Submitted by ekta on August 10, 2023

After a long wait, India’s Digital Personal Data Protection Bill has been passed. There’s still time before the bill is converted into law, but we must start looking into its finer requirements and implementation challenges.

Here are some of the challenges and points to be considered while implementing:

Applicability of the Act:

The bill applies to the processing of digital personal data.

  • Data collected online within the Indian territory.

  • Data collected offline but digitized within Indian territory.

  • Processing outside India in cases where there is an offering of goods and services to Data Principals within the territory of India.

Challenges and Approach:

  • Identification of the data collected and processed by various services, products, and internal functions itself will be a huge task for the organizations.

  • There could also be certain services that are not fully digitized – the data is collected through paper-based forms and later keyed into the systems – Organizations will have to identify such processes and data as well.

  • Systematic identification of each business process, data source, purpose, and flow of the data would be the key to building a robust data inventory. This could be the basis for further implementation.

Privacy Notice and Consent:

Other than the requirement of using ‘clear and plain language’, the bill also states the following:

  • The Data Fiduciary shall give the Data Principal the option to access the privacy notice and the request for consent in English or any language specified in the 8th Schedule of the Constitution of India.

Challenges and Approach:

  • Communication design is the key challenge here – Clear and concise privacy notices and requests for consent in English and other languages may not be easy.

  • Using a ‘Consent Management Platform’ may help. But even organizations that use one will have to make a language setting feature available to obtain consent.


Processing the Personal Data of Children:

The requirement mandates obtaining verifiable parental consent before processing any personal data of a child.

Challenges and Approach:

  • Organizations need to identify if they process any data of a child (an individual who has not completed eighteen years of age).

  • Implementing verifiable consent by a lawful guardian could be another challenge.

Rights of Data Principals:

The Data Principal shall have the rights to access, correction and erasure, and grievance redressal, and the right to nominate another individual to exercise these rights in the event of the death or incapacity of the Data Principal.

Challenges and Approach:

  • Receiving and tracking such requests would be time-consuming and error-prone.

  • While many organizations would have already developed systems for grievance redressal, they will have to consider automating data subject request management.

Penalties:

The bill speaks about hefty penalties for failure to take reasonable security safeguards to prevent data breaches as well as non-fulfilment of certain obligations.

The challenge is to identify the risks and implement the safeguards accordingly. Identifying a Data Protection Officer, training the data protection team, and carrying out a detailed data protection impact and risk assessment would help.

Conclusion

While we await assent to the bill and further guidance, it’s time for organizations to rethink their approach to personal data processing based on the risks involved.

With our expertise in risk and compliance services, Riskpro can be your Compliance Partner as you embark on this journey. To know more, contact us at info@riskpro.in