collected, from whom it is collected, the purpose for which the said data is processed, for how long such data is preserved and how it is preserved. At the same time, security protocols regarding the handling of such data should be reviewed. This is termed a Data Protection Impact Assessment. Based on the results, a privacy policy should be created which will be a binding contract between the Data Fiduciary and the Data Principal, and it shall outline the terms under which the Data Principal has granted the Data Fiduciary access to its data.

B) COLLECTION AND PURPOSE
Have a legal justification for data collection and processing. Under the Bill, data can be collected only for purposes which are clear, specific and lawful. Data should only be processed for the specified purpose. Data collected should be stored in a secure manner, as any breach can have severe implications.

C) CONSENT
Consent should be free, unambiguous, informed, specific and capable of being revoked by the Data Principal. Consent cannot be made a condition of using a particular service by the Data Principal. The onus of proving that the consent given by the Data Principal is free and without coercion is on the Data Fiduciary. Specific consent is required to be taken in the case of sensitive personal data. Sensitive Personal Data will be defined by the data protection authority.

D) DATA SECURITY
It is advisable to lay emphasis on the security of the data collected. Employees should be sensitised to the importance of data protection and to the mechanisms for it employed by the organisation. It is important to have clear protocols for reporting a data breach within the organisation.

E) AGREEMENTS WITH THIRD PARTIES
It is important that clear agreements be entered into with data processors and third parties who may handle the data collected by Data Fiduciaries. The agreements should impose the highest data protection obligations and guarantee sufficient data protection.

F) DATA OFFICER
Appoint a data protection or grievance officer and provide their contact details prominently on the company website and in other significant places which can be accessed by Data Principals.

G) DATA MINIMISATION
Make it easy for Data Principals to delete their data or to ask Data Fiduciaries to stop processing their data. It is advisable that no data is retained beyond what is necessary.

H) CLARITY OF PRIVACY POLICY
Lastly, the privacy policy should be concise, transparent, unambiguous and easily accessible, using clear and plain language.

Besides the above steps, it is also important that companies adopt a sound defence strategy, covering legal, technical and public relations aspects, for use in case of a data breach.

Disclaimer: The views expressed in the article above are those of the author and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.


Rajat Prakash

The author is Managing Partner, Athena Legal and Specialists in Corporate and Commercial Law
