Data Protection Bill: How Should Businesses Prepare For A New Privacy Law?
The Digital Personal Data Protection Bill may compel businesses to rethink the way they treat consent, suggest experts.
The government has finally come out with its latest version of the privacy law—the Digital Personal Data Protection Bill, 2023.
The bill, tabled before Parliament on Thursday, confers rights on individuals to protect their personal data, places obligations on entities processing such data, and lays down a complex compliance mechanism.
Although contentious, the bill—if enacted—would have implications for businesses and entities operating in the country. This will force businesses to rethink the way they treat user data, according to experts.
The bill will force businesses to put in place mechanisms to obtain and withdraw consent, provide users access to any details about the processed data, and deal with the grievances of the users. They would also need to put in place a mechanism to deal with the existing personal data and measures to secure the data.
Here are some ways for businesses to prepare for the proposed law:
Map Out Personal Data
The present bill only purports to regulate digital personal data, which basically refers to any data that helps identify an individual.
The primary task before businesses, according to experts, would be the determination of what constitutes personal data, as the bill doesn't provide an exhaustive classification of the same.
It could mean anything from an email address to a mobile number, according to Shreya Suri, a partner at Indus Law. However, it may not include anonymised data or data related to profiling as it does not contain any personal elements, she said.
Businesses will have to classify the data available to them as personal or non-personal as a primary step towards compliance once the bill comes into force.
Put In Place Consent Mechanism
The proposed privacy law puts forward a robust consent mechanism. According to it, a notice outlining the specifics and reason for the data collection must come before every request for consent.
The notice should be itemised and must not only be in English but also in Indian languages. Once collected, the data can only be used for the specific purpose for which it was collected. Further, no such data can be processed, even with consent, if such data is not material for the purpose for which it was collected.
For instance, an individual might have given consent to access his contact details while signing up for a telemedicine app. However, such data is unnecessary to provide telemedicine services. In such situations, consent would be limited by law to prevent data misuse.
This is a key provision that might force businesses to change their outlook towards personal data, according to Supratim Chakraborty, partner at Khaitan and Co.
"Businesses will have to relook at the way in which they see consent. They will have to ensure that withdrawing consent is as easy as giving it. They will also have to make sure that they have sufficient evidence to prove such consent."
Supratim Chakraborty, Partner, Khaitan and Co.
Suri, too, takes a similar stance. According to her, these limitations will require businesses to carefully curate the purpose for which consent is sought, along with the duration for which the consent will be valid.
For this, "businesses would have to put in place robust policies and data governance frameworks". She added that they will also have to limit access to the data within the organisation and actively involve employees in data management.
Install Security Measures
The obligation to take "reasonable security safeguards" to prevent any data breach is one of the key features of the proposed law. A violation of the provision can attract a penalty of up to Rs 250 crore.
However, the bill doesn't explain what these reasonable security measures are or what standards can be deemed reasonable. Suri expects that it could be something similar to the reasonable safeguards for sensitive data under the Information Technology Act, considering its reference in the bill.
Businesses would be expected to put adequate security measures in place once the bill provides further clarity on this.
Set Up Grievance Redressal Mechanism
Under the bill, businesses bear the primary responsibility for addressing individual grievances. They are expected to not only set up a grievance redressal mechanism but also communicate the same to the individuals before obtaining consent for data processing.
Individuals would be allowed to approach the Data Protection Board only after they have exhausted the business's grievance redressal mechanism. The primary onus is on the business to deal with the user grievances, said Suri.
Businesses themselves will be responsible for responding to the grievances. She said they would have to address the complaints within the time prescribed by the government.
She highlighted that the responsibilities will be even greater for entities classified as significant data fiduciaries, as they would have to not only set up a grievance redressal mechanism but also appoint a Data Protection Officer to act as a point of contact.
Manage Existing Personal Data
The present bill provides individuals with certain rights as to their personal data. Individuals will be able to access their personal data, withdraw consent at any time, or seek erasure of the same at any point. This puts certain obligations on businesses to devise mechanisms to enable the same.
"Businesses will have to put in a mechanism to respond to these requests from data principals (individuals)," said Chakraborty.
According to Suri, they will also have to put mechanisms in place to manage the already available data.
Consent must be freshly obtained for data already available with the business, and once consent is withdrawn, necessary mechanisms should be put in place to withdraw such consent, she said.