Data protection in an organisation is a legal mandate that has to be executed, and companies will be expected to appoint data protection officers. These and other data protection challenges are being debated and dealt with by experts.
By Na Vijayashankar
India is on the threshold of entering the data protection era. The Personal Data Protection Bill 2019 is ready to be cleared by a Joint Parliamentary Committee, after which it is expected to be passed and notified during the budget session sometime in February 2021.
While there are several views on the provisions of the Bill, the sheer momentum building globally on the need for an “Indian Personal Data Protection Act” is too strong to resist, and the Bill will have to be passed with whatever compromises can be accommodated.
The industry needed a national debate in the form of a “Data Protection Summit”. This need is being met by the Foundation of Data Protection Professionals in India (FDPPI) through a virtual summit, the “Indian Data Protection Summit 2020” (IDPS 2020), from November 19-21. It will be the first of a series of such events to be held regularly in the years to come.
IDPS 2020 represents a new generation of conferences which are conducted entirely on the virtual platform with speakers and delegates coming from different parts of the country or abroad. FDPPI has many experts on its forum and hence, putting together an event like IDPS 2020 with a treasure of knowledge became feasible.
For the first time in the country, the summit will address the provisions of the current and emerging data protection law in India, how it compares with international laws such as the General Data Protection Regulation (GDPR) of the EU, and the critical issues of cross-border transfer of personal data. It will also discuss the challenges of developing the new career of data protection officer (DPO), a techno-legal position for which both chief technology officers/chief information security officers (CTOs/CISOs) and corporate legal counsels will be competing. The summit specifically addresses the innovative data audit concept involving computation of a data trust score, which is a unique provision of Indian law.
The conference is also set to discuss an indigenous solution, a new unified compliance framework called the Personal Data Protection Standard of India (PDPSI), which is meant to meet the need for simultaneous compliance with multiple data protection laws. This is a problem peculiar to Indian data processing companies.
Though the industry has largely ignored the Information Technology Act 2000 as amended in 2008 (ITA 2000/8), the Act already provides a framework for personal data protection through the concept of “reasonable security practices and procedures” under Section 43A, applicable to the handling of sensitive personal data or information. Additionally, Section 72A and Sections 79, 43, 66, 67C, 69, 70B, etc., handle different aspects of privacy and data protection, data retention and permitted exemptions for state surveillance, all of which are part of every data protection law.
The new Personal Data Protection Act of India, which will become effective after the Bill is passed (referred to here as PDPA 2021), will replace Section 43A of ITA 2000 and also introduce the concept of the “rights of a data principal”, along with a data protection authority to supervise compliance and impose significant fines where necessary.
This will fundamentally change the way data protection obligations are enforced compared with ITA 2000/8 and make them far more effective. Hence, organisations and professionals cannot ignore the new law the way they ignored ITA 2000/8.
As the industry is already familiar with GDPR, many professionals tend to assume that PDPA 2021 will be a copy of GDPR and, hence, that those who know GDPR also know PDPA. But in practice, PDPA 2021, going by the current draft, will differ from GDPR in many significant respects. Those who rely only on GDPR knowledge and treat PDPA 2021 compliance as a clone of the ISO 27701 framework will face serious difficulties.
It is, therefore, essential for Indian data protection professionals to unlearn at least part of their GDPR concepts such as data controller, privacy by design, etc, and re-learn the Indian concepts of data fiduciary, privacy by design policy, etc. FDPPI, being the premier knowledge partner for the data protection industry, is best placed to bring the emerging legal landscape of the Indian data protection era to the industry through this summit.
The data protection obligation of an organisation, which includes large and small IT companies, non-IT companies as well as government departments, is a legal mandate to be executed in a technical environment. Hence, professionals supervising data protection in organisations need to have a techno-legal perspective of data processing, the risks of data breach, the auditing of data protection measures, etc.
The law will require many organisations to designate a DPO, who will deal with the grievances of members of the public who are data principals of the organisation. The DPO will also represent the organisation before the data protection authority. The DPO will, therefore, be a senior professional with multiple skills, reporting to top management. Creating this position will require some internal regrouping, which will pose people-management challenges to the governance system of the organisation.
Developing the concept of data protection professionals was pioneered by organisations such as FDPPI in the form of new certification programmes.
A recent judgment of the Court of Justice of the European Union, known as the Schrems II judgment, has created a legal crisis for most data processing organisations, as GDPR is now effectively forcing a “data localisation regime” by insisting on contractual conditions that data processors find impossible to meet. Additionally, more than 130 countries have their own data protection laws.
Indian data processing companies trying to win global business are, therefore, confronted with the unenviable task of complying simultaneously with multiple data protection laws. Hence, managements are searching for a “unified compliance framework” that goes beyond GDPR-specific frameworks such as ISO 27701. Such frameworks are the new innovations in the Indian data protection management landscape, and FDPPI is helping in this regard.
The PDPSI framework incorporates the principle of “privacy protection through data protection”, along with information security principles applied to personal data with appropriate data classification. It measures compliance in the form of a Data Trust Score, which is unique to the Indian system. It also recommends gateway-level pseudonymisation and distributed responsibility for compliance within the organisation, which is especially relevant to the work-from-home architecture presently used across the industry.
Additionally, the industry has to keep in mind that personal data, once anonymised as per the standards to be specified by the data protection authority, would open up new avenues for revenue generation through the exchange of value in non-personal data. Companies implementing data protection through the PDPSI framework will be halfway to meeting the requirements of the planned data governance act, which will come up for discussion next year. Hence, this summit could be a significant breakthrough in the field of data protection law compliance.
IDPS 2020 will discuss these different aspects of data protection management, many of which are still evolving. More than 25 experts from the industry will debate them across six sessions and provide a wealth of knowledge on a scale unprecedented in India.