Personal Data Protection Bill
The scope of the Bill
The Personal Data Protection Bill isn’t focused on localisation, whereas data transfer policies are designed to protect personal data which is identified as sensitive or critical.
Search for content
SearchInform solutions perform search for sensitive content in documents and classify files by tagging and applying specific policies to them. Significant data fiduciaries will be notified by the Data Protection Act based on the amount and confidentiality of the stored and processed information.
The Bill assigns the higher accountability requirements to the data fiduciaries who will be required to:
1. Conduct data protection impact assessment. 2. Employ a DPO. 3. Keep the records of data processing. 4. Audit the processing activities.
SearchInform solution helps you obtain insight into the relevancy of taken security measures and current policy evaluation as well as assess the level of audit conducted. Social media intermediaries will be defined as significant data fiduciaries not without recourse to the Data Protection Act. They should allow users in India to verify their accounts. Reasonable purposes of processing will be among legal grounds for working with data without consent. The examples of such purposes will be listed by the Bill. Although data fiduciaries would no longer be permitted to process sensitive personal data for employment purposes.
These exclusive purposes demand that companies and organisations implement proper internal risk management program and ensure accurate compliance. Proper software helps you review data use cases and make sure that the purpose is legitimate.
Processing and detection
SearchInform solution alerts to suspicious events, supervises user communication and data transfer detecting unsanctioned usage of confidential information. Deployment of the software in your system will allow you to assess whether the introduced controls and policies are sufficient and meet security standards.
Classification of vulnerable data
Anonymised data definition gets introduced in the Bill. The anonymisation standards will allow to render data non-personal. The attention to the data anonymisation and further processing initiated by the regulator and government in order to strengthen the competitiveness of India’s e-commerce sector should positively impact safety of the anonymisation process.
As for the violations committed by the company and fines defined in the Bill, the regulation can impose penalties on any person who “was in charge of and was responsible to the company for the conduct of the business of the company.” Anyone who is involved in a crime is liable for the incident and should respect security policies the configuration of which can be automated with the help of the internal activity monitoring.
Individual rights and regulatory sandboxes
The GDPR and the “right to be forgotten” vs. the Bill “personal data disclosure restriction”. The regulation doesn’t demand the data to be deleted but introduces norms for restriction and prevention of continuing disclosure of personal data.
The right to erasure and correction is applicable in case the data “is no longer necessary for the purpose for which it was processed.”
Data fiduciaries that have their policies certified by the DPA will be able to participate in the sandbox.
Such sandboxes would exclude data fiduciaries from obligations to have a “specific, clear and lawful purpose” for processing as well as from certain purpose and storage limitations.