Now withdrawn by the central government, the Personal Data Protection (PDP) Bill was an upcoming law aimed at overhauling India’s current data protection regime, which is governed today by the IT Act of 2000. It would have been the country’s first dedicated data protection law, regulating how organizations collect and use individuals’ data within the country. The bill, first introduced in Parliament in 2019, was withdrawn to allow time for exploring a new “comprehensive legal framework”, after a parliamentary panel’s review of the bill had suggested 81 amendments.
What does the bill say?
The PDP bill focused on ensuring the privacy of an individual’s digital data while establishing trust between individuals and the organizations processing that data. The bill was India’s counterpart to the European General Data Protection Regulation (GDPR) and would have set the standards for how large technology organizations operate in the country.
The bill classified data into three brackets:
This classification drew resistance from social media firms, which were likely to be affected by the stricter regulation and compliance obligations the bill proposed for the technology sector.
Why is the timing for such a bill crucial, and how can organizations benefit?
- Lack of a well-defined and dedicated data protection law and regulation in the country
- Increased number of users working from home during the global lockdown, which demanded rapid digital transformation initiatives. The lack of action and awareness on the part of corporations makes the bill even more critical.
- Frequent and severe data breaches demand tighter regulation to curtail long-term consequences. Here are a few instances of significant data breaches in recent history:
- Organizations that act as thought leaders and implement these changes in their environment ahead of the bill will gain a competitive advantage and can present compliance as a differentiator
What should this PDP bill include?
- Notice: Informing users and stakeholders of the policies and mechanisms built in place to safeguard their personal information
- Prior Consent: Offering the users choice and asking for consent around the usage, processing, and management of the personal information collected
- Access: Ensuring that policies are defined so that only authorized users can access the data they are entitled to, and that all unauthorized access is restricted
- Data Collection: Ensuring that an organization collects only the bare minimum data required from the users to offer a service
- Data Localization: Data collected from users should be classified into defined brackets, and sensitive and critical data should be stored and processed only within the prescribed geography
- Appointment of Data Protection Officers: Organizations must appoint dedicated personnel to manage adherence to the regulation, and those personnel must be held accountable for any deviation from the defined framework
How to achieve compliance by leveraging your data security solutions?
A robust data security strategy built around people, processes, and technology must be implemented. The organization must impress upon its people the importance of safeguarding sensitive and critical information, which requires building security into the culture of the business. It must also leverage the right technology to protect against data theft and accidental leakage. The idea is to formulate a layered approach to data security, using multiple tools that reinforce one another.
- Understand the data’s location and identify what is sensitive: The foundation of your security strategy is locating, identifying, and classifying your data assets appropriately. The resulting classification drives the control mechanisms and security policies that the further layers of data security build on
- Control data movement and analyze risks: It is often impossible to entirely prevent the accidental sharing of sensitive information with the wrong recipient, or the external sharing of sensitive and critical data by a user without prior approval. Scenarios like these put the boundary of your organization at risk. It is vital to have a solution that performs real-time detection and scrutiny before any data is shared externally or uploaded to the cloud. An adaptive DLP solution that can identify risks across email, web, and endpoints while still allowing legitimate information to flow is helpful here. Unlike traditional DLP with its “stop and block” approach, adaptive DLP does not hinder the business or create significant admin overhead.
- Protect data while ensuring least-privilege access and use: After identifying and classifying the data and controlling the risks associated with sharing it, the next step is to protect the data as it is shared or transferred, so that it stays secure across its lifecycle. This can be achieved with email encryption tools and IRM (information rights management) solutions that integrate with classification tools, DLP tools, enterprise applications, and so on. Such tools and their centralized platforms also provide an audit trail of all activity performed on your data, which lets you close security gaps over time.
While we await a landmark law of this kind to be passed, Indian organizations must build an effective data security strategy now. Those with low levels of data protection and weak data governance need to change quickly. A layered approach to data security, combined with a people-, process- and technology-centric mindset, is the right way to approach the upcoming regulatory norms, and once compliant, an organization will find that compliance becomes a competitive advantage.