The Ministry of Electronics & Information Technology introduced a PDP Bill in Lok Sabha in December 2019. The bill has been referred to a Joint Parliamentary Committee. The final report is still awaited.
Penalty
If you fail to comply with the PDP Bill, the penalty for serious violations is INR 15 Crores or 4% of the global annual turnover of the last financial year, whichever is higher.
The penalty for failure to conduct a data audit & other similar audits is INR 5 Crores or 2% of the global annual turnover.
Who Does It Apply To?
The PDP Bill is applicable to:
- Indian Government
- All the organizations incorporated in India & engaging in Personal Data Processing
- Foreign Organisations which are not present in India but offer Goods or Services to individuals in India
Definitions:
- Personal Data: Any data about or relating to a person or individual is Personal Data
- Sensitive Personal Data: Data such as Financial Data, Health Data, Transgender Status, Biometric Data, Genetic Data, Sex Life & Sexual Orientation, Religious Beliefs, Political Beliefs & Affiliations, and Caste & Tribe are considered Sensitive Personal Data
Key Roles:
- Data Fiduciary: The organization that decides the purpose & means of processing personal data
- Data Processor: The organization which processes personal data on behalf of a Data Fiduciary
- Data Principal: The individual whose data is being processed
Responsibility of an Organisation (Data Fiduciary)
- Process Personal Data in a fair & reasonable manner in line with grounds of processing
- Process personal data only for specific, clear & lawful purposes
- Obtain & Use Personal Data to the extent that is necessary
- Ensure quality of the Personal Data Processed
- Provide Privacy notice to the individuals
- Retain Personal Data only for the purpose for which it is processed
- Implement processes for providing rights to individuals
- Prepare privacy by design policy
- Implement Security Safeguards
- Implement processes for Personal Data Breach
- Have written contracts for Personal Data processing with service providers
- Institute grievance redressal mechanisms to address complaints of individuals
Additional responsibilities of Significant Data Fiduciaries
- Audit policies & conduct of processing of Personal Data annually
- Undertake a data protection impact assessment wherever necessary
- Appoint a data protection officer
- Maintain accurate & up to date records of processing
Data Storage
- Personal Data can be transferred outside India
- Transfer of Sensitive Personal Data outside India allowed subject to certain additional conditions
- Store at least one serving copy of Sensitive Personal Data on a server located in India
- Store critical personal data (to be notified by the central government) on a server located in India. It cannot be transferred outside India
Data Processing of Children (age < 18 years)
- Mandatory age verification & consent from parent/guardian for children's Personal Data Processing
Grounds of Processing Personal Data
- Consent
- Functions of the State
- Compliance with the law or court or tribunal
- Medical Emergency
- During Disasters
- Treatment of Epidemics
- Employment purposes such as recruitment, termination, attendance & performance assessment
- Reasonable purposes such as fraud prevention, debt recovery, mergers & acquisitions
Rights of Individuals
- Right to Confirmation & Access
- Right to Correction & Erasure
- Right to Data Portability
- Right to be forgotten
To know more email us at info@riskpro.in or visit our website www.riskpro.in