Data protection laws around the globe aim to empower citizens while giving organisations the opportunity to re-orient toward their basic purpose: building citizens' trust while becoming more organised. This presentation is a basic introduction to the Indian data protection Bill proposed on 27th July 2018 by the Justice Srikrishna Report.
2. Legal Disclaimer
The information contained in this presentation is provided for general information purposes only, in the interests of public service. While every
effort has been made to ensure the accuracy of the information contained, itSimple and the authors give no guarantees, undertakings or warranties in
this regard, and do not accept any liability arising from any errors or omissions. Errors or omissions brought to the notice of itSimple will be
corrected as soon as practicable.
Any views, opinions and guidance set out in this presentation are provided for general information purposes only, and do not purport to be legal
advice or a definitive interpretation of the law in any way.
dataprotection@itsimple.in
3. Coverage
What & Who
• What data is covered
• Covers personal information (data) of all residents of India
• Who is covered?
• Organizations doing significant processing of personal data of Indian residents
• Any such Indian
• Any organization present across world
• Any individual or body (registered or otherwise) doing processing of personal
information of Indian residents
16-08-2018
Data Privacy Bill Draft Highlights (Khelender Sasan, Kamal Gulati, itSimple.in)
4. Coverage
Exemptions
• Anonymized data
• Data that cannot be linked to a specific user even with additional information
• Small Organizations
• Global organizations outside India that hold Indian residents' data, but in
low volume
5. User’s Rights
• Right to Confirmation / Access
• Can ask an organization whether it holds his/her data
• Can seek the data stored by Providers
• Right to Correction
• Can request to get his/her data corrected, completed and updated
• If the request is not entertained, Provider to provide justification
• If the user contests, data to be marked as disputed by the user
• If accepted, Provider to take steps to provide updates to relevant entities
6. User’s Rights
• Portability
• User can request provider to provide data in portable format (machine
readable)
• May have specific use cases in the long term, for example medical data
• Provider may charge a fee for the service
• Forget Data
• In specific cases (decided by DPA), organizations to provide a facility for
discarding / erasure of data
• Others
• Grievance and escalation mechanisms and timelines have been set up to ensure
convenience to users
• Such mechanisms to be clearly shared
7. Provider Obligations
• Notice: All aspects related to data handling to be shared prior to capturing of
data, including
• Category of Data, Purpose, Timeline for storage
• Whether cross-border transfer is happening
• Individuals and entities with whom data is shared
• Process for consent withdrawal
• Address and contact details of the appropriate contact & authority
• Grievance and escalation procedure
• Provider’s Trust Score (if applicable)
• Data Quality
• Provider to make efforts to ensure data is correct, complete and updated
• In case a gap is detected, appropriate intimation to third parties with whom data has
been shared.
8. Provider Obligations
• Data retention
• Data to be kept only as long as required for the purpose or as per legal requirement
• When no longer required, to be discarded / deleted
• Accountability
• Need to have institutionalized mechanisms for the full life cycle of PI captured
• Capturing, safe-keeping, purposeful usage, protection, secure discarding
• Define & implement organizational structure and policies as per regulatory needs
• Data Protection Impact Assessment for any major change / addition in
system
• Data Audits on regular basis
• DPO mandatory for significant providers
9. Breach and Penalties
• Breach intimation
• Provider to notify the Authority of any breach (if likely to cause harm) as soon as possible
• Breach notification to include
• Nature of personal data
• Number of users affected
• Possible consequences
• Measures being taken by Provider for remedy
• Authority to decide whether to intimate Users
• Maximum Penalties (whichever of the following is higher)
• Five Crore Rupees
• 2% of its total worldwide turnover of the preceding financial year
10. Breach and Penalties
• Offences
• Processing of personal / sensitive personal / children's data in violation of norms
• Gaps in security safeguards
• Transfer of personal data outside India in violation of Act
• Impact due to business relationship and usage of data among Provider entities
• Maximum Penalties (whichever of the following is higher)
• Fifteen Crore Rupees
• 4% of its total worldwide turnover of the preceding financial year
11. Breach and Penalties
• Obtaining, transferring or selling of personal data contrary to the Act
• If any person / group of persons
• Knowingly / intentionally / recklessly
• Obtains / discloses / transfers / sells personal data
• Resulting in
• Significant harm to the user.
• Such a person shall be punishable with:
• imprisonment for a term not exceeding five years or
• shall be liable to a fine which may extend up to rupees three lakhs or
• both
12. Offences & Penalties
Offence
• Cognizable and Non-Bailable
• Offences under this Act shall be cognizable and non-bailable.
• Investigation
• Any offence under this Act can be investigated by a police officer not below the
rank of Inspector
13. Org Implementation
Compliance Journey…
• Awareness
• Evaluation of existing system (from PI perspective)
• Reinforcement required in security, protection and safety aspects (infra,
process, people)
• Structure to handle (people, process, tools)
• Ensuring Protection, Safety & Security
• Workflow & system updates for handling regulatory needs
• Training & Audits
This slide summarizes a few services that all organizations will need. Feel free to contact the authors regarding
service needs (consulting, implementation, trainings, etc.)
14. Contact Us
• In case of
• Queries, feedback, or comments
• Consulting requirements
• Training / Audit requirements
• Please write back to
• kamal.gulati@itsimple.in
• khelender.sasan@itsimple.in