
Data protection has remained in the limelight, with compliance being the highest priority for every organization since the adoption of GDPR in May 2018. With the rapid growth in data usage, all countries are looking at drafting compliance requirements that will safeguard their citizens' data. The Indian Government has long been working on a comprehensive data protection law to meet global practices for data handling and protection. India has recently introduced a draft Digital Personal Data Protection Bill (DPDPB) that provides a legal framework outlining the rights and duties of citizens and the obligations of data fiduciaries to collect and use data in a lawful manner. This bill has been released for public consultation and is expected to be introduced in Parliament in 2023.

What is the need for Privacy Regulation in India?

  • With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players.
  • The need to protect India’s growing start-up ecosystem and smaller companies from the ‘burden’ of compliance costs.

Digital Personal Data Protection Bill (DPDPB)

It is a comprehensive legal framework, and its purpose is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

It makes organizations/companies accountable for the data they collect, store, analyze, and use.

Key Provisions

Below are the 10 key provisions laid out in the draft bill, each representing the importance of data collection and usage in a lawful manner.

Rights of the Data Principals under DPDPB

The rights of Data Principals are of utmost importance in any global data privacy law. The DPDPB has also laid out the Data Principal rights –

Penalties for Non-Compliance

One of the first things organizations look for in the Data Protection Bill is the cost of non-compliance. The DPDPB has laid out the penalties in the event of non-compliance as stated below:

  1. Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach – Penalty up to INR 250 crores
  2. Failure to notify the board and affected data principals in the event of a data breach – Penalty up to INR 200 crores
  3. Non-fulfilment of additional obligations in relation to children – Penalty up to INR 200 crores
  4. Non-fulfilment of additional obligations of Significant Data Fiduciary – Penalty up to INR 150 crores
  5. Non-compliance with section 16 of this act – Penalty up to INR 10 thousand
  6. Non-compliance with provisions of this act other than those listed in 1 to 5 and any rule made thereunder – Penalty up to INR 50 crores

At GS Lab | GAVS, we take a holistic approach to staying compliant with emerging privacy laws. It is important to have a proper understanding of the data flow of any data stored or processed within the organization. This provides a strong base for managing and implementing complex privacy measures. DPDPB is undoubtedly one of the more comprehensive regulations but is also vague. This leaves most organizations having to do guesswork on interpreting the regulation since it is uncharted territory. Having robust legal counsel might be one part of the solution to help with interpreting the law and avoid a speculative approach to the regulation. To go beyond a simple one-size-fits-all approach, a company’s privacy leaders must have a strong understanding of the many different privacy laws of relevant jurisdictions. Key areas of difference to focus on include what constitutes sensitive data, limits on automated data processing, legitimate bases for processing data, and the rules of consent, among other things.


An organization must not only strive for external business growth but also look internally to achieve that goal. It is important for a company to encourage innovation and take a holistic view of what would be the best approach in implementing a particular regulation. This will give rise to new ideas and keep the company fueled with what is necessary to achieve the next business goal.


Shivakumar D

Shiva has more than 10 years of experience in Operations and Consulting and is leading the Data Privacy function at GAVS. He is passionate about driving innovative solutions around Data Protection. Outside of work, he loves to travel and experience new places and cultures.

He is driven by this quote – “Your success will be determined by your own confidence and fortitude”.