Personal Data Protection Bill 2018 and its impact

The advent of technology has irreversibly changed how people and businesses interact with each other. Today, businesses worldwide are digitally transforming their operational models to stay relevant to the times and consumers have embraced an always-on mode of living where smartphones and apps have become an integral part of their daily lives. This approach has made life extremely convenient in a lot of cases but it comes with a catch.

The huge digital footprint each and every one of us leaves behind in the process includes a bevy of information that is personal, financial, and personal in nature. Recent data leaks by major Internet companies have brought to light the impact of the data we share and generate. Taking these factors into consideration, governments and regulatory bodies worldwide have started putting checks and balances in place to ensure that end users’ privacy is not compromised.

For most Internet-based companies, harnessing the power of customer data is crucial for innovation and growth. However, recent data breach incidents have raised concerns about the integrity and safety of customer data and subsequently, the privacy of individuals.

Companies and governments alike are waking up to the fact that loss or misuse of data is synonymous to loss of not just money, but also reputation. Similarly, frequent headlines of identity thefts and other forms of Internet-based attacks have resulted in a growing demand amongst consumers for the privacy and protection of the information they share.

At a time when India is becoming a major economic power, it is mandatory that there exists robust data protection laws, especially in sectors that deal with sensitive data. The cornerstone for a strong data privacy regime in India was laid last year when the Supreme Court held ‘Right to privacy’ as a fundamental right.

Further, the recent data protection framework, proposed by the Committee of experts under the chairmanship of former Supreme Court judge Justice B N Srikrishna, is the first step in India’s data privacy journey.

Introduction of the Bill

To address the fragmented legislative landscape of data protection across the European Union, the GDPR was introduced to protect data and privacy for all individuals within the EU and the EEA. The regulation impacts any organisation that does business with citizens of the EU and EEA, even if they don’t hold an office there.

This has forced organisations across the world working hard towards being 100% GDPR compliant because failure to comply implies reputational losses and a fine that could run into millions of Euros. The Personal Data Protection Bill 2018 in India aims at an approach that adopts aspects of data protection regulations put forward by the US, the EU and China, and to apply it in a way that best suits the largest democracy in the world.

However, introduction of India’s Personal Data Protection Bill 2018 adds to the number of challenges companies would have to tackle in order to business in addition to the one created by GDPR. The bill introduces a framework for India’s data protection laws, prescribing how organisations should collect, process, and store citizens’ data; it essentially makes individual consent central to data sharing. Predictably, the introduction of Personal Data Protection Bill 2018 in India took several sectors by surprise as many were still working towards GDPR compliance.

Impact on BFSI/FinTech sector

While the deadline for organisations to become GDPR compliant has passed, several sectors in India are still lagging; BFSI and FinTech being two prominent sectors that need to ensure compliance quickly; both sectors collect and / or process sensitive personal data in various forms including biometrics thus making it critical for them to take data protection seriously.

However, recent studies show that 68% of BFSI organisations have just begun preparing for GDPR changes. BFSI is among the three least responsive sectors in terms of starting their GDPR journey and preparedness. If the Personal Data Protection Bill becomes a law today, then a majority of BFSI and FinTech companies may struggle to be compliant to both the regulations, further delaying the overall process.

The proposed bill has been extensively compared with EU’s GDPR leading to several discussions about its impact across sectors. While most of the areas such as having a clear purpose of processing of personal data, consent, other rights and appointing of Data Protection Officers in organisations are taken directly from GDPR provisions, there are still a few significant differences.

• Unlike in GDPR, Indian draft legislation does not require the data fiduciary (a person, state, company, or any entity that decides why data should be processed and how it should be processed) to share the names and categories of other recipients of the personal data with the data principal (the person, company, or entity whose information is being collected).
• There is no obligation on data fiduciary to share with the data principal for how long the data will be stored while collecting or at any time, as GDPR mandates.
• The data fiduciary does not need to share the source of the personal data to the data principal in case the data has not been collected from him/her which is an explicit requirement in GDPR.
• One of the biggest differences is that in India, a citizen has not been given the right to demand his/her data to be erased. Data reassure, which is an article in itself in GDPR, does not even find a mention in the Indian draft bill.

In case of a breach, there’s no requirement by the Indian draft bill to share it with the data principal; rather, the data protection Authority shall determine whether such breach should be reported to the data principal. This is also in contrast to GDPR provisions. In the FinTech industry, this difference is critical as information involves credit card data, personal transaction history and other personal data.

In the last few years, the government has time and again sensitised the BFSI sector about adopting better cyber security postures. In 2016, RBI’s advisory to banks was to beef up security architectures and had mandated the formulation of a Cyber Crisis Management Plan (CCMP) which will address the aspects of detection, response, recovery and containment of cyber threats.

Again, this year, the Reserve Bank of India (RBI) directed international financial companies that all payments data should be stored locally in India within six months. With less than two months to go, this may get extended due to overlap with the Personal Data Protection Bill. This also impacts Indian companies that store data of Indian citizens on overseas clouds. BFSI and FinTech companies will need to relook at their processes, technologies and third-party contracts to ensure the entire ecosystem understands and abides by the new law. 

The benefits of complying

The likely challenges for BFSI and FinTech companies in India to be privacy-ready are building and maintaining a culture of privacy and allocating budgets to increase technical and administrative procedures to ensure compliance.

Since privacy and data protection requirements aren’t usually one-time actions, continued efforts will be required to sustain a privacy-enabled business environment. Doing so, it is likely to add cost as organisations will need to make investments in order to implement or strengthen operational process to meet regulatory norms.

BFSI and FinTech companies will need to relook at their existing applications, policies, and external contracts to ensure the entire ecosystem understands, abides and is able to quickly adhere to any changes in the privacy law. But as it stands, an effective data privacy policy in place serves as a great tool to build trust and while compliance might add to operational costs in the beginning, it will be good for business in the long run.

(The writer is Executive Director, i-exceed)