
India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee (JPC) submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill, which is likely but not certain to pass, would replace what some consider to be archaic data protection regulations. Although the bill is not finalized, the biggest obstacle, if it is implemented as envisioned, is strict data localization. India has been in the group of countries legislating data privacy for decades, culminating in the 2021 JPC report submission. Here’s a look at the history of data privacy legislation in India.

 

The History of Data Privacy Legislation in India

  • 2000 – Information Technology Act is passed by parliament and signed by President K.R. Narayanan addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of India and passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – The Personal Data Protection Bill is introduced and immediately sent to the JPC to be examined.
  • 2021 – JPC submits its report on PDP revisions to the Indian Parliament.

 

The long-awaited report submitted December 16, 2021 by the JPC has provided necessary clarification and modifications that seek to enhance the syntax and governance of the bill.

 

The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to Data Protection Bill and will cover both personal and non-personal data, which is unusual because distinguishing between data types can be difficult when managing mass amounts of data. Clauses also address the deceased and transfer of minor rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a timeline with a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to communicate with the subject 3 months prior to adult age to regain consent and “must continue providing the services to the child unless the child withdraws consent.”

 

The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. Like California, there is discussion of an oversight committee called the Data Protection Authority of India that would supervise compliance with the proposed law. With the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Not unlike most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.

 


Privacy rights compliance management: The new competitive differentiator

In the face of continued consumer distrust over data privacy and a regulatory environment that remains uncertain, forward-thinking companies are building best practices for data stewardship – and creating a competitive advantage in the process.

 

Consumers are more concerned about data privacy than ever before. It is the No. 1 social issue that Americans would like businesses to address. Even ahead of healthcare.

 

Regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act 2018 (CCPA) – and a host of other new regulations being developed around the world – are attempts to calm those fears and force companies to be better stewards of their customers’, or users’, data.

 

Yet the new regulations don’t seem to have had an immediate calming effect. Several months after GDPR was enacted, a Global Web Index survey found that 70% of internet users in the UK and U.S. were more concerned about their online privacy than a year earlier.

 

In this kind of environment there is a tremendous opportunity for forward-thinking companies to build a competitive advantage based on good data stewardship.

 


 

Opportunities for forward-thinking companies

We have entered a new privacy paradigm. Privacy rights compliance management used to mean protecting your customers’ data. Today it also means enabling your customers to exercise control over their data.

 

The basic idea, in this new privacy paradigm, is this: When a user gives personal, sensitive information to a company in order to get a service, that company should have a duty to exercise care in how it collects, analyzes, manipulates, and shares that information. India McKinney, a legislative analyst for the Electronic Frontier Foundation, reflected the popular consensus well: Companies should “serve as fiduciaries for their consumers' data, and to satisfy duties of loyalty, confidentiality, and care for their users.”

 


 

Personalization and privacy can coexist

There’s a valid concern that rigid privacy rights rules could stifle innovation – just as companies are increasingly able to turn data into competitive advantage. As Gartner analyst Saul Judah explains it, “Effective governance is a critical success factor for data and analytics initiatives, and one of the most difficult challenges that organizations face.”

 

Yet it’s a misconception that personalization and privacy are conflicting efforts. In fact, they’re symbiotic opportunities to deliver business value. Leverage customers’ data to deliver more personalized products and services to them, and at the same time be a good steward of that customer data.

 


 

Best practices for data trust and business success

Being an effective steward of your customers’ data can be a key differentiator as you acquire new and deepen existing customer relationships. Delight your customers with clarity, speed, and education.

 

There are three best practices that will take you a long way toward establishing that competitive advantage:

1. Privacy portal

This is the number one way to deliver transparency to your data subjects. Unlike a basic web form, a privacy portal is a space in which your users can self-administer some or all of their privacy requests. A portal enables the secure transfer of sensitive information with a password and SSL encryption. You can communicate disclosures, past consent(s), and open and closed requests. Intelligently designed workflows make the process easier and more understandable.

 

2. Matrix of consent

A matrix of consent helps manage complexity by tying data categories (profile data, social data, contact info, income data, etc.) to data uses (app, new account, loan application, etc.). The matrix shows the type of data used by each service. It shows what data subjects have agreed to, what they have specifically revoked access to, and what data does not apply to a particular service. It provides easily understandable transparency into the ways your access to a customer’s data enables you to provide their services.

 

3. Automating for fast response

For most organizations, best practice privacy rights compliance management demands at least some automation. If you expect to receive a lot of subject access requests or you have a very complex data environment to extract the data from, automation is key to fulfilling requests quickly and transparently. (What’s more, organizations in that position often find that the cost of automating some or all of the process is less than the operational overhead required to manually manage the requests.)

 

There are other best practices in privacy rights compliance management, of course, including practices that reduce operational overhead by automatically deleting or anonymizing records across hundreds of back-end systems. But these three are the key ones to delight customers and thereby gain competitive advantage.

 


 

Now what?

None of this is easy. For most businesses, managing data, alerting users to their rights, and responding to data subject access requests is an overwhelming amount of work. Making it more difficult is the fact that data privacy regulations continue to change.

 

The ideal solution is a complex piece of software that can navigate through the different regulations and render a complex web of rules into a platform that can be easily understood.

 

The Apples and Microsofts of the world are building their own such software. For most companies, that’s not the best approach.

 

There are reasons why most enterprises license Salesforce rather than building their own customer relationship management system … why Oracle’s fastest growing products are as-a-service solutions:

  • You get much faster time to benefit (just license and configure, which takes weeks rather than months)
  • Typically, the all-in costs are much lower over time
  • It is, by definition, highly scalable
  • You get new releases and upgrades as soon as they’re rolled out

 

A software-as-a-service solution for privacy rights compliance management has all those same benefits, which go a long way to delivering flexibility for today’s uncertain privacy rights environment.

 

Indeed, in their July 2018 survey, TrustArc found that 87% of companies are looking to a third party to help meet GDPR compliance requirements. More than half use third-party technology and tools to automate and operationalize data privacy.

 


 

By turning to a purpose-built SaaS solution, you can focus on building trust with your users and customers and understanding what the data means. And that can be a huge competitive advantage to the business that is your primary focus.

 
