Feedback on Personal Data Protection Bill 2019 (Bill No 373)
submitted to JPC-31 points -23/02/2020
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in
EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Background
• Had submitted feedback on the Sep 2018 version
• Was also part of the NASSCOM Committee in Mumbai
• The following three recommendations were accepted:
• (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
• (26) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
• (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 (this definition was added)
Gap-1 Definition -Data Principal (14)
• Gap:
– "Natural person": does it cover only the living, or the dead as well?
• Impact
– Can lead to a lot of litigation
• Remedy
– Definition of "natural person" to clarify the same
• International examples
– See next slides
Gap-1
I. GDPR Recital 27 -This Regulation does not apply to the personal data of
deceased persons. Member States may provide for rules regarding the processing
of personal data of deceased persons
II. Bulgaria recognises that “in event of death of the natural person his/her rights
shall be exercised by his/her heirs", thus extending the right of access to personal
data not only to the natural person, but also to his or her family.
III. The Estonian Data Protection Act goes even further, giving a considerable amount
of freedom to an individual to decide on the use of personal data in the event of
processing personal data with the consent of a data subject. In s 12 it states: “The
consent of a data subject shall be valid during the life of the data subject and thirty
years after the death of the data subject, unless the data subject has decided
otherwise.” Furthermore, in s 13 it entitles certain family members to permit
processing of personal data after the death of the data subject, but again for no
more than thirty years after death.
IV. The Swedish Data Protection Act explicitly refers to personal data of the living,
defining personal data as “all kinds of information that directly or indirectly may be
referable to a natural person who is alive.”
V. The UK Data Protection Act defines personal data as “data which relate to a living
individual". Other member states also predominantly use the term “natural person”;
understood generally as a person having legal capacity, starting with the birth and
ending with her death.
Source for II to V: https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/#_ftn23
Gap-2 Definitions – Financial Data (18)
• Gap :
– The definition reads “means any number or other personal data”
– What is meant by “other personal data”? No clarity
• Remedy
– Delete “or other personal data”
• Interpretation
– Can it be a Customer ID?
– Can it be a UPI Virtual ID, which is already de-identified Financial data?
Gap-3 Definitions – Financial Data (18)
• Gap :
– The definition of Financial Status lacks clarity
• Impact
– Leads to differing interpretations
• Remedy
– Clarity required
• Logic
– If a loan is rejected, does it come under Financial Status?
– If the account turns NPA, is that Financial Status?
– Are Life Insurance Policy numbers Financial data, as they are issued by a Financial Institution?
– Are General Insurance policy numbers Financial data?
Gap-4 Definitions- Health Data (21)
• Gap :
– Exclusion of Blood Group needed in the definition
• Impact
– Leads to delay in medical emergencies
• Remedy
– Exclude the Blood Group from health data
• Logic
– Many companies have printed the Blood Group on Employee ID cards; huge rework
– Medical emergencies
Gap-5 Definitions- Health Data (21)
• Gap :
– Post Mortem data not covered
• Impact
– Harm and press publicity
• Remedy
– Clarity needed, or include it
• Logic
– Post mortem reports are often published in the newspapers, which may or may not cause harm
Gap-6 Definitions- Intra-group schemes (22)
• Gap :
– Intra group
• Impact
– Clarity issues
• Remedy
– Clarity needed, or include a definition
• Logic
– Used in the context of Transborder transfers. What constitutes the Intra group is not known. If trans-border intra-group transfer is allowed, why not domestic intra-group?
Gap-7 Definitions- Official identifier (26)
• Gap :
– List of Official identifiers as a schedule
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– A separate schedule
• Example
– EPFO UIN: is it Financial data or an Official identifier?
– PRAN for NPS: is it Financial data or an Official identifier?
– Income Tax PAN?
– GSTIN?
Gap-8 Definitions- Personal Data (28)
• Gap :
– Ambiguity in online identifiers
• Impact
– Avoid confusion and subjectivity for data fiduciaries
• Remedy
– A separate schedule or explanation
• Example
– GDPR Recital 30 is as follows:
– (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Gap-9 Definitions- Sensitive Personal Data (36)
• Gap :
– 4 definitions missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Define the same, or give a note (has the same meaning as defined in the xxxx Act)
• Details
– (iv) sex life;
– (v) sexual orientation;
– (x) caste or tribe;
– (xi) religious or political belief or affiliation
Gap-10 Definitions- Sensitive Personal Data (36)
• Gap :
– How to protect SPDI on the cheque shown on the slide (image not reproduced)
• Impact
– Violation from Day 1, as confidentiality of the data cannot be ensured: the cheque passes through multiple layers at the Data Principal end as well as at Fiduciaries/Processors
• Remedy
– Clarity required. Maybe an exception for physical cheques etc. But the challenge is that a cheque can be converted into an electronic image
Notice –Sec 7
(1) Every data fiduciary shall give to the data principal a notice, at the time of
collection of the personal data, or if the data is not collected from the data
principal, as soon as reasonably practicable, containing the following
information, namely—
(a) the purposes for which the personal data is to be processed;
(b) the nature and the categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact
details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw such consent, and the
procedure for such withdrawal, if the personal data is intended to be
processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to
provide such personal data, if the processing of the personal data is based
on the grounds specified in section 12 to section 14;
(f) the source of such collection, if the personal data is not collected from the
data principal;
(g) The individuals or entities including other data fiduciaries or data
processors, with whom such personal data may be shared, if
applicable;
Gap-11 Notice –Sec 7
• Gap :
– Cases where consent is not required
• Impact
– Avoid confusion for the data principal
• Remedy
– Modify Clause (1)(e)
• Details
– (e) the right of the data fiduciary to process certain data without the consent, the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14
Gap-12 Notice –Sec 7
• Gap :
– Definition of "the nature and the categories of personal data" missing
• Impact
– Avoid confusion for data fiduciaries
– Does "nature" mean the data elements, like gender? Does "category" mean personal data, sensitive personal data and critical personal data as defined in the Bill?
• Remedy
– Explanation or rewording required
• Details
– (b) the nature and the categories of personal data being collected;
Notice –Sec 7 (contd.)
(h) information regarding any cross-border transfer of the personal data that
the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data will be retained in terms of section 9
or where such period is not known, the criteria for determining such period;
(j) the existence of and procedure for the exercise of data principal rights
mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be
assigned to the data fiduciary under sub section (5) of Sec 29 ; and
(n) any other information as may be specified by the Authority.
(2) Shall be clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.
(3) Shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12.
Gap-13 Notice –Sec 7
• Gap :
– Standardisation
• Impact
– Avoid confusion for data fiduciaries/principals
• Remedy
– Rewording required
• Details
– (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V in terms of Section 17 to Section 21 and any related contact details for the same
Gap-14 Notice –Sec 7
• Gap :
– Elements of the Notice missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Add the same in the Act
• Explanation
– The right of the data fiduciary to anonymise the data and use it for predictive analysis, big data etc. should be inserted
– Also that the obligations of the Act do not apply to anonymised data
– No consent will be required for anonymising the data
– The obligation of the data fiduciary to apply the security safeguards in terms of Section 24 (the methods of de-identification of data, so as to enhance transparency and trust, wherever applicable)
Gap -15 Notice –Sec 7
• (2) The data fiduciary shall provide the information as required under this section to
the data principal in a clear and concise manner that is easily comprehensible to a
reasonable person and in multiple languages where necessary and practicable
• Gap :
– Ambiguous statement
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Clarity required
• Explanation
– Who decides what is “necessary and practicable” in “multiple languages where necessary and practicable”?
Gap-16 Sec 9 - Data storage limitation
(4) Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified
• Gap :
– Implementation hurdle
• Impact
– Penalties at a future date for non-compliance
• Remedy
– Clarity required in the Act
• Explanation
– Physical deletion or logical deletion?
– Physical deletion is ruled out in most cases and the cost of implementation is high
– Logical deletion will give rise to referential integrity checks
– What about deletion from all the backups taken, say, over the last n years and archived? How will that be achieved?
– Any cut-off date for deletion related to the passing of the bill needs to be explored and cannot be retrospective
– Everybody will be non-compliant from day 1
– Right of the data fiduciary to store the data even if the service is not provided, for example when a loan is rejected or an account opening is rejected: as per regulatory requirement the data needs to be preserved for audit purposes and the regulator comes and checks that as well. This is not under any law
Gap-17 Sec 11. Consent
11. Processing of personal data on the basis of consent.—
(1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing
• Gap :
– Can any person authorised by the Data Principal give the consent?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– The Indian Contract Act has the concept of Power of Attorney
– The BFSI segment works on Power of Attorney
– No clarity whether the consent can be given by a POA holder
– In the financial services industry there are two approaches:
• 1. Banks open accounts based on the signature of the POA holder
• 2. Depository accounts cannot be opened by a POA holder
– Absolute clarity required on the same
Gap-18 Sec 11. Consent
• Gap :
– Processing includes ‘use’ of data, which can lead to implementation hurdles
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– Four types of processing:
1. Account opening (Non-Financial Transaction)
2. Transaction (Financial Transaction – one-time, System generated/Fiduciary induced)
3. Transaction (Financial Transaction – recurring, System generated/Fiduciary induced)
4. Transaction (Financial Transaction – Customer induced)
– In cases 2 and 3, will consent be required every time for processing, like Recurring Deposits in Banks or SIPs in Mutual Funds?
– In case 4, if the customer signs a cheque and gives it to the bank, can it be construed as implied consent?
– Similarly, employees' monthly salary and statutory payment processing
S13 Employment Related
(1) Notwithstanding anything contained in section 11, and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed if such processing is necessary for -
(a) recruitment or termination of employment of a data principal by the data fiduciary;
(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;
(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or
(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
(2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is
– not appropriate having regard to the employment relationship between the data fiduciary and the data principal; or
– would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.
Gap-19 Sec 13- Employment related
• Gap :
– Clarity required
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– What is "disproportionate effort"?
– Will monthly payroll processing require consent?
– Why is the attendance record specifically mentioned?
– Is a one-time consent required from employees?
– In the notice to employees we can make it clear that referral checks and others do not need consent as per this section. This section is also part of the notice
– Does termination of an employee amount to withdrawal of consent by default?
– What about Notice at the time of entering into the contract? Is Notice necessary for outsourcing activities like payroll processing to a third party?
– Will a separate notice as per Sec 7 be required for employment?
S14. Reasonable Purposes
(2) For the purpose of sub-section (1), the expression
"reasonable purposes" may include—
(a) prevention and detection of any unlawful activity including
fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines
Under such circumstances the Notice under section 8 would not apply and consent may not be required. Also, consent may not be possible.
Gap-20 Sec 14- Reasonable Purpose
• Gap :
– The Nominee's personal details shared should also be outside the purview of Consent and treated as a Reasonable Purpose. Addition required
• Impact
– Room for violation and litigation
• Remedy
– Add the following clause:
– “the consent of the Nominee is not required for the sharing of Nominee details by the Data principal where the nominee is mandated by statute”
• Explanation
– Requiring consent of the Nominee can lead to a huge social problem in the country, leading to family disputes
– Nobody informs the Nominee that he/she has been nominated
– Nomination is very common in Banking/Mutual Fund/Insurance
– In employment, PF/Gratuity/NPS etc. require nominations
– Even housing societies are now insisting on nominations
Gap-21 Sec 14- Reasonable Purpose
• Gap :
– “(e) credit scoring” is very open-ended
• Impact
– Every Fintech/NBFC/Financial Institution, in the garb of Credit Scoring, will start collecting data
• Remedy
– Add the following clause:
– “Credit scoring as mandated by The Credit Information Companies (Regulation) Act 2005 and related Rules and Regulations in this regard”
Gap-22 Sec 14- Reasonable Purpose
• Gap :
– “(h) the operation of search engines” is not correct
• Impact
– This will be a big technical loophole
• Remedy
– Delete this
• Explanation
– Periodic action-based consent will be required
– An off-track example is Ola/Uber asking for consent every time
– This is the first step of profiling by the search engines
Gap-23 Sec 16 (2)-Parental Consent
(2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations.
• Gap :
– What happens when the child attains majority?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required as to what happens to the consent once the child attains majority
– What is the mechanism?
– Are the notice and consent freshly required from the Major?
• Explanation
– Something similar to the Aadhaar Act can be implemented, where the minor has the right, within 6 months of attaining majority, to request deletion of the Aadhaar
Gap-24 Sec 20-Right to be forgotten
• Gap :
– The section heading talks about the Right to be forgotten but the clause talks about “the right to restrict or prevent”
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– GDPR Article 17 has more clarity. However, the word "erasure" is used synonymously there. In our bill, erasure is also mentioned in a separate context
– Too much confusion in our bill regarding erasure. Please bring in some clarity
Gap-25 Sec 26-Right to data portability
• Gap :
– There is no standard interoperable structure in the country to enable the implementation of data portability
• Impact
– Will remain good on paper only
• Remedy
– Add sub-section (3) as follows:
– “(3) The Authority has the right to define the interoperable standards to facilitate data portability”
• Explanation
– UIDAI has done a lot of work on standardisation as far as demographic standards are concerned. Refer
– http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf
– Even for consent, MeitY has come out with the Electronic Consent framework
Gap-26 Sec 28- Records of Processing
• Gap :
– Why only Fiduciaries? It should include processors as well
• Impact
– Confusion
• Remedy
– Add processors as well
• Explanation
– GDPR Art 30 has two sections, one for the Controller and the other for the processor
Gap-27 Sec 29. Data Audits vs Certification
• Gap :
– The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which are getting repealed due to this Act, have provisions for both Audit and Certification (refer rule 8, next slide)
• Remedy
– Implement Certification or Audit after necessary modification
• Explanation
– There is a new standard, ISO 27701, for Privacy Information Management Systems, which is an extension of ISO 27001
Rule 8 -SPDI
(1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(2) The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when significant upgradation of its process and computer resource
Gap-28 Sec 30. DPO
“30. (1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the….”
• Gap :
– On roll or on contract basis?
– Can there be a single DPO in the case of group companies?
– Reporting structure of the DPO: typically to the Risk or Compliance Department
– What about processors? Do they not need a DPO? It should apply to them also
• Remedy
– Include these aspects as sub-clauses
• Explanation
– Refer Article 37 of GDPR, which has a lot of clarity
Gap-29 Sec 35. Exemption
• Gap :
– Fear/perception of misuse of the provisions of this Act
• Remedy
– A provision similar to Sec 33 sub-section (1) of the Aadhaar Act, wherein a Judge of the High Court can order the disclosure of information. Similarly, sub-section (2) of Sec 33, under which disclosure can be ordered by the Secretary to the Government of India, to be suitably substituted
Gap-30 Sec 57 Type of Penalties
• The fiduciary is categorized as:
– Significant
– Small Entity
– Guardian
– Normal (which does not fall in the three categories)
• Personal data is categorized as:
– Personal data
– Sensitive Personal data
– Critical Data
• This means that there are 12 types of data breaches (4 * 3)
– The penalty should also be logically split into 12 categories and not one size fits all
Gap-31 Sec 91-Anonymised personal data
• Gap :
– This anonymised data will be of junk value and cannot be used unless the entire universe uses a common algorithm for anonymisation
– Also, the anonymisation algorithm will have to be shared
– Including Non-Personal Data is opening a Pandora's Box
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– More clarity required
https://www.youtube.com/watch?v=eMKiebYrvhU
nmds@bestfitsolutions.in
09820409261
Thank you
Watch capsule module on: https://www.youtube.com/watch?v=eMKiebYrvhU

Financial Poise
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
Ulf Mattsson
 
GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?
MicheleNati
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
AltheimPrivacy
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Economic Laws Practice
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 

Similar to Feedback on Personal Data Protection Bill 2019 (20)

Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback  on Draft Personal Data Protection Bill 2018 submitted to MEITYFeedback  on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
Data Privacy Laws in Vietnam - The Basics & Guidance For Practical Handling
Data Privacy Laws in Vietnam - The Basics & Guidance For Practical HandlingData Privacy Laws in Vietnam - The Basics & Guidance For Practical Handling
Data Privacy Laws in Vietnam - The Basics & Guidance For Practical Handling
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 

More from Nanda Mohan Shenoy

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
Nanda Mohan Shenoy
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
Nanda Mohan Shenoy
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
Nanda Mohan Shenoy
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
 
Digitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedbackDigitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedback
Nanda Mohan Shenoy
 
IS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptxIS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptx
Nanda Mohan Shenoy
 

More from Nanda Mohan Shenoy (20)

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
 
Digitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedbackDigitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedback
 
IS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptxIS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptx
 

Recently uploaded

Bristol degree offer diploma Transcript
Bristol degree offer diploma TranscriptBristol degree offer diploma Transcript
Bristol degree offer diploma Transcript
geesuk
 
Westminster degree offer diploma Transcript
Westminster degree offer diploma TranscriptWestminster degree offer diploma Transcript
Westminster degree offer diploma Transcript
geesuk
 
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
Dr. Oliver Massmann
 
Birmingham degree offer diploma Transcript
Birmingham degree offer diploma TranscriptBirmingham degree offer diploma Transcript
Birmingham degree offer diploma Transcript
pehqgou
 
Internal Audit report 80-81 Third Quarter Final.docx
Internal Audit report 80-81 Third Quarter Final.docxInternal Audit report 80-81 Third Quarter Final.docx
Internal Audit report 80-81 Third Quarter Final.docx
NIRAJANSHAHI2
 
Esipf Consultants: Best Epf Consultancy Service In Delhi
Esipf Consultants: Best Epf Consultancy Service In DelhiEsipf Consultants: Best Epf Consultancy Service In Delhi
Esipf Consultants: Best Epf Consultancy Service In Delhi
esipfconsultantsoffp
 
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdfMd_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
bhavenpr
 
Law-Commission-Report-267-on-Hate-Speech.pdf
Law-Commission-Report-267-on-Hate-Speech.pdfLaw-Commission-Report-267-on-Hate-Speech.pdf
Law-Commission-Report-267-on-Hate-Speech.pdf
bhavenpr
 
UNTEC biyezheng degree offer diploma Transcript
UNTEC biyezheng degree offer diploma TranscriptUNTEC biyezheng degree offer diploma Transcript
UNTEC biyezheng degree offer diploma Transcript
qpeqmso
 
California Baptist University degree offer diploma Transcript
California Baptist University degree offer diploma TranscriptCalifornia Baptist University degree offer diploma Transcript
California Baptist University degree offer diploma Transcript
qgoomz
 
The Art Institute of California degree offer diploma Transcript
The Art Institute of California degree offer diploma TranscriptThe Art Institute of California degree offer diploma Transcript
The Art Institute of California degree offer diploma Transcript
qgoomz
 
Occupational Safety and Health Act (Amendment) 2022
Occupational Safety and Health Act (Amendment) 2022Occupational Safety and Health Act (Amendment) 2022
Occupational Safety and Health Act (Amendment) 2022
NguokYingNgu1
 
BCU degree offer diploma Transcript
BCU degree offer diploma TranscriptBCU degree offer diploma Transcript
BCU degree offer diploma Transcript
pehqgou
 
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie LondonDallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
ReggieLondon Lawyer
 
The Role of Police Misconduct Attorneys in Seeking Justice
The Role of Police Misconduct Attorneys in Seeking JusticeThe Role of Police Misconduct Attorneys in Seeking Justice
The Role of Police Misconduct Attorneys in Seeking Justice
Steering Law
 
shwetha case hmt.docx human resouce management
shwetha case hmt.docx human resouce managementshwetha case hmt.docx human resouce management
shwetha case hmt.docx human resouce management
ShwethaGy2
 
cyber law and ethics regulation of the connected world
cyber law and ethics regulation of the connected worldcyber law and ethics regulation of the connected world
cyber law and ethics regulation of the connected world
JeneferAlan1
 
Buckingham degree offer diploma Transcript
Buckingham degree offer diploma TranscriptBuckingham degree offer diploma Transcript
Buckingham degree offer diploma Transcript
geesuk
 
UofT biyezheng degree offer diploma Transcript
UofT biyezheng degree offer diploma TranscriptUofT biyezheng degree offer diploma Transcript
UofT biyezheng degree offer diploma Transcript
qpeqmso
 
Westminster degree offer diploma Transcript
Westminster degree offer diploma TranscriptWestminster degree offer diploma Transcript
Westminster degree offer diploma Transcript
pehqgou
 

Recently uploaded (20)

Bristol degree offer diploma Transcript
Bristol degree offer diploma TranscriptBristol degree offer diploma Transcript
Bristol degree offer diploma Transcript
 
Westminster degree offer diploma Transcript
Westminster degree offer diploma TranscriptWestminster degree offer diploma Transcript
Westminster degree offer diploma Transcript
 
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
MAKING LARGE-SCALE SOLAR PROJECTS VIABLE IN VIETNAM: INNOVATIVE APPROACHES IN...
 
Birmingham degree offer diploma Transcript
Birmingham degree offer diploma TranscriptBirmingham degree offer diploma Transcript
Birmingham degree offer diploma Transcript
 
Internal Audit report 80-81 Third Quarter Final.docx
Internal Audit report 80-81 Third Quarter Final.docxInternal Audit report 80-81 Third Quarter Final.docx
Internal Audit report 80-81 Third Quarter Final.docx
 
Esipf Consultants: Best Epf Consultancy Service In Delhi
Esipf Consultants: Best Epf Consultancy Service In DelhiEsipf Consultants: Best Epf Consultancy Service In Delhi
Esipf Consultants: Best Epf Consultancy Service In Delhi
 
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdfMd_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
Md_Rahim_Ali_v_State_of_Assam_and_ors-1.pdf
 
Law-Commission-Report-267-on-Hate-Speech.pdf
Law-Commission-Report-267-on-Hate-Speech.pdfLaw-Commission-Report-267-on-Hate-Speech.pdf
Law-Commission-Report-267-on-Hate-Speech.pdf
 
UNTEC biyezheng degree offer diploma Transcript
UNTEC biyezheng degree offer diploma TranscriptUNTEC biyezheng degree offer diploma Transcript
UNTEC biyezheng degree offer diploma Transcript
 
California Baptist University degree offer diploma Transcript
California Baptist University degree offer diploma TranscriptCalifornia Baptist University degree offer diploma Transcript
California Baptist University degree offer diploma Transcript
 
The Art Institute of California degree offer diploma Transcript
The Art Institute of California degree offer diploma TranscriptThe Art Institute of California degree offer diploma Transcript
The Art Institute of California degree offer diploma Transcript
 
Occupational Safety and Health Act (Amendment) 2022
Occupational Safety and Health Act (Amendment) 2022Occupational Safety and Health Act (Amendment) 2022
Occupational Safety and Health Act (Amendment) 2022
 
BCU degree offer diploma Transcript
BCU degree offer diploma TranscriptBCU degree offer diploma Transcript
BCU degree offer diploma Transcript
 
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie LondonDallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
Dallas Criminal Attorney | Frisco Criminal Attorney- Reggie London
 
The Role of Police Misconduct Attorneys in Seeking Justice
The Role of Police Misconduct Attorneys in Seeking JusticeThe Role of Police Misconduct Attorneys in Seeking Justice
The Role of Police Misconduct Attorneys in Seeking Justice
 
shwetha case hmt.docx human resouce management
shwetha case hmt.docx human resouce managementshwetha case hmt.docx human resouce management
shwetha case hmt.docx human resouce management
 
cyber law and ethics regulation of the connected world
cyber law and ethics regulation of the connected worldcyber law and ethics regulation of the connected world
cyber law and ethics regulation of the connected world
 
Buckingham degree offer diploma Transcript
Buckingham degree offer diploma TranscriptBuckingham degree offer diploma Transcript
Buckingham degree offer diploma Transcript
 
UofT biyezheng degree offer diploma Transcript
UofT biyezheng degree offer diploma TranscriptUofT biyezheng degree offer diploma Transcript
UofT biyezheng degree offer diploma Transcript
 
Westminster degree offer diploma Transcript
Westminster degree offer diploma TranscriptWestminster degree offer diploma Transcript
Westminster degree offer diploma Transcript
 

Feedback on Personal Data Protection Bill 2019

1. Feedback on Personal Data Protection Bill 2019 (Bill No 373) submitted to JPC - 31 points - 23/02/2020
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director

2. Background
• Had submitted feedback on the Sep 2018 version
• Was also part of the NASSCOM Committee in Mumbai
• The following three recommendations were accepted:
  – (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
  – (26) "official identifier" means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
  – (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 (this definition was added)

3. Gap-1 Definition - Data Principal (14)
• Gap:
  – Natural person: what about living or dead?
• Impact:
  – Can lead to a lot of litigation
• Remedy:
  – Definition of "natural person" to clarify the same
• International examples:
  – See next slides

4. Gap-1
I. GDPR Recital 27: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
II. Bulgaria recognises that "in event of death of the natural person his/her rights shall be exercised by his/her heirs", thus extending the right of access to personal data not only to the natural person, but also to his or her family.
III. The Estonian Data Protection Act goes even further, giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject. In s 12 it states: "The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise." Furthermore, in s 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but again for no more than thirty years after death.
IV. The Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as "all kinds of information that directly or indirectly may be referable to a natural person who is alive."
V. The UK Data Protection Act defines personal data as "data which relate to a living individual". Other member states also predominantly use the term "natural person", understood generally as a person having legal capacity, starting with birth and ending with death.
Source for II to V: https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/#_ftn23
5. Gap-2 Definitions - Financial Data (18)
• Gap:
  – "means any number or other personal data"
  – What is meant by "other personal data"? No clarity.
• Remedy:
  – Delete "or other personal data"
• Interpretation:
  – Can it be a customer ID?
  – Can it be a UPI virtual ID, which is already de-identified financial data?

6. Gap-3 Definitions - Financial Data (18)
• Gap:
  – "Financial status" definition lacks clarity
• Impact:
  – Leads to interpretation
• Remedy:
  – Clarity required
• Logic:
  – If a loan is rejected, does it come under financial status?
  – If the account turns NPA, is that financial status?
  – Are life insurance policy numbers financial data, as they are issued by a financial institution?
  – Are general insurance policy numbers financial data?

7. Gap-4 Definitions - Health Data (21)
• Gap:
  – Exclusion of blood group needed in the definition
• Impact:
  – Leads to delay in medical emergencies
• Remedy:
  – Exclude the blood group from health data
• Logic:
  – Many companies have printed the blood group on employee ID cards. Huge rework.
  – Medical emergency

8. Gap-5 Definitions - Health Data (21)
• Gap:
  – Post-mortem data not covered
• Impact:
  – Harm and press publicity
• Remedy:
  – Need clarity, or include it
• Logic:
  – Post-mortem reports are often published in the newspapers, which may or may not cause harm
9. Gap-6 Definitions - Intra-group Schemes (22)
• Gap:
  – Intra-group
• Impact:
  – Clarity issues
• Remedy:
  – Need clarity, or include it
• Logic:
  – Used in the context of trans-border transfer. What constitutes the intra-group is not known. If trans-border intra-group transfer is allowed, why not domestic intra-group?

10. Gap-7 Definitions - Official Identifier (26)
• Gap:
  – List of official identifiers as a schedule
• Impact:
  – Avoid confusion for data fiduciaries
• Remedy:
  – A separate schedule
• Example:
  – EPFO UIN: is it financial data or an official identifier?
  – PRAN for NPS: is it financial data or an official identifier?
  – Income Tax PAN
  – GSTIN?

11. Gap-8 Definitions - Personal Data (28)
• Gap:
  – Ambiguity in online identifiers
• Impact:
  – Avoid confusion and subjectivity for data fiduciaries
• Remedy:
  – A separate schedule or explanation
• Example:
  – GDPR Recital 30 is as follows:
  – (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

12. Gap-9 Definitions - Sensitive Personal Data (36)
• Gap:
  – 4 definitions missing
• Impact:
  – Avoid confusion for data fiduciaries
• Remedy:
  – Define the same, or give a note ("has the same meaning as defined in the xxxx Act")
• Details:
  – (iv) sex life; (v) sexual orientation; (x) caste or tribe; (xi) religious or political belief or affiliation

13. Gap-10 Definitions - Sensitive Personal Data (36)
• Gap:
  – How to protect SPDI on the cheque shown on the slide (cheque image not reproduced in this transcript)
• Impact:
  – Violation from day 1, as confidentiality of the data cannot be ensured: the cheque passes through multiple layers at the data principal end as well as at fiduciaries/processors
• Remedy:
  – Clarity required. Maybe an exception for physical cheques etc. But the challenge is that a cheque can be converted into an electronic image.
14. Notice - Sec 7
(1) Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely:
(a) the purposes for which the personal data is to be processed;
(b) the nature and the categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14;
(f) the source of such collection, if the personal data is not collected from the data principal;
(g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;

15. Gap-11 Notice - Sec 7
• Gap:
  – Cases where consent is not required
• Impact:
  – Avoid confusion for the data principal
• Remedy:
  – Modify clause (1)(e)
• Details:
  – (e) the right of the data fiduciary to process certain data without consent, the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14

16. Gap-12 Notice - Sec 7
• Gap:
  – Definition of "the nature and the categories of personal data" missing
• Impact:
  – Avoid confusion for data fiduciaries
  – Does "nature" mean the data elements, like gender? Does "category" mean personal data, sensitive personal data and critical personal data as defined in the Bill?
• Remedy:
  – Explanation or rewording required
• Details:
  – (b) the nature and the categories of personal data being collected;

17. Notice - Sec 7
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data will be retained in terms of section 9 or where such period is not known, the criteria for determining such period;
(j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of Sec 29; and
(n) any other information as may be specified by the Authority.
(2) Shall be clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.
(3) Shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12.

18. Gap-13 Notice - Sec 7
• Gap:
  – Standardisation
• Impact:
  – Avoid confusion for data fiduciaries/principals
• Remedy:
  – Rewording required
• Details:
  – (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V in terms of Section 17 to Section 21 and any related contact details for the same
19. Gap-14 Notice – Sec 7
• Gap:
– Elements of the notice are missing
• Impact
– Confusion for data fiduciaries
• Remedy
– Add the following to the Act
• Explanation
– The right of the data fiduciary to anonymise the data and use it for predictive analysis, big data etc. should be inserted
– The obligations of the Act do not apply to anonymised data
– No consent will be required for anonymising the data
– The obligation of the data fiduciary to apply the security safeguards in terms of section 24 (the methods of de-identification of data, so as to enhance transparency and trust, wherever applicable)
20. Gap-15 Notice – Sec 7
• (2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable
• Gap:
– Ambiguous statement
• Impact
– Confusion for data fiduciaries
• Remedy
– Clarity required
• Explanation
– Who decides what is "necessary" or "practicable" in "multiple languages where necessary and practicable"?
21. Gap-16 Sec 9 – Data storage limitation
• (4) Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified
• Gap:
– Implementation hurdle
• Impact
– Penalties at a future date for non-compliance
• Remedy
– Clarity required in the Act
• Explanation
– Physical deletion or logical deletion?
– Physical deletion is ruled out in most cases and the cost of implementation is high
– Logical deletion will give rise to referential integrity checks
– What about deletion from all the backups taken, say, over the last n years and archived? How will that be achieved?
– Any cut-off date for deletion related to the passing of the Bill needs to be explored and cannot be retrospective
– Everybody will be non-compliant from day 1
– Right of the data fiduciary to store the data even if the service is not provided, for example when a loan is rejected or an account opening is rejected: as per regulatory requirement the data needs to be preserved for audit purposes and the regulator checks that as well. This is not under any law
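The three implementation questions above (physical versus logical deletion, referential integrity, and backups taken before a deletion request) can be shown concretely. The following is an added example, not part of the submission or of the Bill: it uses an in-memory SQLite database with a hypothetical, constructed bank schema (a `principal` table referenced by a `ledger` table that must be retained for audit) and shows that a physical DELETE fails under a foreign key, that a logical deletion (overwrite the personal data, keep the row) preserves the ledger, and that a backup snapshot taken before the request still holds the personal data until the erasure is replayed onto it.

```python
"""Physical vs logical deletion under referential integrity, and the backup problem.

Added example (not from the submission): in-memory SQLite with constructed data
for a hypothetical bank schema. Python standard library only.
"""
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: a principal row is referenced by ledger rows, and the
# ledger must be kept for audit even after the principal asks for deletion.
SCHEMA = """
CREATE TABLE principal (
    id         INTEGER PRIMARY KEY,
    name       TEXT,
    email      TEXT,
    deleted_at TEXT                 -- NULL while the record is live
);
CREATE TABLE ledger (
    id           INTEGER PRIMARY KEY,
    principal_id INTEGER NOT NULL REFERENCES principal(id),
    amount       INTEGER NOT NULL
);
"""


def new_db() -> sqlite3.Connection:
    """Create the database with foreign keys enforced and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores REFERENCES unless this is on
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO principal VALUES (1, 'A. Principal', 'a@example.com', NULL)")
    conn.execute("INSERT INTO ledger VALUES (1, 1, 5000), (2, 1, -1200)")
    conn.commit()
    return conn


def physical_delete(conn: sqlite3.Connection, principal_id: int) -> bool:
    """Hard-delete the principal row. Returns False if referential integrity blocks it."""
    try:
        conn.execute("DELETE FROM principal WHERE id = ?", (principal_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:   # "FOREIGN KEY constraint failed": ledger rows still point here
        conn.rollback()
        return False


def logical_delete(conn: sqlite3.Connection, principal_id: int) -> None:
    """Keep the row so ledger rows stay valid, but overwrite the personal data in it."""
    conn.execute(
        "UPDATE principal SET name = NULL, email = NULL, deleted_at = ? WHERE id = ?",
        (datetime.now(timezone.utc).isoformat(), principal_id),
    )
    conn.commit()


def take_backup(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Snapshot the whole database, as a nightly backup job would."""
    snapshot = sqlite3.connect(":memory:")
    conn.backup(snapshot)
    snapshot.execute("PRAGMA foreign_keys = ON")
    return snapshot


def replay_erasures(conn: sqlite3.Connection, erased_ids) -> None:
    """Re-apply recorded deletions to a restored backup; without this step the
    restored copy silently resurrects the personal data."""
    for pid in erased_ids:
        logical_delete(conn, pid)


def email_of(conn: sqlite3.Connection, principal_id: int):
    row = conn.execute("SELECT email FROM principal WHERE id = ?", (principal_id,)).fetchone()
    return row[0] if row else None


def ledger_count(conn: sqlite3.Connection, principal_id: int) -> int:
    return conn.execute("SELECT COUNT(*) FROM ledger WHERE principal_id = ?",
                        (principal_id,)).fetchone()[0]


def demo() -> dict:
    """Walk a deletion request through a database that already has a backup."""
    live = new_db()
    snapshot = take_backup(live)                # backup taken before the request arrives
    hard_ok = physical_delete(live, 1)          # False: ledger rows reference principal 1
    logical_delete(live, 1)                     # personal data gone from the live copy
    erasure_log = [1]                           # tombstones to replay on any restore
    before_replay = email_of(snapshot, 1)       # backup still holds 'a@example.com'
    replay_erasures(snapshot, erasure_log)
    return {
        "physical_delete_succeeded": hard_ok,
        "live_email": email_of(live, 1),
        "backup_email_before_replay": before_replay,
        "backup_email_after_replay": email_of(snapshot, 1),
        "ledger_rows_retained": ledger_count(live, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The erasure log is the practical answer to the backup question: a fiduciary cannot rewrite archived media, but it can record every deletion and replay the log on any restore before the data is put back into service. The ledger rows survive the logical deletion, which is what the audit retention argument above requires.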
22. Gap-17 Sec 11 – Consent
• 11. Processing of personal data on the basis of consent. (1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing
• Gap:
– Can any person authorised by the data principal give the consent?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– The Indian Contract Act has the concept of Power of Attorney
– The BFSI segment works on Power of Attorney
– No clarity whether the consent can be given by a POA holder
– In the financial services industry there are two approaches:
1. Banks open accounts based on the signature of the POA holder
2. Depository accounts cannot be opened by a POA holder
– Absolute clarity is required on the same
23. Gap-18 Sec 11 – Consent
• Gap:
– Processing includes "use" of data, which can lead to implementation hurdles
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– Four types of processing:
1. Account opening (non-financial transaction)
2. Transaction (financial transaction, one-time, system generated/fiduciary induced)
3. Transaction (financial transaction, recurring, system generated/fiduciary induced)
4. Transaction (financial transaction, customer induced)
– In cases 2 and 3, will consent be required every time the processing runs, e.g. recurring deposits in banks or SIPs in mutual funds?
– In case 4, if the customer signs a cheque and gives it to the bank, can that be construed as implied consent?
– Similarly, employees' monthly salary and statutory payment processing
24. S13 Employment related
(1) Notwithstanding anything contained in section 11, and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed if such processing is necessary for
(a) recruitment or termination of employment of a data principal by the data fiduciary;
(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;
(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or
(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
(2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal
– is not appropriate having regard to the employment relationship between the data fiduciary and the data principal; or
– would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.
25. Gap-19 Sec 13 – Employment related
• Gap:
– Clarity required
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– What is a "disproportionate effort"?
– Will monthly payroll processing require consent?
– Why is the attendance record specifically mentioned?
– Is a one-time consent required from employees?
– In the notice to employees it can be made clear that reference checks and the like do not need consent as per this section. This section is also part of the notice
– Does termination of an employee amount to withdrawal of consent by default?
– What about notice at the time of entering into the contract? Is notice necessary for outsourced activities such as payroll processing by a third party?
– Will a separate notice as per section 7 be required for employment?
26. S14 Reasonable purposes
(2) For the purpose of sub-section (1), the expression "reasonable purposes" may include
(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines
• Under such circumstances notice under section 7 would not apply and consent may not be required. Consent may also not be possible.
27. Gap-20 Sec 14 – Reasonable purpose
• Gap:
– The nominee's personal details shared by the data principal should also be outside the purview of consent and treated as a reasonable purpose. Addition required
• Impact
– Room for violation and litigation
• Remedy
– Add the following clause: "the consent of the nominee is not required where the nominee's details are shared by the data principal and the nomination is mandated by statute"
• Explanation
– Requiring the consent of the nominee can lead to a huge social problem in the country, leading to family disputes
– Nobody informs the nominee that he/she has been nominated
– Nomination is very common in banking, mutual funds and insurance
– In employment, PF, gratuity, NPS etc. require nominations
– Even housing societies are now insisting on nominations
28. Gap-21 Sec 14 – Reasonable purpose
• Gap:
– "(e) credit scoring" is very open
• Impact
– Every fintech/NBFC/financial institution, in the garb of credit scoring, will start collecting data
• Remedy
– Add the following clause: "credit scoring as mandated by the Credit Information Companies (Regulation) Act 2005 and the related Rules and Regulations in this regard"
29. Gap-22 Sec 14 – Reasonable purpose
• Gap:
– "(h) the operation of search engines" is not correct
• Impact
– This will be a big technical loophole
• Remedy
– Delete this clause
• Explanation
– Periodic, action-based consent will be required
– An off-track example is Ola/Uber asking for consent every time
– This is the first step of profiling by the search engines
30. Gap-23 Sec 16(2) – Parental consent
• (2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations.
• Gap:
– What happens when the child attains majority?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required as to what happens to the consent once the child attains majority
– What is the mechanism?
– Are notice and consent freshly required from the major?
• Explanation
– Something similar to the Aadhaar Act can be implemented, where the minor has the right, within six months of attaining majority, to request deletion of the Aadhaar
31. Gap-24 Sec 20 – Right to be forgotten
• Gap:
– The section heading talks about the right to be forgotten, but the clause talks about "the right to restrict or prevent"
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– GDPR Article 17 has more clarity; however, the word "erasure" is used synonymously there. In our Bill, erasure is also mentioned in a separate context
– Too much confusion in our Bill regarding erasure. Please bring in some clarity
32. Gap-25 Sec 26 – Right to data portability
• Gap:
– There is no standard interoperable structure in the country to enable the implementation of data portability
• Impact
– Will remain good on paper only
• Remedy
– Add sub-section (3) as follows: "(3) The Authority has the right to define the interoperable standards to facilitate data portability"
• Explanation
– UIDAI has done a lot of work on standardisation as far as demographic standards are concerned. Refer http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf
– Even for consent, MeitY has come out with the Electronic Consent Framework
33. Gap-26 Sec 28 – Records of processing
• Gap:
– Why only fiduciaries? It should include processors as well
• Impact
– Confusion
• Remedy
– Add processors as well
• Explanation
– GDPR Article 30 has two parts, one for the controller and the other for the processor
34. Gap-27 Sec 29 – Data audits vs certification
• Gap:
– The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which are being repealed by this Act, have provisions for both audit and certification (refer Rule 8, next slide)
• Remedy
– Implement certification or audit after necessary modification
• Explanation
– There is a new standard, ISO 27701, for a Privacy Information Management System, which is an extension of ISO 27001
35. Rule 8 – SPDI contd.
Rule 8 (1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(2) The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard referred to in sub-rule (1).
36. Rules contd.
(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(4) The body corporate or a person on its behalf who have implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures, provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through an independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when there is a significant upgradation of its process and computer resource
37. Gap-28 Sec 30 – DPO
• "30. (1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the…"
• Gap:
– On roll or on contract basis?
– Can there be a single DPO in the case of group companies?
– Reporting structure of the DPO: typically to the Risk or Compliance department
– What about processors? Do they not need a DPO? It should be there as well
• Remedy
– Include these aspects as sub-clauses
• Explanation
– Refer Article 37 of GDPR, which has a lot of clarity
38. Gap-29 Sec 35 – Exemption
• Gap:
– Fear/perception of misuse of the provisions of this Act
• Remedy
– A provision similar to section 33(1) of the Aadhaar Act, wherein a Judge of the High Court can order the disclosure of information; similarly section 33(2), under which disclosure can be ordered by a Secretary to the Government of India, to be suitably substituted
39. Gap-30 Sec 57 – Types of penalties
• The fiduciary is categorised as
– Significant
– Small entity
– Guardian
– Normal (which does not fall in the three categories above)
• Personal data is categorised as
– Personal data
– Sensitive personal data
– Critical personal data
• This means there are 12 types of data breach (4 × 3)
– The penalty should also be logically split into 12 categories and not be one size fits all
40. Gap-31 Sec 91 – Anonymised personal data
• Gap:
– This anonymised data will be of junk value and cannot be used unless the entire universe uses a common algorithm for anonymisation
– The anonymisation algorithm will also have to be shared
– Including non-personal data is opening a Pandora's box
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– More clarity required
• https://www.youtube.com/watch?v=eMKiebYrvhU
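The two claims above, that anonymised data from different fiduciaries is unusable unless everyone applies a common algorithm, and that the algorithm would then have to be shared, can be shown with keyed hashing, which is the usual way identifiers are replaced before data is pooled. The following is an added example, not part of the submission: two hypothetical fiduciaries (a bank and an NBFC) pseudonymise a constructed list of customer identifiers with HMAC-SHA256. With separate keys the two datasets cannot be joined; with a shared key they can, but whoever holds the shared key can re-identify any pseudonym from a list of candidate identifiers, which is why such output is pseudonymised data rather than anonymised data.

```python
"""Keyed pseudonymisation across two data fiduciaries.

Added example (not from the submission). The fiduciaries, keys, customer
identifiers and amounts are all constructed for illustration.
"""
import hashlib
import hmac


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace an identifier by HMAC-SHA256(key, normalised identifier)."""
    canonical = identifier.strip().upper().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise_rows(rows, key: bytes):
    """Produce the 'anonymised' dataset a fiduciary would hand over: pseudonym plus amount."""
    return [{"pid": pseudonymise(r["customer_id"], key), "amount": r["amount"]} for r in rows]


def linkable_records(a, b) -> int:
    """Number of pseudonyms present in both datasets, i.e. rows a join on pid would match."""
    return len({r["pid"] for r in a} & {r["pid"] for r in b})


def reidentify(pseudonym: str, key: bytes, candidates):
    """Dictionary attack: anyone holding the key and a candidate list inverts the pseudonym."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, key), pseudonym):
            return candidate
    return None


# Constructed sample data. Customer CUST-0001 and CUST-0003 deal with both fiduciaries.
BANK_ROWS = [
    {"customer_id": "CUST-0001", "amount": 5000},
    {"customer_id": "CUST-0002", "amount": 1200},
    {"customer_id": "CUST-0003", "amount": 800},
]
NBFC_ROWS = [
    {"customer_id": "CUST-0001", "amount": 700},
    {"customer_id": "CUST-0003", "amount": 950},
    {"customer_id": "CUST-0009", "amount": 300},
]
# A candidate list such as a leaked customer master or a simple enumeration of the ID format.
CANDIDATES = [f"CUST-{n:04d}" for n in range(0, 20)]


def demo() -> dict:
    bank_key = b"bank-only-secret"
    nbfc_key = b"nbfc-only-secret"
    shared_key = b"industry-wide-secret"   # the "common algorithm" the slide refers to

    # Each fiduciary keeps its own key: the datasets cannot be joined.
    separate = linkable_records(pseudonymise_rows(BANK_ROWS, bank_key),
                                pseudonymise_rows(NBFC_ROWS, nbfc_key))
    # Everyone uses the same key: the join works, so the data is useful...
    shared = linkable_records(pseudonymise_rows(BANK_ROWS, shared_key),
                              pseudonymise_rows(NBFC_ROWS, shared_key))
    # ...but any holder of the shared key can undo the pseudonymisation.
    target = pseudonymise("CUST-0001", shared_key)
    leaked = reidentify(target, shared_key, CANDIDATES)
    # Without the key the same attack on the same pseudonym yields nothing.
    without_key = reidentify(target, bank_key, CANDIDATES)

    return {
        "joinable_with_separate_keys": separate,
        "joinable_with_shared_key": shared,
        "reidentified_with_shared_key": leaked,
        "reidentified_without_key": without_key,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shared key is the "algorithm that will have to be shared" in the gap statement: once it circulates, the output is linkable across the whole universe and reversible by anyone with the key and a plausible candidate list, so it should not be treated as outside the Bill in the way anonymised data is.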