36 tweets, 11 min read
1/n <thread>

A quick, first-cut list of implications & ‘what lies ahead’ for organizations from the Personal Data Protection Bill 2019.

Note: This thread only looks at this from a regular Indian organization’s perspective – not beyond.

#PDPBill 2019 #DataPrivacy
2/n
<Acronyms used:
PD: Personal Data
DP: Data Principal – the individual whose PD we are talking about
DF: Data Fiduciary – the orgn who collects & processes PD
DPA: Data Protection Authority – the regulator to be set up>
3/n

Personal Data categorized as PD, Sensitive PD (SPD), Critical PD. Children’s PD also looked at separately.
4/n

Key to remember:
1) Collect only what you need – minimize the Personal Data you collect.
2) Use only for the purpose(s) stated and not beyond.
5/n
#SomethingNew

“Data is kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments”.

Implies another facet to classifying and categorizing your data within the orgn.
6/n
Consent is the primary ground for processing.

Other Grounds: ‘reasonable purposes’ for:
prevention & detection of any unlawful activity/ fraud;
whistle blowing;
M&A;
N/w & Info sec;
credit scoring;
recovery of debt;
processing of publicly available PD;
ops of search engines
7/n
#SomethingNew

If processing Children’s PD: To verify age and obtain the consent of parent or guardian
8/n
#SomethingNew

Orgns operating commercial websites/online services for children or processing large volumes of children’s PD to be classified as Guardian Data Fiduciaries.

CANNOT profile, track, do behavioural monitoring of or do targeted advertising directed at children
9/n
Privacy Notice required

To have:
WHAT PD is being processed
WHERE have you got it from (if from a 3rd party)
WHY
on WHAT BASIS
WHOM is it shared with,
is it crossing borders,
how long will you keep it,
how to withdraw consent,
whom to complain to,
your Data Trust Score
10/n

Retain Data only for how long it is required and not beyond, unless specifically consented to by the DP or required by some other law.
11/n

Right to Confirmation & Access:
Inform DP:
WHETHER you are processing or have processed the DP’s PD,
WHAT data and WHAT PROCESSING activity has been undertaken (brief summary),
with WHOM it has been shared and
what PD categories are they
12/n

Right to Correction & Erasure:

Enable DP to correct/update her PD and erase if no longer required for the purpose.

Ensure 3rd Parties who have this data also update/erase.
13/n

Right to Data Portability:

For processing via automated means

DP can ask for following in a ‘structured, commonly used and machine-readable format’:
PD collected,
obtained from elsewhere,
generated or part of DP’s profile info.

Can ask to be transferred to other DF
14/n

Right to be Forgotten:

DP can ask to restrict or prevent “Continuing Disclosure” of her PD when it has served its purpose or consent has been withdrawn.

For actioning this, DP needs to apply to the Adjudicating officer who can issue an order to this effect
15/n

Rights to Confirmation & Access and Correction & Erasure to be serviced free.

Fees (to be specified by regulations) can be charged for the other two.

Response time for requests to be spelt out in regulations
16/n

#SomethingNew:
(part 1)
A ‘Privacy by Design’ (PbD) policy.

Needs to be submitted to the DPA for certification. To be published on your website and the DPA’s. Apart from the Notice.
17/n

(part 2)

PbD policy to contain (key aspects):
practices & tech sys designed to ‘anticipate, identify and avoid harm’ to the DP,
if tech used is as per accepted/certified stds,
protection of privacy thru the PD lifecycle,
processing is transparent
18/n

#SomethingNew

DP can use a ‘Consent Manager’ to manage her consents - an entity that ‘enables a DP to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform’.

#NewBusinessOpportunity
19/n

#SomethingNew

Breach Notification

Any breach to PD likely to cause harm to the DP to be reported to the DPA.

Time period to report to be specified by regulations.

DPA to determine if DP needs to be informed or not.
20/n

#SomethingNew

Some DFs to be categorized as ‘Significant Data Fiduciaries’ (SDFs) – based on volume, sensitivity, risk of harm to DP, new techs used and/or turnover.

Extra Obligations include: (1) Conduct DPIA (2) Maintain Records (3) Appoint DPO <See details below>
21/n

#SomethingNew

Social Media Intermediaries - ‘primarily or solely enable online interaction b/w 2 or more users & allows them to create, upload, share, disseminate, modify or access info using its services’.

ISPs, search engines, online encyclopaedias, email or online storage are excluded.
22/n

#SomethingNew:

‘Data Protection Impact Assessment’ (DPIA) to be carried out by an SDF.

To have:
description of processing opn,
nature of data being processed,
purpose,
assmnt of potential harms,
measures to manage/minimize/mitigate/remove these harms
23/n

DPA to specify
(a) when a DPIA needs to be carried out and
(b) whether it needs to be done by a Data Auditor.

DPIA to be reviewed by your DPO and submitted to the DPA.

DPA has the power to stop/ put conditions on your processing operations subject to the DPIA
24/n

#SomethingNew

Data Auditors to be ‘registered’ by the DPA.

Criteria for Data Auditors to be specified.

Data Auditors to conduct audits to check compliance of DFs to the Act – details to be specified by DPA.

Also, they will assign a Data Trust Score <see below>
25/n

#SomethingNew

Data Trust Scores.

A metric for rating a DF based on a Data Audit conducted by a Data Auditor.

Criteria to be specified by the DPA. Score to be displayed on DF’s Privacy Notice
26/n

#SomethingNew

Data Protection Officers (DPOs) need to be appointed by SDFs.

They need to be based in India and would represent the organization under this Act.
27/n

Cross Border Transfers:

SPD CAN be transferred outside India, but a copy must remain in India.

Criteria:
- Explicit Consent
- Contract/intra-group scheme approved by DPA
- Country or Entity/Group approved by DPA
- SPD/Class of SPD approved for transfer by DPA for a specific purpose
28/n

Critical PD cannot be transferred outside India except
(1) for provision of health services or emergency services or
(2) Country or Entity/Group has been approved by the Central Govt (not DPA)
29/n

Exemptions from this Act for (a) processing for research, archiving, or statistical purposes (b) manual processing done by small entities

Sandbox creation by the DPA for encouraging innovation in AI, ML or any other emerging technology in public interest
30/n

Codes of Practice to promote good practices and facilitate compliance can be
(1) specified by DPA
(2) developed by Industry bodies or sectoral regulators, Statutory Authorities, Govt Depts or Ministries and approved by DPA
31/n

Penalties & Liabilities:

Up to 5 Cr / 2% of global turnover – for failure to comply with some obligations, or for not taking action in case of a breach.
32/n

Penalties & Liabilities

Up to 15 Cr / 4% of global turnover – for violations w.r.t.
-privacy principles,
-grounds of processing,
-PD of Children,
-transfer of PD outside India &
- not adhering to security safeguards.

Smaller fines for smaller violations/ contraventions
33/n

Offences:
Imprisonment up to 3 years and/or fine up to 2L for re-identification of de-identified data, or for further processing of re-identified data.
34/n

So what now?
(part 1)
- DISCOVER, IDENTIFY & MAP your PD. How much of it is PD, SPD, Critical PD, Children’s PD. How is it flowing in & flowing out. What is crossing borders. Ask ‘why’, ‘who’, ‘how’. This takes TIME!
35/n

So what now?
(part 2)
- Do a Gap Assessment vis-à-vis this Bill … plus all other laws/regulations applicable to you
- Develop a Remediation Plan
- Execute in phases. DO NOT bite off big chunks!

Need Help? Call us :)