
India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill is not a certainty but is likely to pass, and it would replace what some consider to be archaic data protection regulations. Although the text is not finalized, the biggest obstacle, if it is implemented as envisioned, is its strict data localization requirement. India has been among the countries legislating data privacy for decades, a process culminating in the 2021 JPC report submission. Here is a look at the history of data privacy legislation in India.


The History of Data Privacy Legislation in India

  • 2000 – The Information Technology Act is passed by parliament and signed by President K.R. Narayanan, addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of India and passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – The Personal Data Protection Bill is introduced and immediately sent to the JPC for examination.
  • 2021 – The JPC submits its report on the PDP Bill, with recommended revisions, to the Indian Parliament.


The long-awaited report, submitted on December 16, 2021 by the JPC, provides necessary clarifications and modifications that seek to improve the wording and governance of the bill.


The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to the Data Protection Bill and will cover both personal and non-personal data. This is unusual, since distinguishing between the two types can be difficult when managing large volumes of data. Clauses also address the data of deceased persons and the transfer of minors' rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to contact the data subject 3 months before they reach adult age to obtain fresh consent, and “must continue providing the services to the child unless the child withdraws consent.”


The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. As in California, there is discussion of an oversight body, the Data Protection Authority of India, that would supervise compliance with the proposed law. Given the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Like most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.


GDPR: Key components of the regulation

The General Data Protection Regulation (GDPR) is one of the most robust individual privacy rights frameworks enacted to date. The regulation contains 99 articles, but it is a handful of those that have upended the traditional privacy paradigm.


Those paradigm-shifting components include:

  • The Data Protection Officer (DPO) mandate
  • A broader-than-ever-before view on individual rights
  • An actually clear opt-in requirement
  • A breach disclosure mandate

To support these new responsibilities, most enterprises will have to automate their privacy rights management processes.


The Data Protection Officer (DPO)

Like any change initiative, the first step is to create a sense of urgency. The possibility of large fines and a concrete launch date should achieve that. The next step is to identify a “champion” to lead the change. GDPR guidelines impose the need for a Data Protection Officer who is responsible for regulatory compliance and reports to the President or CEO. This responsibility can no longer be delegated to a mid-level manager within the IT or data science departments whom the CEO can claim was not aware of any shortcomings around data governance. As of May 25th, it is clearly stated that responsibility lies within the C-suite.


It should be noted that the DPO role can be filled by an outside entity. Since qualified DPOs tend to be both expensive and difficult to find, fractional DPOs and DPO-as-a-Service offerings from professional services companies may be a more viable alternative.


Here are some of the main responsibilities of the DPO, as outlined by ITGovernance.co.uk:

  • Inform and advise the organization and its employees of their data protection obligations under the GDPR
  • Monitor the organization’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
  • Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation, and outcomes.
  • Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
  • Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.


The DPO’s success in achieving these objectives will require support from all levels and functions within the organization, presenting a major opportunity to develop a unification process that transcends silos and builds company-wide efficiencies. This, in turn, can be viewed as one of the first competitive advantages discussed in the next section. It is also important to note that technological solutions exist to support these compliance initiatives.


Data subject rights

The most complex requirement in this new regulation is likely Article 17, the data subject’s rights, which include the rights to opt out of processing, to view data and understand its use, and to be forgotten (or to contest or move data).


At the center of the GDPR is the data subject’s right to have visibility into the data any company has tracked or processed about them, as well as how that data is being used by the company. For smaller companies with a single data source such as a CRM, this is simpler to address. It may involve development work to expose that data to an individual in a way that ensures the person’s identity can be validated, the interaction is time-stamped, and these items can be demonstrated to third-party auditors and regulators at a later date. For larger companies with multiple data repositories, however, this requirement can be more challenging. Most companies have at least four different data sources drawn from CRM, ERP, billing, analytics, human resources, applicant tracking, e-commerce, ticket management, help desk, and websites.


While many companies may be able to handle responding to a few requests manually each month, processing hundreds or even thousands can quickly become overburdening, particularly since the regulation mandates compliance with a request within one month. In these situations, companies will need to investigate solutions for centralizing data and automating the processing of subject access requests and associated individual rights.


In addition to better visibility, under the GDPR the data subject gains new powers over what can be done with their data. This includes the right to be forgotten and the right to contest or move data. The right to be forgotten, for example, allows a data subject to request that certain data be deleted, which can include a single data point such as their email address or a particular transaction, or the user’s entire data record with a company. From a business standpoint, keep in mind that “forgetting” a data subject does not necessarily mean deleting the record; in many cases it involves anonymizing it. Anonymizing removes the data subject’s association with a particular transaction, for example, while your business may still have a legitimate reason to retain that transaction for proper billing records.


Deleting or anonymizing the data is the easy part, however. Knowing where all the data points are located, and then proving that they have all been deleted, is far more challenging. This is accentuated by the fact that many organizations are unaware of all the past and present data collection initiatives that various internal departments may have in place. An example of such an initiative might be a “shadow IT” project whose existence is known only to a handful of employees. These often circumvent the more formal IT approval processes in favor of speed to market, and are therefore frequently developed without the full knowledge of the IT department. For instance, a marketing department seeking real-time consumer data might create its own solutions to measure and track customers in its stores, and these often run outside of existing IT networks.


Companies must also be aware of—and are partly responsible for—their vendors, partners, and third-party software platforms, many of which may be serving as data processors for customer information. Ultimately companies and their vendors share GDPR compliance duties, but this does not eliminate an organization’s responsibility to ensure that data subjects’ rights are properly managed across the data supply chain.


It is also important to note that data subjects’ protection rights are not solely applicable to customers. As David Dadoun, Head of global shoe retailer Aldo Group’s Business Intelligence and Data Governance organization, shared: “...sensitive HR employee data must also be treated with the same care. There is obviously fiscally regulated data such as income tax reporting and the like that cannot be deleted upon request, but otherwise, employees benefit from many of the data subject privileges as consumers.”


Right to Erasure Stats


Clear opt-in

When it comes to terms and conditions, consumers click “accept” almost daily while rarely taking the time to read the multiple pages of small print detailing what they are accepting. The new regulation demands that the categories of data being collected and the reason for the collection be written in “clear terms.” The GDPR also requires that the option to opt out of communication or processing be just as clear and easy as opting in.


Breach disclosure

Many data breaches go for weeks, months, or even years before being disclosed. According to a Bitdefender report, the average breach runs over 37.9 days before detection or reporting. Under Article 33 of the GDPR, disclosure of a “material breach” to all stakeholders must occur within 72 hours of occurrence, not discovery. This will force organizations to pay much closer attention to breach signals or risk large fines for non-compliance.


Fines that have a real impact on the company’s bottom line are intended to instill a heightened sense of urgency and overcome “breach fatigue.” Consumers seem to have become so accustomed to data breaches that what used to be outrage (e.g., the 2013 Target breach) has almost fizzled into indifference. Going forward, when an EU data subject’s personal and sensitive data is compromised, apathy should no longer be the typical response.


Compliance with the GDPR will not guarantee a full stop to breaches, particularly as technologies both for attacking and defending databases continue to advance. However, it should greatly boost a company’s motivation to respond to breaches in a quick, effective manner.


Automation

Though not explicitly a requirement of the GDPR, the practical effect of all these new elements is the sheer scale at which data discovery, data monitoring, breach management, and Subject Access Requests will affect each business. As Chris Babel, CEO of TrustArc, said, "The GDPR is driving a fundamental shift in how companies manage privacy. In addition to requiring the development of new processes, companies need to operationalize their program in order to efficiently manage compliance on an ongoing basis. The only way to do this at scale is by using technology to automate the process versus just relying on hiring more people."


For many companies, May 25, 2018 marked the end of the “assessment period” and the beginning of the “operationalizing period,” during which platform adoption will likely take center stage.

About Truyo
Powered by IntelⓇ, Truyo is the automated answer for enterprises seeking to deploy truly integrated SAR, consent, and other data privacy rights processing capabilities that scale with your needs, deliver conspicuous compliance, and adapt to new privacy regulations as they emerge.