Data Privacy Newsletter- India: The Data Protection Bill, 2021 – The Key Compliances (Part 2) – March 2022

In our previous newsletter (Key Compliances Part 1 ) we touched upon aspects such as Consent, Privacy Notice, Purpose Limitation, Data Minimisation, Data Retention and Accountability as prescribed under the proposed Data Protection Bill, 2021 (the “DPB, 2021”). In Part 2 of the Key Compliances under the DPB, 2021, we present below the key compliances for businesses and entities (collectively “Organisations”) which are collecting and processing personal data of individuals in India. India is in a transitionary stage for privacy regulations, the current Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 require a revamp to address the increasing human engagement in the digital space, growing quantum of personal data processed digitally and increasing awareness regarding privacy as a concept. Organisations in India must start the process of imbibing ‘privacy’ as a part of its culture and processesto ensure a smooth and cost-effective transition for the impending of privacy laws in India.

KEY PRIVACY COMPLIANCES IMPACTING BUSINESS

1. Privacy by Design Policy

The DPB, 2021 makes it mandatory for Organisations to create a Privacy by Design Policy. Privacy by Design requires Organisations to factor in privacy as one of the key business considerations and implement dedicated technical and organisational measures. Essentially, privacy must be embedded into a business’s practices right from the design phase throughout the entire lifecycle. Additionally, Organisations have an option to apply for a Privacy by Design Certification, which would be awarded by the Data Protection Authority (“DPA”).

2. Transparency in processing

Transparency in processing of personal data requires Organisations to mandatorily disclose and publicly publish certain information which can be communicated through a website privacy policy, pop up, email notification, etc. The DPB, 2021 provides specific requirements regarding the information that needs to be disclosed to individuals, such as categories of data, the purpose of processing, significant risks, guidance for individuals to exercise rights, rating or data trust scores, fairness of algorithms or AI based processing, etc.

3. Security Safeguards

The DPB, 2021 requires Organisations to implement security safeguards that are necessary for protecting personal information based on likelihood and severity of harm attached with the data processing activities. While the specific requirements have not been prescribed, in future, the DPA would issue specific technical standards for information security. Further the DPB, 2021 explicitly identifies the need to implement (1) de-identification, encryption methods, (2) measures to protect integrity of data and (3) measures to prevent misuse, unauthorised access, modification, disclosure and destruction of data.

4. Reporting of data breach Reports

‘Data Breach’ (including personal data and non-personal data breaches) includes unauthorised activities such as disclosure, acquisition, sharing, use alteration, destruction, loss of access etc. Any activity that compromises the confidentiality, integrity or availability of data would constitute a Data Breach. In case of Data Breaches, Organisations must mandatorily send a ‘Data Breach Notice’ to the DPA. Breach Notice: The Data Breach Notice to the DPA must be in a specific format. It must contain information about the nature of personal data, number of individuals affected, the possible consequences of the breach and the remedial actions taken. Report Timelines: The Data Breach must be reported to the DPA within 72 hours of the Organisation becoming aware of the breach. Mitigation: The DPA after considering the overall facts and severity of the breach, may direct the Organisation to inform the affected individual to help mitigate any harm. The DPA also has powers to direct the Organisation to take any urgent measures to mitigate the harm caused to individuals.

5. Grievance Redressal Mechanism

The DPB, 2021 provides a detailed Grievance Redressal Mechanism that must be implemented by the Organisation. Grievance officer and response timeline: A grievance redressal officer must be appointed by the Organisations to address and resolve any complaints, not later than thirty days from the date of receipt of such complaint. If the complaint is not resolved within the specified time the individual may file a complaint with the data Protection Authority.