Data Privacy Newsletter: India: The Data Protection Bill, 2021 – The Key Compliances (Part 1) – Feb 2022

The Joint Parliamentary Committee (“JPC”) released the latest version of the Data Protection Bill, 2021 (“DPB, 2021”) in December 2021. For the highlights of the latest version of the data protection law in India, refer to our newsletter (DPB 2021 – JPC Report Highlights). The DPB, 2021 has an impact on all businesses and entities collecting and processing personal data of individuals in India. Once the DPB, 2021 becomes law, any business that handles personal data and has operations dependent on personal data will have to revamp its workflows. Businesses need to approach privacy as an inherent cost of conducting business. To reduce the monetary and operational impact, organisations need to start preparing now to implement the processes and policies required to meet the mandatory compliances. The DPB, 2021 and the European Union’s General Data Protection Regulation (the “GDPR”) share certain common and basic privacy principles. The GDPR is the first and most extensive privacy law worldwide, and the DPB, 2021 has many similarities with it, including the core compliances and privacy principles. In this two-part newsletter, we provide a summary of the compliances proposed by the new privacy law in India.


1. Consent Necessary for processing of personal data

“Consent” is a critical precondition for processing the personal data of individuals. The DPB, 2021, like the GDPR, requires entities to obtain consent from individuals before starting the processing activities. Consent has to be free, informed, specific, clear and capable of being withdrawn. If the personal data collected is categorised as sensitive, then the potential for significant harm must be communicated to the individual. Individuals must be given granular control over providing consent for specific purposes.

2. Notice

All entities processing personal data must provide a “Notice”, “Privacy Statement” or “Privacy Policy” at the time of collection of personal data or, if the data is not collected directly, as soon as reasonably possible. The DPB, 2021 contains specific requirements regarding the details required in the Notice. Broadly, the Notice must contain the purpose, types of data, the identity of the entity processing the data, contact details, rights of individuals, information on data transfers, grievance redressal, etc. A properly drafted Notice is required to obtain valid Consent from individuals.

3. Purpose Limitation

“Purpose Limitation” as a privacy principle prescribes that every organisation should process personal data (i.e. use, disclose and transfer it) only for the purposes for which the individual has provided consent.

4. Limitation on the collection of personal data

“Collection Limitation” or “Data Minimisation” as a principle prescribes that personal data should be collected only to the extent necessary for processing such personal data.

5. Quality of personal data processed

“Quality of Personal Data” as a principle requires the entity processing personal data to take steps to ensure that the personal data processed is complete, accurate and updated. Additional care is required when such data is used for profiling, to form an opinion or to take decisions based on the personal data, and when the personal data is to be shared with other entities.

6. Storage Limitation

“Storage Limitation” or “Data Retention” requires entities processing personal data not to retain data beyond the period necessary to satisfy the purpose. Such personal data should be deleted once the period is complete. However, the personal data can be retained for longer periods if appropriate consent is obtained from the individual or if it is a legal requirement. Data Retention is closely linked with Data Minimisation, and periodic review of databases is a legal requirement. Obsolete data must be identified and deleted.

7. Accountability

The “Accountability” principle establishes that all entities that process personal data will be responsible for complying with the DPB, 2021 and any other rules and regulations that are subsequently passed. The Accountability principle has the sweeping effect of fixing the responsibility for complying with the regulatory framework on all entities processing personal data.
