In the first part of this three-part series on the soon-to-be-launched Indian Data Protection Bill (the bill) in India, we covered basic fundamentals like the bill’s stated objectives, interpretations of ‘personal data’ and ‘sensitive personal data’ as defined in the bill, entities responsible for protecting users’ personal data, compliances that these entities need to adhere to and penalties for non-compliance.
In the second part of this series, we will delve further on the 10 key components that organisations need to keep in mind to adhere to the bill’s stringent compliance guidelines.
Let’s begin!
1. Data Principal
‘Data Principal’ refers to any natural person whose personal data is being referred to.
A natural person includes:
a) An Individual
b) A Hindu Undivided Family (HUF)
c) A Company
d) A Firm
e) An association of persons or a body of individuals, whether incorporated or not
f) The State, and
g) Every artificial juridical person, not falling within any of the preceding sub-clauses.
2. Data Fiduciary
‘Data Fiduciary’ refers to any person, including the State, a company, any juristic entity or any individual who alone, or in conjunction with others, determines the purpose and means of processing a Data Principal’s personal data.
3. Data Processor
‘Data Processor’ means any person, including the State, a company, any juristic entity or any individual who processes a Data Principal’s personal data on behalf of any Data Fiduciary, but does not include an employee of the Data Fiduciary.
4. Data Processing
‘Data Processing’ refers to any operation, or set of operations, that are performed on a Data Principal’s personal data.
These includes operations like:
• Collecting
• Recording
• Organising
• Structuring
• Storing
• Adapting
• Altering
• Retrieving
• Using
• Aligning or Combining
• Indexing
• Disclosing by transmitting
• Disseminating or otherwise making available
• Restricting, and
• Erasing or Destructing.
5. Anonymisation
‘Anonymisation’ refers to the irreversible process of transforming or converting a Data Principal’s personal data to a form in which the Data Principal cannot be identified.
The process of Anonymisation should meet the standards specified by the Data Protection Authority for Anonymised Data.
6. Pseudonymisation
Unlike Anonymisation (which is an irreversible process), ‘Pseudonymisation’ is a reversible process, where a Data Principal can be identified again.
7. De-identification and Re-identification
‘De-identification’ refers to the process by which a Data Fiduciary or Data Processor may remove, or mask the identifiers of a Data Principal’s personal data, or replace them with such other fictitious name or code that is unique to the Data Principal but does not, on its own, directly identify the Data Principal.
‘Re-identification’ refers to the process by which a Data Fiduciary or Data Processor may reverse the process of De-identification.
8. Consent & Notice
The bill comprehensively defines where a Data Principal’s consent is required and the notice that Data Fiduciaries need to give Data Principals before processing their personal data.
1) Notice
At the time of data collection, the Indian data protection bill mandates Data Fiduciaries to provide the below information to the Data Principals with regards to their personal data:
a) Categories of the personal data that is being collected and the purposes for which the data will be processed
b) Data Fiduciary’s identity and contact details, along with the contact details of their Data Protection Officer (if applicable)
c) Data Principal’s ‘Right To Withdraw Consent’ and the procedure for such withdrawal
d) If the personal data is not collected directly from the Data Principal, then the source of such collection
e) Details of individuals or entities, including other Data Fiduciaries or Data Processors, with whom a Data Principal’s personal data may be shared
f) Information about any cross-border transfer of a Data Principal’s personal data that the Data Fiduciary intends to carry out
g) The period for which a Data Principal’s personal data will be retained or where such period is not known, the criteria for determining such period
h) Grievance redressal procedure, and
i) The existence of a right to file complaints to the Data Protection Authority.
2) Consent
At the time of commencement of data processing, the bill mandates Data Fiduciaries to obtain the consent of Data Principals.
For the Data Principal’s consent to be valid, the consent must be:
a) Free – having regard to whether it meets the standards laid down under section 14 of the Indian Contract Act, 1872 (9 of 1872)
b) Informed – having regard to whether the Data Principal has been provided all the required information
c) Specific – having regard to whether the Data Principal can easily determine the scope of the consent in respect to the purposes of processing of their personal data
d) Clear – having regard to whether it is indicated through an affirmative action that is meaningful in a given context, and
e) Capable of being withdrawn – having regard to whether the consent can be as easily withdrawn as it was given.
The bill further mandates that a Data Fiduciary shall bear the burden-of-proof to establish that Data Principals had given their consent for processing their personal data.
9. Processing of personal data and sensitive personal data of children
The Indian data protection bill mandates that:
1) Every Data Fiduciary shall process the personal data of children in a manner that protects and advances the rights and best interests of the child, and
2) Appropriate mechanisms are put in place by Data Fiduciaries for age verification and parental consent in order to process children’s personal data.
10. Data ownership and user rights
The bill outlines that the Data Protection Authority or the Data Protection Officer will decide the extent of ownership a Data Principal has over their personal data and the rights that follow from such ownership.
Below are some important data protection rights Data Principals have over their personal data:
1) Right to withdraw consent for their personal data that is collected and used
2) Right to restrict processing of the personal information (data) that Data Principals have provided to Data Fiduciaries
3) Right to be forgotten/de-indexed whereby Data Principals can insist Data Fiduciaries to restrict or prevent continuing disclosure of their personal data, and
4) Right of Portability through which Data Principals can compel Data Fiduciaries to return back their personal data in a way that can meaningfully allow the Data Principals to switch to a different service provider.
To Sum It Up
With the launch of the Indian Data Protection Bill, organisations can no longer take their users’ personal data for granted. In the inadvertent case of data leak, apart from suffering hefty financial penalties that can go up to Rs. 15 Crore or 4% of a company’s total worldwide turnover, organisations risk a massive loss of face and a lack of customers’ trust that are ominous signs for the sustenance of any business.
In the next and last part of this three-part series, we will elaborate in detail how Gemalto can help organisations foolproof themselves from any data breach and ensure adherence to the Data Protection Bill’s stringent mandates.