By: Shivangi Nadkarni, Co-Founder & CEO, Arrka
Wondering why there is so much discussion in the media around the Data Protection Bill? Why is it a game-changer for India? Here is how it impacts every business and why you need to pay attention.
‘Data is the new oil’, ‘Data is power’ and other similar paradigms have powered our thinking in the last decade. Swept up in these realities, we have often chosen to ignore the human being at the centre of much of this data – who has had absolutely no say in what data about her you collect, how you use it, how you spread it and how you protect it. In most circumstances, the hapless soul whose life has become increasingly ‘digital’ – especially in the last few years – has NO CONTROL whatsoever over the data that is almost ‘sucked out’ of her.
This Bill resets this ‘imbalance’, requiring every business – big and small – to amend their business practices, bringing back the focus on the individual.
In essence, here is what every business needs to gear up for:
- Collect only what you need to provide a particular product or service – and nothing more.
  - So, no more forcing the individual to “tell me what car you own” while, say, buying a magazine subscription.
- Have a clear purpose for every bit of personal data you collect and use that data only for that purpose.
  - So, no more routinely using data an individual has given you while purchasing Product A to send her mailers about Product B.
- Get the individual’s consent for the purposes you plan to use her data for and give her the freedom to make a choice where possible.
  - So, no more of a default assumed ‘Yes’ to ‘you can share all the data you collect about me when I use your mobile app with advertisers and data brokers as you wish’.
- Delete the data as soon as it has served its purpose.
- Get ready to cater to several rights that she can call upon you to exercise at will. Some of these are:
  - ‘Could you confirm to me if you have any of my data in your custody?’
    - She doesn’t even have to be your current/past customer to demand this from you.
  - ‘Could you give me a copy of all my data lying with you?’
    - This includes data that you may have collected directly from her, or by observing her while she visited your website or outlet, or data generated about her as part of your operations (like an account statement), or even data about her that you may have procured from other entities.
  - ‘Could you give me a list of all other entities you have shared my data with?’
    - This includes all your vendors, marketing partners and even those entities whose plug-ins you have in your website or app.
  - ‘Could you stop processing or disclosing my data to others?’
    - This could be for specific types of activities (like, say, not tracking or profiling her) or for all activities if she is no longer your active customer.
  - ‘Could you erase all the data you have about me?’
    - This includes data in your custody as well as what you may have shared with others.
- Ensure the security of the data in your custody.
  - And if any data is leaked, lost, stolen, damaged, etc. – deliberately or by mistake – you will need to notify the Data Protection Authority (the regulator) within 72 hours; the Authority, in turn, may require you to notify the affected individual too.
Other key points from the bill that are of direct relevance to a business:
How Personal Data has been defined and categorized:
- It includes any data that can identify an individual – directly or indirectly. So, data like IP Addresses, data collected via Mobile App Permissions, data collected via cookies & trackers on websites, etc., is all considered Personal Data.
- Some Personal Data like health data, biometrics, financial data, transgender status, caste, etc., is categorized as ‘Sensitive Personal Data’.
- There are extra curbs and controls around how Sensitive Personal Data needs to be treated by an organization. Also, if this data is sent outside India, a copy needs to be retained in India.
- Some Personal Data may be categorized as ‘Critical Personal Data’. While the data under this category is yet to be defined by the government, it would contain data that is of national importance.
  - Such data cannot be sent outside India, except under certain very special circumstances.
This Bill applies to businesses outside India as well: those who sell to Indians or who track and profile Indians who are online.
Businesses focused on children, or who process a lot of children’s data, have special caveats. For example, you cannot do targeted advertising towards children or track/profile/do behavioral analysis of children.
Certain businesses that process large volumes of personal data, whose nature of business is such that it can have an impact on a large number of individuals, or that are otherwise considered risky are being categorized as ‘Significant Data Fiduciaries’, requiring them to put a whole lot of extra controls and processes in place.
There are a host of obligations that businesses have to carry out. These include:
- Adopting several accountability & transparency measures like putting up a detailed Privacy Notice on websites, adopting a Privacy by Design Policy, maintaining various records pertaining to processing activities, demonstrating the fairness of algorithms deployed, carrying out Data Protection Impact Assessments, etc.
- Designating a senior person as a Data Protection Officer (DPO).
- Carrying out Data Audits and getting a Data Trust Score – to be displayed in the Privacy Notice – for certain types of organizations.
What if you don’t do any of this?
Well, the penalties are steep. For serious offences/non-compliances, the fines can be up to Rs. 15 Crores / 4% of global turnover, while for others they can be up to Rs. 5 Crores / 2% of global turnover. Besides these, there are a host of ‘smaller’ offences inviting lesser fines and penalties.
How much time do you have for compliance?
You will get 2 years from the date of notification of the Law (remember – this is just a bill; it is yet to be passed in Parliament for it to become a law). However, remember that actually translating all of the above into organizational realities takes a LONG TIME – years, not months. Looking at how organizations in other countries have fared gives us a fair indication of this. For example, the GDPR in the EU was passed in 2016, came into effect in 2018, and organizations are still trying to comply.
So folks, time to gear up and get going!
Give us a shout once you decide to get going (email@example.com | www.arrka.com). Arrka’s decade-long experience in empowering organizations to implement Privacy with India’s first and only Privacy Management Platform (APMP), Arrka Academy (India’s only Privacy training academy exclusively focused on Privacy) and Arrka Lab (India’s only Privacy Testing Lab) can get you going with ease and efficiency.