Know all about the Personal Data Protection Bill

Introduction

PDP Act or Personal Data Protection Act is India's first comprehensive data protection act that ensures privacy & security of Indian citizens' personal data when used by a business. The Act also establishes a regulator where consumers can make a complaint against any business processing their data & can put huge fines on businesses upto 15 Crore or 4% of their global turnover. PDP Act applies to businesses processing personal data right from a grocery chain running a loyalty program to an e-commerce company. 

History of Privacy in India:

In 2017, the Supreme Court in the landmark Puttaswamy judgement guaranteed Right to Privacy as a fundamental constitutional right & PDP Act is the legal framework to protect the fundamental right.

After this judgment, the Government of India constituted a committee under judge Sri Krishna to formulate a data protection bill for India. The committee did public consultation in multiple cities and met businesses, and invited comments. In 2018, Sri Krishna committee published a white paper on data protection.

Who does the PDP Act apply to?

Section 2 of the PDP Act defines the applicability of the Act to both Indian & International companies based on the following criteria;

Location:

1. If you are collecting, sharing, or processing personal data within Indian territory
2. If your company, entity, or body is incorporated in India

Targeting:

1. If you are offering goods or services to Indian citizens, then PDP Act applies
2. If you are profiling Indian citizens, then PDP Act applies

Example:

1. IT Services company has customers outside India and are processing data of foreign nationals. Even though they are not processing data of Indian citizens, PDP Applies to their processing because IT company is incorporated in India.
2. Media website based out of USA is accessible in India and also advertises to Indian citizens, PDP Act will apply because the media website is offering goods or services to Indian citizens.
3. An Indian retail chain buys a product from a US company which allows them to profile people who visit the retail outlet. PDP Applies to Indian retail chain because of the location & US company providing profiling product as well.

Key Terms in PDP

Data Fiduciary: Anyone who decides the purpose of data processing, Examples include, E-Commerce companies, Media Websites, Schools, Hospitals, Banks, Insurance Companies

Data Processor: Anyone who processes data on behalf or instructions of data fiduciary. Examples include SaaS applications, Technology Consultants, Audit Firms.

Data Principal: Individual whose data is processed. Examples include customer, employee, applicants.

Data Processing: 

• Personal data which is linked or related to an individual which can be directly or indirectly be identified.
• Sensitive Personal Data: Categories of personal data which can cause harm to the individuals and require more protection.

Include: 

1. Financial Data
2. Health Data
3. Biometric Data
4. Official Identifiers like Aadhar
5. Genetic Data
6. Transgender status
7. Intersex status
8. Caste or Tribe
9. Religious Beliefs or Political affiliations

Critical Personal Data: Categories of data which require most protection as defined by the PDP Act

Data Protection Officer(DPO): An employee designated to ensure compliance with the PDP Act and provide guidance to the data fiduciary and processor

What data is covered under the PDP Act?

The first thing to remember is that the PDP Act applies to all natural persons whose data you are processing, some common examples of Data Principals are:

1. Customer: Someone who has purchased a product from you in the past
2. User: A registered user of your product
3. Employee
4. Job Applicants: 
5. Contractors or Freelancers
6. Website Visitors
7. Shop Visitors

The second thing to remember is that definition of personal data is quite wide in the PDP Act, follow the steps below to see if you are processing personal data:

Can you identify a data principal Directly via emails, name, aadhar number Indirectly via unique identifiers of your system, employee id, applicant id If Yes, all data that you can relate to the above data principal is personal data

Example 

1. An online business records a video session of a product usage of his customer and can search the video sessions of that user with a customer id, and video is personal data to the user.
2. During annual appraisals, managers give feedback on the performance of the employee, which is saved in an HRMS system against employee id; these feedbacks and opinions are personal data of the employee.

Some common personal data that you might be using are:

User Profile Data: Name, Emails, Unique Identifiers, Phone Number, Address, Date of Birth, Age

Government Identifiers: Aadhar Card, PAN Number

Contact Information: Phone Number, Email Address

Browsing Information: Clicks, Video Recordings, Time spent

Financial Information: Bank Account Numbers, VPA Address, Credit or Debit Card Details, Wallet Tokens

Transaction Information: Product Purchased, Order History

User-Generated Content: Comments, Feedback, Support Chat, Support Phone recordings

What do I need to do to comply?

Find out what data you are processing: 

‍A good starting point for PDP Compliance is by data mapping. Data Mapping is a process where you answer these questions about your organization:

Why do I process data: Start by defining your business's key processing activities where personal data is processed to achieve a business goal or purpose. Your processing activity should have these details:

1. Name: Account Management for our product or service
2. Purposes: To provide business feature or service, Prevent Fraud
3. Owner: Who owns this process?

What data do I process: Once you have the processing activity, link the data you are processing to achieve the purpose.

1. Individual Type & Data Processed: Customer & First Name, Email, Phone Number
2. Categorizing into Personal Data & Sensitive Personal Data: Personal Data

Where do I process data: Link systems or applications where you are processing the data. You should also know the locations of these systems in order to determine any cross-border data transfers.

Some examples are:

1. Database hosted on AWS USA
2. The server hosted on-premise, India
3. CRM, SaaS application by Salesforce in the USA
4. SMS Gateway application by Gupshup in India

Find a legal basis of processing in PDP Act:

Choose the appropriate legal basis based on which you are processing the data:

1. Consent
2. Employment Purposes
3. Reasonable Purposes

Apply Security Measures: Once you have determined the systems or applications that are processing data ensure you have put in security measures to protect the data from unauthorized access or breaches. 

Update your privacy notices: It's mandatory for you to inform the users at the time of collection of what data you are collecting and purposes of use with other information. Ensure your privacy notices at all data collection points, be it online or offline for customers or employees are updated and fulfil Section 7 requirements.

Ensure Privacy By Design: Compliance with the PDP Act is not a one time exercise, as your companies make changes to existing data processes or introduce new ways of processing data you have to ensure that an individual's privacy is taken into account right from the start. Create policies & procedures to ensure you achieve Privacy By Design.

Process for answering Rights requests by individuals: PDP Act gives individuals the right to access, port, correct & delete their personal data. Once you get a request, you have to honour the same within a specified time period. 

Breach Management Process: In case there is a breach of personal data, you need to report to the regulator in a short period of time. Globally these breach requirements are 72 hours, and Indian regulators might follow suit.

Appoint a Grievance Officer: You should have a method for individuals to submit complaints against your company and a grievance officer appointed to ensure they are resolved within 30 days. In case you do not resolve the complaint within 30 days or individual is not satisfied with the response, they can approach and file a complaint with the regulator.

What are Individual's Rights under PDP?

Under the PDP Act, individuals are the primary owners of the data and hence have controls over their data by the following rights:

1. Right to Confirmation & Access: A confirmation of the individual data being processed by your company and a summary of data processing, including the categories of data being processed, processing activities, recipients of data.
2. Right to Correction & Erasure: Individuals have the right to ask your company to correct or delete some personal data that you hold. 
3. Right to Data Portability: In case data was processed using automated means, individuals have the right to get a copy of their data in a machine-readable format(excel, pdf) or ask you to transfer to another company of their liking.
4. Right to be Forgotten: Individuals have the right to restrict disclosure of their personal data under certain circumstances, this right can be exercised via an order of an adjudicating officer. 

What are the fines for non-compliance?

1. Upto 15 Crore or 4% of Global Turnover: For violating data protection principles like Purpose Limitation, Data Minimization, Retention Limitation, notice requirements, consent requirements, special consent requirements for children data, failing to adhere to security safeguards or cross-border transfer requirements.
2. Upto 5 Crore or 2% of Global Turnover: For violating breach requirements, Data Protection Impact Requirements, Data Audits and appointing a DPO(for significant data fiduciary)
3. 10 Lakh per individual rights request violation: Starts at Rs. 5000/day and can go upto ten lakhs.
4. 20 Lakh for failure to furnish reports: Starts at Rs. 10,000/day and can go upto 20 lakhs.
5. Upto 1 Crore for any provision of the Act where a penalty has not been specified

Consumers can seek compensation for harms caused by companies by making a complaint to the Adjudicating Officer. In case multiple consumers have been harmed, they can file a joint complaint with the Adjudicating Officer.

Who should be responsible for compliance in your company?

It's a good idea to have one person or team responsible for PDP Compliance. A person who is familiar with the law and understands technology will be perfect. Here are some recommendations:

1. Startups/SMBs: Privacy Experts(consultants) and Founders can tie up to become compliant. Depending on the industry you can have this person full time or act as an external consultant
2. Mid-Sized companies: It would make sense to have someone work dedicatedly as a Privacy Manager or even make someone a Data Protection Officer to take care of PDP compliance. They can collaborate with security, IT, business teams and lawyers to drive compliance.
3. Enterprises: You will have to build a team for data protection reporting to the DPO. The team should comprise members from IT, Legal, Security, and even privacy leads for each department like HR, Product, Marketing.

Where to Start with PDP Compliance?

Data Mapping should be the first step of your PDP Compliance. It will give you a birds eye's view on the use of personal data by your company and the compliance obligations. Join call with our compliance expert to evaluate your PDP Act compliance readiness.