India’s Data Protection bill looks to provide the legal framework for the right to privacy of Indian citizens. But with suggested fines of Rs 15 crore or as much as 4% of annual revenue, non-compliance could be a costly affair.
But what are some of the key points that one needs to be cognizant of while preparing for the law?
“If you look at whatever is there in the draft bill, everything is new, for an organization in India, if you look at most of the provisions which are there in the bill, we haven’t practiced it in the past and this is what we have to take care of,” Anirban Sengupta, Partner – Cyber Security & Data Privacy, PwC said.
He further explained his point by comparing the bill with the GDPR (General Data Protection Regulation), adding that Europe already had ‘stringent regulations’ and even then organizations faced a lot of challenges in adopting it, challenges that are still prevalent. He also added that the bill introduces new concepts, such as Data Principal Rights, that organizations have not had to implement in the past, and that this is something they need to focus on.
“The next part which organizations should focus on is about consent. If the entire thing on consent management is taken care of, a lot of aspects of the bill will be addressed. Now, of course, it is easier said than done because, typically, if you look at consent, we have to take explicit consent, the consent has to be clear and concise, so we really have to look at how we set up a system which is easy, easy for end-users to understand and to give consent, and then what are the business rules that I should set up,” Sengupta added.
According to Sengupta, data governance as a practice has to evolve, and this should be a focus for organizations; the last aspect they should focus on is what lies ‘beyond their boundaries’, i.e. the data that goes to third parties, or data processors.
Talking about the issues faced by organizations, Ayan De, CTO, Exide Life Insurance, discussed the challenges that this Bill will usher in. He said that while the BFSI and Telecom sectors may be in a better position to deal with it, because their own regulations already cover matters such as data residency and how data is to be processed, there are other aspects that will need fine-tuning.
“Starting from processes to technologies, to compliance, the legal aspects, the legal framework will have to be looked at afresh; the smaller things, like the contracts that we draw with our third parties, they have to be double-clicked and seen now, what exactly goes in it. Why the vendor contracts alone? We also have to start looking at the hiring offer letters to people who are supposed to join the organization, so these are some of the things that we have to be very, very careful about,” De said.
Another aspect he touched upon is that many organizations have adopted cloud infrastructure, which raises the question of whether the security guidelines apply equally to cloud architecture, given that it is managed by a third party. With many clauses having been added to the Bill, De stated that the initial draft, which focused on personal data, is quite different from its current state.
On how long it will take for organizations to be fully compliant with the Bill, Prashant Deshpande, VP IT, Shriram Value Services, said that the major challenge that exists today is the pandemic.
“Because during the pandemic, a lot of these digital lending firms came into the picture and practically, you know, they started selling a Maggi moment, ‘Take a loan within 2 minutes’ kind of thing, and in that process what they have done is that effectively they have got access to your mobile phone and they can read all your information,” Deshpande said.
“So, yes, we are a traditional financing organization but still, we are also on digital, we are also on the mobile application, so what has happened is that the other side of the technology team always talks about AI, ML, and all those things, where they want more and more data to be collected, and they want decision-making to happen, and in that process, what we have done, we have collected humongous data,” he added.
Deshpande further explained that now that the Data Protection Bill will come into the picture, organizations will have to spend most of their time working out why they collected this data, for what purpose they have used it, how to erase it, and what impact that will have on the lifecycle of that particular loan.
“The major challenge, what we’re going to get, once we collect a lot of data for decision-making is going to be the erasure of that data. So, based on the guidelines, if the customer says, ‘The process is over, or the project is over, please erase my information’, that time, it’s going to be a major challenge,” Deshpande said.