We are living in a digital age in which data is the most valued and critical asset. Data drives the entire digital world and gives us a clear picture of the past so that we can learn from it. All types of data are important because they help in decision-making, identifying mistakes, understanding individual needs, etc. So protecting data from misuse is important. It is not only the bad actors of the digital world who can misuse it; data fiduciaries can also mishandle the data.
In order to protect data and prioritize the privacy of the individual, the Ministry of Electronics and Information Technology has prepared a draft bill named the Digital Personal Data Protection Bill 2022, which sets out the rights and duties of the citizen (Digital Nagrik) and the obligations of the Data Fiduciary to use the collected data lawfully.
The proposed bill does not seek to prevent the use of personal data; it acknowledges the importance of such data in the expansion of the digital economy. The bill intends to strike a balance by safeguarding the rights of the individual while addressing the concerns of businesses that depend on using and processing personal data. It is believed that this bill will also strengthen the cybersecurity landscape of the country. The upcoming act ensures two things. First, it emphasizes notice and consent, which means that data sharing will require consent and the responsibility lies with the entities. Second, it ensures greater control over personal data.
The new bill will be presented in the Monsoon session of the Parliament. If passed by the Parliament, the bill will replace the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which were notified in 2011.
In this regard let’s take a look at how the custodians of organizational data view this bill.
Effective implementation of PDP Bill to enhance user privacy and organization accountability
Prof. Triveni Singh, IPS, SP - Cyber Crimes, UP Police
I believe the Digital Personal Data Protection Bill 2022, which is still under draft, will have a significant impact on the cybersecurity landscape in India. The bill aims to strengthen the protection of personal data and establish a framework for its processing. If implemented effectively, it can enhance user privacy, increase accountability of organizations handling personal data, and provide individuals with greater control over their information.
I believe that the Digital Personal Data Protection Bill 2022 is a positive step towards improving cybersecurity in India. The bill would help to protect the privacy of individuals and would give them more control over their personal data. It would also help to create a more secure environment for businesses to operate in.
The Act to include data privacy as fundamental right
Sanjay Kumar Das, WBCS (Executive), Managing Director, Webel; State Information Security Officer & Joint Secretary, Department of Information Technology & Electronics, West Bengal
The Digital Personal Data Protection Bill 2022 will change the information security landscape pertaining to personal data in cyberspace – Tomorrow’s necessity with today’s ramifications. The soon-to-be Act will ensure many things, but primarily the two most important – firstly, Notice & Consent, i.e., the explicit consent-based sharing of data and the onus on the fiduciaries. And the second is My Data – My Right. The Act is going to bring data under the ambit of privacy as one of the Fundamental Rights already enshrined by the landmark judgment of the Supreme Court of India in 2017. In this regard, it is pertinent to mention that our State is perhaps the first State in the Country to introduce the concept of “Data Anonymization” and to run the “Data Anonymiser Hackathon” across the country towards protection of data.
PDP bill to transform the compliance landscape
Dr. Pavan Duggal, Chairman, International Commission on Cyber Security Law
Currently, India does not have a dedicated law on cybersecurity. The Digital Personal Data Protection Bill 2022 will not be a Bill on cybersecurity and hence expecting the said Bill to work as a miracle for cyber security may not necessarily be the right step forward. The proposed Bill at best, is only a Bill for enhancing some level of protection of data, though the same could also have an ultimate impact upon cyber security.
India needs to quickly come up with dedicated new legal provisions and frameworks to deal with cybersecurity. However, there is no denying the fact that Digital Personal Data Protection Bill 2022 is going to change the compliance landscape for stakeholders. It will definitely help organisations in protecting data and also in limiting their liability and in adopting more and more proactive processes, procedures and practices for protection of all kinds of data including third party data.
A strong data privacy policy and procedures to help mitigate the risk of data breaches
Sanjeev Sinha, President - IT & Digitization, India Power Corporation
Digital Personal Data Protection Bill will enhance data privacy and security, which aligns with the goals of IPCL (India Power Corporation Ltd.) and the sector. It is the need of the hour today because of the frequent misuse of data that we see every day. It would protect individuals’ personal data and the process of organisations to collect, use or disclose personal data for legitimate purposes will get streamlined.
An organization may face legal and financial losses for data breaches. Yes, data privacy helps avoid data breaches. Data breaches can be costly for companies’ finances and reputation. A robust data privacy policy and complementary procedures give companies the security to reduce the risk of data breaches and associated costs. Also, consumers’ data is today floating so freely and there seems to be quite a misuse of this data.
Hence, the new Digital Personal Data Protection Bill will bring about significant changes to the way the data is being used.
The Act will be beneficial to both individuals and organizations
Dr. Sushil Kumar Meher, CIO, Department of Computer Facility, All India Institute of Medical Sciences (AIIMS)
The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.
This bill will help both individuals and organizations. The guidelines are clear regarding the role and responsibilities of an organization to protect individual data. There will be dedicated staff to safeguard the data, and a penalty clause in case someone is held responsible for data misuse or a leak.
• The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
• Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
• Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
• The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
• The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
• The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
The PDP Bill to direct companies to invest in cybersecurity measures to abide by the regulations
Kaustubh Dabral, Global CIO, Dabur India
The Digital Personal Data Protection Bill 2022 (PDP Bill) as per draft stage would regulate the collection, processing, and use of personal data by businesses and government agencies. It is expected to have a significant impact on the cyber security landscape in India such as increasing accountability for data controllers, establishing a Data Protection Authority to oversee data protection and enforcement, setting out restrictions on cross-border transfers of personal data, CERT-In notification requirements and many more things.
This would lead companies to invest in better cybersecurity measures to comply with the regulations and protect personal data.
We believe it will help in enhanced Customer Trust, Improved Data Management, Better Compliance and increased transparency.
The cybersecurity landscape to undergo a sea change if the Bill gets introduced
Subroto Panda, CIO, Anand and Anand
The Digital Personal Data Protection Bill 2022 is a proposed legislation which would change the way data is presently held, stored, used, and transferred. The cybersecurity landscape is going to change with the introduction of new rights and obligations with respect to data subjects and data fiduciaries. Just as every digital action has a footprint, so with the introduction of the Bill there would be the obligation to provide itemized notice to the data subjects about the purpose, nature, source and categorisation of the data so collected. With so many logs already being generated and the CERT-In guidelines already in force, this would lead to mammoth security compliance.
We, being a Law firm, can utilize the best breed of cyber resilient application which would help us to experiment and propose the legal implications and solutions required to carry out the day-to-day operations for our clients.
Implementation of the bill to provide a legal framework for data protection, privacy, and cybersecurity
Avneesh Vats, GM (IT), EESL and HEAD (IT), CESL
If the Digital Personal Data Protection Bill, or any similar legislation, is enacted in India, it is likely to have a significant impact on the cybersecurity landscape in the country. Here are some potential ways it could affect organizations:
Enhanced Data Protection: The bill is expected to introduce stricter regulations for the collection, storage, and processing of personal data. Organizations will need to adopt stronger data protection measures, such as encryption, access controls, and data minimization, to comply with the requirements. This would help improve the overall cybersecurity posture by safeguarding personal data from unauthorized access or misuse.
Mandatory Data Breach Reporting: The bill may introduce mandatory data breach reporting requirements, mandating organizations to promptly notify authorities and affected individuals in the event of a data breach. This would lead to improved incident response and facilitate better coordination in addressing cyber threats.
Accountability and Consent: The bill emphasizes the importance of obtaining explicit consent from individuals for data processing activities. Organizations will be required to demonstrate accountability in handling personal data and ensuring compliance with data protection principles. This would lead to a stronger focus on transparency, privacy, and responsible data handling practices within organizations.
Data Localization: The bill proposes the storage and processing of sensitive personal data within India, subject to certain exemptions. This requirement aims to protect sensitive data from unauthorized access and ensure data sovereignty. Organizations will need to evaluate their data storage and processing practices, potentially leading to changes in infrastructure and data management strategies.
Penalties and Enforcement: The bill introduces significant penalties for non-compliance, including fines and imprisonment for certain offenses. This can serve as a deterrent and encourage organizations to invest in robust cybersecurity measures to avoid legal consequences.
For our organization, if such a bill is enacted, being an entity under the government of India, it would provide a clearer legal framework for data protection, privacy, and cybersecurity. We would align our practices with the requirements of the legislation, implementing necessary controls and processes to ensure compliance.
The Bill to help organizations to enhance data protection practices, build customer trust and reduce risk of cyber attacks
A Shiju Rawther, CTO, SBI Mutual Fund
The Digital Personal Data Protection Bill 2022, which is still under draft, is expected to have a significant impact on the cybersecurity landscape in India. The bill aims to strengthen the protection of personal data and establish a framework for the collection, storage, and processing of personal data by businesses and the government. Here are some ways it is expected to help my organization:
Increased Accountability: The bill establishes clear guidelines for businesses to collect, store, and process personal data, making them more accountable for the protection of this data. This will help us ensure that our organization is compliant with the data protection regulations, reducing the risk of data breaches and associated penalties.
Enhanced Data Protection: The bill requires businesses to implement appropriate security measures to protect personal data, such as encryption and access controls. This will help us improve our data protection practices and reduce the risk of cyber attacks.
Improved Transparency: The bill mandates that businesses must provide individuals with clear and concise information on the collection and use of their personal data. This will help us build trust with our customers and demonstrate our commitment to protecting their privacy.
Increased Consumer Rights: The bill gives individuals greater control over their personal data, allowing them to access, correct, or delete their data. This will help us build stronger relationships with our customers by respecting their privacy preferences and expectations.
Standardized Data Protection Practices: The bill establishes a regulatory framework for data protection, making it easier for businesses to understand and comply with data protection regulations. This will help us streamline our compliance efforts and reduce the risk of legal and financial penalties.
In summary, the Digital Personal Data Protection Bill 2022 is expected to have a significant impact on the cybersecurity landscape in India. By establishing clear guidelines for businesses to protect personal data, the bill will help us improve our data protection practices, build trust with our customers, and reduce the risk of cyber attacks and associated penalties.