In today's digital age, a primary point of concern for individuals is the breach of their privacy and personal data. India has recognized this concern, albeit a little late, through its Data Protection Bill. In a billion-strong nation, there are nearly 500 million active internet users, and India’s online market is second only to China's. Internet penetration has grown exponentially in the last five years, thanks to the growth of startups, e-commerce companies and technology offerings across industries. The implementation of this bill will largely impact how consumer data is protected and kept private.

User awareness of privacy has been on the rise lately, and consumers would be seen making more privacy-conscious decisions and regarding brands that provide greater privacy controls as better options. The Personal Data Protection Bill intends to place control in the hands of the data principals and hence provides them with the right to access and correction, the right to data portability and the right to be forgotten. It attempts to provide citizens with comprehensive data protection rights and create a trust-based relationship between the data principal and the data fiduciary.

Jaspreet Singh, Partner - Cyber Security at EY

Exemptions To The Bill
Although several countries around the world have already implemented similar data protection laws, this is a ground-breaking step for the nation towards building the significant base of a ‘trusted’ digital India. The data protection bill is like a double-edged sword: on one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows on the central government exemptions which are against the principles of processing. The state can process even sensitive personal data when required, without explicit consent from the data principals. However, the government will need to show that any processing of personal data is necessary, and that processing of sensitive personal data is strictly necessary, for the exercise of any function of the State authorized by law for the provision of a service or benefit. These broadly worded carve-outs can be misused and hence need to be carefully examined.

The bill proposes that data fiduciaries are obligated to take necessary measures and implement policies to ensure privacy is embedded and built into all the systems, applications and architecture at each stage of processing: collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure the security of personal data, such as encryption and de-identification. The bill also defines a class of sensitive data fiduciaries for organizations conducting high-risk processing. Such sensitive data fiduciaries will be obligated to take additional measures to demonstrate compliance, which include conducting Data Protection Impact Assessments, appointing a data protection officer and undergoing annual data protection audits by an external auditor.

By: Jaspreet Singh, Partner - Cyber Security at EY