Though the introduction of the Personal Data Protection Bill is a radical step in India’s data protection journey, some pressing issues are worrying organizations.
Companies will have to comply with obligations such as establishing grounds for processing personal, sensitive and critical data, provisioning data principal rights, managing cross-border transfers, providing notices, maintaining data records, adopting privacy by design, localizing critical and sensitive data, and undergoing data audits, among other requirements. Meeting these obligations would require organizations to overhaul their existing technology, processes and operations.
“To comply with these obligations is certainly going to be a daunting task as organizations would need to tackle challenges such as managing consent, discovering structured and unstructured data spread across the organization, lack of awareness, third party management and even regulatory overlaps,” said Mini Gupta, Partner, Advisory Services at EY.
The data localization section of the bill requires data fiduciaries to store ‘one copy’ of personal data on a server or data centre located in India. Among other challenges, avers Archie Jackson, Head of IT & IS at Incedo, companies such as Facebook, Uber, Google, Twitter, Airbnb, Telegram, WhatsApp may all be required to physically host user data in India to give law enforcement easy access to this data.
Purging Data and Managing Contractors
According to Gartner, almost 30% of data is considered redundant, obsolete or trivial information (ROT), which increases the threat vectors by creating overlapping data stores and multiple channels of a breach through cloud providers and contractors.
“As India Inc awaits a clearer direction and roadmap from the government to re-engineer enterprise systems, companies will eventually need to comb through the data to purge old and redundant information to support smarter decision making, without the harrowing task of wading through unnecessary information”, said Lux Rao, Director – Solutions & Consulting, NTT India.
“Companies working with suppliers must have a clear picture of their data practices along with their partner ecosystem, which will involve audits and risk assessments around data privacy. Contracts with existing and new partners will need to be updated to reflect what data will be shared, how long it can be kept and what happens to it at the end of a contract”, added Rao.
The Bill is necessary and a big step in the right direction, believes Shejale, but given the ground realities, compliance will not be straightforward. Continuous industry feedback will help make the bill more effective and business-friendly.
Punam Shejale, Head Process Excellence & Information Risk Management, CitiusTech believes that vendor contracts will need to be amended to reflect this aspect, along with other compliance needs like data localization.
Some companies are, however, confident that the impact of the bill will be minimal given the amount of compliance they already follow. Sourav Sinha, CIO at Indigo Airlines, for example, believes that adhering to the new Data Protection Bill would not be that big of a challenge for enterprises.
“This would only lead to the rise in the number of audits & checks which were not earlier happening at many firms. It is definitely not something that the companies would need to spend huge amounts of money”, said Sinha.