The Era of Taking Data For Granted Is Over

By: Shivangi Nadkarni, Co-Founder & CEO, Arrka


Wondering why there is so much discussion in the media around the Data Protection Bill? Why is it a game-changer for India? Here is how it impacts every business and why you need to pay attention.

‘Data is the new oil’, ‘Data is power’ and other similar paradigms have powered our thinking in the last decade. Swept up in these realities, we have often chosen to ignore the human being at the centre of much of this data – who has had absolutely no say in what data about her you collect, how you use it, how you spread it and how you protect it. In most circumstances, the hapless soul whose life has become increasingly ‘digital’ – especially in the last few years – has NO CONTROL whatsoever over the data that is almost ‘sucked out’ of her.

This Bill resets this ‘imbalance’, requiring every business – big and small – to amend their business practices, bringing back the focus on the individual.

In essence, here is what every business needs to gear up for:


Other key points from the bill that are of direct relevance to a business:

How Personal Data has been defined and categorized:

This Bill applies to businesses outside India as well - who sell to Indians or who track and profile Indians who are online.

Businesses focused on children, or that process a lot of children’s data, have special caveats. For example, you cannot do targeted advertising towards children or track/profile/do behavioral analysis of children.

Certain businesses that process large volumes of personal data, whose nature of business is such that it can have an impact on a large number of individuals, or that are otherwise considered risky are being categorized as ‘Significant Data Fiduciaries’, requiring them to put a whole lot of extra controls and processes in place.

There are a host of obligations that businesses have to carry out. These include:

What if you don’t do any of this?

Well, the penalties are steep. For serious offences/non-compliances, the fines can be up to Rs. 15 Crores/4% of global turnover, while for others they can be up to Rs. 5 Crores/2% of global turnover. Besides, there are a host of ‘smaller’ offences inviting lesser fines and penalties.

How much time do you have for compliance?

You will get 2 years from the date of notification of the Law (remember – this is just a bill. It is yet to be passed in Parliament for it to become a law). However, remember that actually translating all of the above into organizational realities takes a LONG TIME – years, not months. Looking at how organizations in other countries have fared gives us a fair indication of this. For example, the GDPR in the EU was passed in 2016, came into effect in 2018 and organizations are still trying to comply.

So folks, time to gear up and get going!

Give us a shout once you decide to get going. Arrka’s decade-long experience in empowering organizations to implement Privacy with India’s first and only Privacy Management Platform (APMP), Arrka Academy (India’s only Privacy training academy exclusively focused on Privacy) and Arrka Lab (India’s only Privacy Testing Lab) can get you going with ease and efficiency.