SlideShare a Scribd company logo

Feedback on Personal Data Protection Bill 2019

N
Nanda Mohan Shenoy

The document provides feedback on gaps and issues in definitions and provisions of the Personal Data Protection Bill 2019 of India. It identifies 14 gaps in definitions related to data principal, financial data, health data, intra-group schemes, official identifiers, personal data, sensitive personal data and issues in notices under Section 7. It also points out gaps in provisions regarding consent, employment related processing, and reasonable purposes that could lead to confusion and litigation if not clarified. Remedies and explanations are suggested to address each gap.

Law
1 of 41
Feedback on Personal Data Protection Bill 2019 (Bill No 373) submitted to JPC-31 points -23/02/2020 Nanda Mohan Shenoy D CAIIB,DBM-Part I,, NSE Certified Market Professional Level-1 ,P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM,LA ISO 9001,LA ISO 27001 NISM empaneled CPE Trainer Director 1
Background • Had submitted the feedback in Sep 2018 version • Was also part of NASSCOM Committee in Mumbai • Following three recommendations were accepted • (14) "data principal" means the natural person to whom the personal data referred to in sub- clause (28) relates; • (26) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal • (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub- section (1) of section 2 of the Information Technology Act, 2000-this definition was added 2
Gap-1 Definition -Data Principal (14) • Gap: –Natural Person-What about Living or Dead • Impact –Can lead to lot of litigation • Remedy –Definition of Natural Person to clarify the same • International examples –See next slides 3
Gap-1 I. GDPR Recital 27 -This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons II. Bulgaria recognises that “in event of death of the natural person his/her rights shall be exercised by his/her heirs", thus extending the right of access to personal data not only to the natural person, but also to his or her family. III. The Estonian Data Protection Act goes even further, giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject In s 12 it states: “The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise.” Furthermore, in s 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but again for no more than thirty years after death. IV. The Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as “all kinds of information that directly or indirectly may be referable to a natural person who is alive.” V. The UK Data Protection Act defines personal data as “data which relate to a living individual". Other member states also predominantly use the term “natural person”; understood generally as a person having legal capacity, starting with the birth and ending with her death. Source –II TO V : https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy- potential-alternatives/#_ftn23 4
Gap -2 Definitions – Financial Data(18) • Gap : – means any number or other personal data • Gap – What is meant by other personal data ? No clarity • Remedy – Delete “ or Other personal data” • Interpretation – Can it be Customer id – Can it be UPI Virtual id which is already de- identified Financial data. 5
Gap -3 Definitions – Financial Data(18) • Gap : – Financial Status definition lacks clarity • Impact – Lead to interpretation • Remedy – Clarity required • Logic – If a loan is rejected does it come under the Financial status? – If the account turns NPA , is it Financial Status. – Are Life Insurance Policy number Financial data as it is issued by Financial Institution – Are General Insurance policy number financial data? 6
Gap-4 Definitions- Health Data (21) • Gap : – Exclusion of Blood Group needed in definition • Impact – Lead to delay in medical emergencies • Remedy – Exclude the Blood Group from health data • Logic – Many companies have printed the Blood group on the Employee Id cards. Huge rework – Medical emergency 7
Gap-5 Definitions- Health Data (21) • Gap : –Post Mortem data not covered • Impact –Harm and press publicity • Remedy –Need Clarity or include • Logic –Post mortem reports are often published in the newspapers which may or may not cause harm 8
Gap-6 Definitions- Intra-group schemes(22) • Gap : – Intra group • Impact – Clarity issues • Remedy – Need Clarity or include • Logic – Used in the context of Transborder .What constitutes the Intra group is not know. If trans border intra group is allowed why not domestic Intra group 9
Gap7-Definitions- Official identifier(26) • Gap : – List of Official identifier as schedule • Impact – Avoid confusion for data fiduciaries • Remedy – A separate schedule • Example – EPFO UIN is it Financial data or Official identifier – PRAN for NPS is it Financial data or Official identifier – Income TAX PAN – GSTIN ? 10
Gap 8-Definitions- Personal Data (28) • Gap : – Ambiguity in online identifiers • Impact – Avoid confusion and subjectivity for data fiduciaries • Remedy – A separate schedule or explanation • Example – GDPR Recital 30 is as follows: – (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. 11
Gap-9 Definitions- Sensitive Personal Data(36) • Gap : – 4 definitions missing • Impact – Avoid confusion for data fiduciaries • Remedy – Define the same or give note ( has the same meaning as defined in the xxxx Act) • Details (iv) sex life; (v) sexual orientation; (x) caste or tribe; (xi)Religious or Political Belief or Affiliation 12
13 Gap-10 Definitions- Sensitive Personal Data(36) Gap : How to protect SPDI on the cheque given below Impact Violation from Day 1 as confidentiality of the data cannot be ensured as the Cheque passes through multiple layer at Data Principal end as well as Fiduciaries/Processors Remedy Clarity required. May be exception for Physical cheques etc. But challenge is it can be converted into electronic image
Notice –Sec 7 (1) Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely— (a) the purposes for which the personal data is to be processed; (b) the nature and the categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14; (f) the source of such collection, if the personal data is not collected from the data principal; (g) The individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; 14
• Gap : – Cases where Consent is not required • Impact – Avoid confusion for data principal • Remedy – Modify Clause (1) (e) • Details • (e) the right of the data fiduciary to process certain data without the consent ,the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14 Gap -11 Notice –Sec 7 15
• Gap : – definition of the nature and the categories of personal data missing • Impact – Avoid confusion for data fiduciaries – Nature does it mean the data elements like gender ? Does category mean personal, sensitive personal data critical personal data as defined in the Bill? • Remedy – Explanation or rewording required . • Details • (b) the nature and the categories of personal data being collected; Gap -12 Notice –Sec 7 16
Notice –Sec 7 (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data will be retained in terms of section 9 or where such period is not known, the criteria for determining such period; (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V and any related contact details for the same; (k) the procedure for grievance redressal under section 32; (l) the existence of a right to file complaints to the Authority; (m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub section (5) of Sec 29 ; and (n) any other information as may be specified by the Authority. (2) Shall be clear ,concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable. (3) shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12. 17
• Gap : – Standardisation • Impact – Avoid confusion for data fiduciaries /Principals • Remedy – rewording required . • Details • j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V in terms of Section 17 to Section 21 and any related contact details for the same Gap -13 Notice –Sec 7 18
• Gap : – Elements of Notice missing • Impact – Avoid confusion for data fiduciaries • Remedy – Add the same in the Act • Explanation – The right of the data fiduciary for anonymising the data and using it for predictive analysis big data etc should be inserted – Also the obligation of the Act does not apply to the anonymised data – No consent will be required for anonymising the data – The obligation of the data fiduciary to apply the security safeguards in terms of Section 24 .(The methods of de- identification of data as to enhance the transparency and trust ,wherever applicable ) Gap -14 Notice –Sec 7 19
Gap -15 Notice –Sec 7 • (2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable • Gap : – Ambiguous statement • Impact – Avoid confusion for data fiduciaries • Remedy – Clarity required • Explanation – Who decides necessary or practicable ? “multiple languages where necessary and practicable” 20
Gap 16-Sec-9 - Data storage limitation (4) Where it is not necessary for personal data to be retained by the data fiduciary under sub- sections (1) and (2), then such personal data must be deleted in a manner as may be specified • Gap : – Implementation hurdle • Impact – Penalties at future date for non compliance • Remedy – Clarity required in the Act • Explanation – Physical deletion or logical deletion? – Physical deletion ruled out in most of the cases and cost of implementation high – Logical deletion will give rise to referential integrity checks – What about deletion from all the backups taken say over the last n years and archived. How ill that be achieved . – Any cut off date for deletion related to the passing of the bill needs to be explored and cannot be retrospective – Everybody will be non complaint from day 1 – Right of the data fiduciary to store the data even if the service is not provided for example a loan is rejected or an account opening is rejected , as per regulatory requirement the data needs to be preserved for Audit purpose and the regulator comes and checks that as well. This is not under any law 21
Gap-17 Sec 11. Consent 11. Processing of personal data on the basis of consent.— (1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing • Gap : – Can any person authorised by the Data Principal give the consent • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – Indian Contract Act has the concept of Power of Attorney – The BFSI segment works on Power of Attorney – No clarity whether the consent can be given by POA holder. – In financial services industry there are two approaches • 1.Banks open account based on the signature of POA • 2. Depository accounts cannot be opened by POA holder – Absolute clarity required on the same 22
Gap 18-Sec 11 . Consent • Gap : – processing includes ‘use’ of data which can lead to implementation hurdles • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – Four types of processing 1. Account opening (Non Financial Transaction) 2. Transaction (Financial Transaction –one time System generated/Fiduciary induced ) 3. Transaction (Financial Transaction – recurring System generated/Fiduciary induced ) 4. Transaction (Financial Transaction- Customer Induced) – In case of 2 and 3 will consent be required every time for processing like Recurring Deposits in Banks, SIP in Mutual Fund – In case of 4 if the customer is signing a cheque and giving it to the bank , can it be construed as implied consent – Similarly employees monthly salary and statutory payment processing 23
(1)Notwithstanding anything contained in section 11, and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed if such processing is necessary for - (a) recruitment or termination of employment of a data principal by the data fiduciary; (b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary (c) verifying the attendance of the data principal who is an employee of the data fiduciary; or (d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary. 24 S13 Employment Related (2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is – not appropriate having regard to the employment relationship between the data fiduciary and the data principal ;or – would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.
Gap 19-Sec 13- Employment related • Gap : – Clarity required • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – What is disproportionate effort – Will monthly payroll processing require consent? – Why specifically attendance record is mentioned? – Whether one time consent is required from employees? – The notice to employees we can make it clear that referral checks and others do not need the consent as per this section. This section is also part of the notice – Does termination of an employee tantamount to withdrawal of consent by default? – What about Notice at the time of entering into contract. Is Notice necessary for outsourcing activities like payroll processing to third party? – Will a separate notice as per sec 7 will be required for employment? 25
S14. Reasonable Purposes (2) For the purpose of sub-section (1), the expression "reasonable purposes" may include— (a) prevention and detection of any unlawful activity including fraud; (b) whistle blowing; (c) mergers and acquisitions; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data; and (h) the operation of search engines Under such circumstances Notice under section 8 would not apply consent may not be required . Also consent may not be possible 26
Gap 20-Sec 14- Reasonable Purpose • Gap : – The Nominee personal details shared should also be outside the purview of Consent and treated as Reasonable Purpose. Addition required • Impact – Room for violation and litigation • Remedy – Add the following clause – “the consent of the Nominee is not required where the sharing of the Nominee details by the Data principal where the nominee is mandated by statute’ • Explanation – Consent of the Nominee can lead to a huge social problem in the country leading to Family disputes. – Nobody informs the Nominee that he/she has been nominated – Nominee is very popular in Banking/ Mutual Fund/Insurance – In employment PF/Gratuity/NPS etc requires nominations – Even housing societies are now insisting on nominations 27
Gap 21-Sec 14- Reasonable Purpose • Gap : – “(e) credit scoring” is very open • Impact – Every Fintech /NBFC/Financial Institution in the garb of Credit Scoring will start collecting data • Remedy – Add the following clause – “ Credit scoring as mandated by The Credit Information Companies (Regulation) Act 2005 and related Rules and Regulations in this regard” • Explanation – Consent of the Nominee can lead to a huge social problem in the country leading to Family disputes. – Nobody informs the Nominee that he/she has been nominated – Nominee is very popular in Banking/ Mutual Fund/Insurance/NBFC – Even housing societies are now insisting on nominations 28
Gap 22-Sec 14- Reasonable Purpose • Gap : – “(h) the operation of search engines” is not correct • Impact – This will be a big technical loop hole • Remedy – Delete this • Explanation – Periodic action based consent will be required – An off track example is Ola /Uber asking for consent every time – This is the first step of Profiling by the search engines 29
Gap 23 Sec 16 (2)-Parental Consent (2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations. • Gap : – What happens when child attains majority? • Impact – Room for violation and litigation • Remedy – Clarity required as to what happens to the consent once the child attains majority ? – What is the mechanism? – Is the notice and consent freshly required from the Major? • Explanation – Something similar to Aadhaar Act can be implemented where the minor has the right within 6 months of achieving the majority can request to delete the Aadhaar 30
Gap 24 Sec 20-Right to be forgotten • Gap : – Section heading talks about Right to be forgotten but clause talks about “the right to restrict or prevent” • Impact – Totally out of Sync • Remedy – Need to relook at the same • Explanation – GDPR Article 17 has more clarity .However the word erasure is synonymously used there. In our bill erasure is a also mentioned in a separate context. – Too much of confusion in our bill regarding erasure. Please bring in some clarity 31
Gap 25 Sec 26-Right to data portability • Gap : – There is no standard interoperable structure in the country to enable the implementation of the data portability • Impact – Will remain good in paper only • Remedy – Add sub section 3 as follows: – “(3) The Authority has the right to define the interoperable standards to facilitate data portability “ • Explanation – UIDAI has done a lot of work on the standardisation as far as demographic standards are concerned. Refer – http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Rep ort_v1.0.pdf – Even for consent MIETY has come out with the Electronic Consent framework 32
Gap 26 Sec 28- Records of Processing • Gap : – Why only Fiduciaries ?It should include processors as well • Impact – Confusion • Remedy – Add processors as well • Explanation – GDPR Art 30 has two sections one for Controller and other for processor 33
Gap 27 Sec 29. Data Audits Vs Certification • Gap : – THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 which is getting repealed due to this ACT has provisions for both Audit and certification(refer rule-8 next slide) • Remedy – Implement Certification or Audit after necessary modification • Explanation – There is a new standard ISO 27701 for Privacy Management System which is an extension of ISO 27001 34
Rule 8 -SPDI contd.. 35 Rule-8 (1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. (2) The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
Rules-cont. (3) Any industry association or an entity formed by such an association, whose members are self- regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation. 36 (4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when significant up gradation of its process and computer resource
Gap 28 Sec 30. DPO “30. (1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the….” • Gap : • On roll or contract basis? • Can there be a single DPO in case of group companies? • Reporting structure of DPO-typically to Risk or Compliance Department • What about processors? Do they not need DPO? It should be there also • Remedy – Include these aspects as sub clauses • Explanation – Refer Article 37 of GDPR which has lot of clarity 37
Gap 29 Sec 35. Exemption • Gap : • Fear /perception of the misuse of the Provisions of this Act • Remedy – the provision similar to Sec 33 Sub section 1 of the Aadhaar Act wherein the Judge of the High Court can order the disclosure of information. Similarly Sub Section (2) of Sec 33 which can be ordered by the Secretary to the Government of India to be suitably substituted 38
Gap -30 Sec 57 Type of Penalties • The fiduciary is categorized – Significant – Small Entity – Guardian – Normal (which does not fall in the three categories ) • The Personal data is categorized – Personal data – Sensitive Personal data – Critical Data • This means that are 12 types of data breaches (4 *3) – The penalty should also be logically split into 12 categories and not one size fits all 39
Gap 31 Sec 91-Anoymised personal data • Gap : – This anonymised data will be of junk value and cannot be used unless the entire universe uses a common algorithm for anonymisations. – Also the anonymisation algorithm will also have to be shared . – Including Non Personal Data is opening a Pandora’s Box • Impact – Totally out of Sync • Remedy – Need to relook at the same • Explanation – More clarity required 40 https://www.youtube.com/watch?v=eMKieb YrvhU
nmds@bestfitsolutions.in 09820409261 ধনҝবাদ നؕിநன் ௣ धÛयवाद 41 Watch capsule module on: https://www.youtube.com/watch?v=eMKiebYrvhU

Recommended

Personal Data Protection Bill 2018
Personal Data Protection Bill 2018Personal Data Protection Bill 2018
Personal Data Protection Bill 2018
Nanda Mohan Shenoy
 
EFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van DoodewaerdEFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van Doodewaerd
Patrick Jordens
 
The Conversation Continues: Where International Data Transfers Stand
The Conversation Continues: Where International Data Transfers Stand The Conversation Continues: Where International Data Transfers Stand
The Conversation Continues: Where International Data Transfers Stand
TrustArc
 
International Data Transfer Update
International Data Transfer UpdateInternational Data Transfer Update
International Data Transfer Update
TrustArc
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
Mathew Chacko
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
Renato Monteiro
 
GDPR compliance with Varonis
GDPR compliance with VaronisGDPR compliance with Varonis
GDPR compliance with Varonis
Angad Dayal
 
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
TrustArc
 

Recommended

Personal Data Protection Bill 2018
Personal Data Protection Bill 2018Personal Data Protection Bill 2018
Personal Data Protection Bill 2018
Nanda Mohan Shenoy
 
EFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van DoodewaerdEFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van Doodewaerd
Patrick Jordens
 
The Conversation Continues: Where International Data Transfers Stand
The Conversation Continues: Where International Data Transfers Stand The Conversation Continues: Where International Data Transfers Stand
The Conversation Continues: Where International Data Transfers Stand
TrustArc
 
International Data Transfer Update
International Data Transfer UpdateInternational Data Transfer Update
International Data Transfer Update
TrustArc
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
Mathew Chacko
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
Renato Monteiro
 
GDPR compliance with Varonis
GDPR compliance with VaronisGDPR compliance with Varonis
GDPR compliance with Varonis
Angad Dayal
 
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
EU Update: Applying the new SCCs, or ‘just’ the complete GDPR?
TrustArc
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protection
Mathew Chacko
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
DipanjanDey12
 
Privacy 2020: Recap & Predictions
Privacy 2020: Recap & PredictionsPrivacy 2020: Recap & Predictions
Privacy 2020: Recap & Predictions
TrustArc
 
Personal data eng
Personal data engPersonal data eng
Personal data eng
Belarusian Helsinki Committee
 
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENTDATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
Prof. Jacques Folon (Ph.D)
 
China's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 DaysChina's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 Days
TrustArc
 
LGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement actionLGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement action
TrustArc
 
ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR
Annelore van der Lint
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
Komal Gadia
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
TrustArc
 
Privacy Access Letter I Feb 5 07
Privacy Access Letter I Feb 5 07Privacy Access Letter I Feb 5 07
Privacy Access Letter I Feb 5 07Constantine Karbaliotis
 
GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization
Vishnuvarthanan Moorthy
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
CILIP Ireland
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...
LJ Gilland Real Estate Pty Ltd
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
So Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateSo Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law Update
TrustArc
 
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, LondonDPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts
National Alliance to End Homelessness
 
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITYFeedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 

More Related Content

What's hot

General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protection
Mathew Chacko
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
DipanjanDey12
 
Privacy 2020: Recap & Predictions
Privacy 2020: Recap & PredictionsPrivacy 2020: Recap & Predictions
Privacy 2020: Recap & Predictions
TrustArc
 
Personal data eng
Personal data engPersonal data eng
Personal data eng
Belarusian Helsinki Committee
 
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENTDATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
Prof. Jacques Folon (Ph.D)
 
China's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 DaysChina's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 Days
TrustArc
 
LGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement actionLGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement action
TrustArc
 
ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR
Annelore van der Lint
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
Komal Gadia
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
TrustArc
 
GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization
Vishnuvarthanan Moorthy
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
CILIP Ireland
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...
LJ Gilland Real Estate Pty Ltd
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
So Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateSo Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law Update
TrustArc
 
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, LondonDPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts
National Alliance to End Homelessness
 

What's hot (20)

General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protection
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Privacy 2020: Recap & Predictions
Privacy 2020: Recap & PredictionsPrivacy 2020: Recap & Predictions
Privacy 2020: Recap & Predictions
 
Personal data eng
Personal data engPersonal data eng
Personal data eng
 
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENTDATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
 
China's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 DaysChina's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 Days
 
LGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement actionLGPD is Here: What to know to understand compliance and enforcement action
LGPD is Here: What to know to understand compliance and enforcement action
 
ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
 
Privacy Access Letter I Feb 5 07
Privacy Access Letter I Feb 5 07Privacy Access Letter I Feb 5 07
Privacy Access Letter I Feb 5 07
 
GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...
 
So Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateSo Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law Update
 
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, LondonDPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, London
 
3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts3.7 HMIS: Ask the Experts
3.7 HMIS: Ask the Experts
 

Similar to Feedback on Personal Data Protection Bill 2019

Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITYFeedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
The Pathway Group
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
JakeAldrinDegala1
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorMSpadea
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
Ulf Mattsson
 
GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?
MicheleNati
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
AltheimPrivacy
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Economic Laws Practice
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 

Similar to Feedback on Personal Data Protection Bill 2019 (20)

Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITYFeedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway Group
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?GDPR and IoT: What do you need to know?
GDPR and IoT: What do you need to know?
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 

More from Nanda Mohan Shenoy

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
Nanda Mohan Shenoy
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
Nanda Mohan Shenoy
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
Nanda Mohan Shenoy
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
 
Digitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedbackDigitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedback
Nanda Mohan Shenoy
 
IS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptxIS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptx
Nanda Mohan Shenoy
 

More from Nanda Mohan Shenoy (20)

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
 
Digitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedbackDigitial Personal Data Bill 2022 feedback
Digitial Personal Data Bill 2022 feedback
 
IS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptxIS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptx
 

Recently uploaded

ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
46adnanshahzad
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
MwaiMapemba
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
9ib5wiwt
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
anvithaav
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
ssuser5750e1
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
BridgeWest.eu
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
9ib5wiwt
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
KHURRAMWALI
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
Daffodil International University
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
Knowyourright
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
gaelcabigunda
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
BRELGOSIMAT
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
9ib5wiwt
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
anjalidixit21
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
Wendy Couture
 
How to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the NetherlandsHow to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the Netherlands
BridgeWest.eu
 

Recently uploaded (20)

ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 
How to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the NetherlandsHow to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the Netherlands
 

Feedback on Personal Data Protection Bill 2019

  • 1. Feedback on Personal Data Protection Bill 2019 (Bill No 373) submitted to JPC-31 points -23/02/2020 Nanda Mohan Shenoy D CAIIB,DBM-Part I,, NSE Certified Market Professional Level-1 ,P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM,LA ISO 9001,LA ISO 27001 NISM empaneled CPE Trainer Director 1
  • 2. Background • Had submitted the feedback in Sep 2018 version • Was also part of NASSCOM Committee in Mumbai • Following three recommendations were accepted • (14) "data principal" means the natural person to whom the personal data referred to in sub- clause (28) relates; • (26) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal • (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub- section (1) of section 2 of the Information Technology Act, 2000-this definition was added 2
  • 3. Gap-1 Definition -Data Principal (14) • Gap: –Natural Person-What about Living or Dead • Impact –Can lead to lot of litigation • Remedy –Definition of Natural Person to clarify the same • International examples –See next slides 3
  • 4. Gap-1 I. GDPR Recital 27 -This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons II. Bulgaria recognises that “in event of death of the natural person his/her rights shall be exercised by his/her heirs", thus extending the right of access to personal data not only to the natural person, but also to his or her family. III. The Estonian Data Protection Act goes even further, giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject In s 12 it states: “The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise.” Furthermore, in s 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but again for no more than thirty years after death. IV. The Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as “all kinds of information that directly or indirectly may be referable to a natural person who is alive.” V. The UK Data Protection Act defines personal data as “data which relate to a living individual". Other member states also predominantly use the term “natural person”; understood generally as a person having legal capacity, starting with the birth and ending with her death. Source –II TO V : https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy- potential-alternatives/#_ftn23 4
  • 5. Gap -2 Definitions – Financial Data(18) • Gap : – means any number or other personal data • Gap – What is meant by other personal data ? No clarity • Remedy – Delete “ or Other personal data” • Interpretation – Can it be Customer id – Can it be UPI Virtual id which is already de- identified Financial data. 5
  • 6. Gap -3 Definitions – Financial Data(18) • Gap : – Financial Status definition lacks clarity • Impact – Lead to interpretation • Remedy – Clarity required • Logic – If a loan is rejected does it come under the Financial status? – If the account turns NPA , is it Financial Status. – Are Life Insurance Policy number Financial data as it is issued by Financial Institution – Are General Insurance policy number financial data? 6
  • 7. Gap-4 Definitions- Health Data (21) • Gap : – Exclusion of Blood Group needed in definition • Impact – Lead to delay in medical emergencies • Remedy – Exclude the Blood Group from health data • Logic – Many companies have printed the Blood group on the Employee Id cards. Huge rework – Medical emergency 7
  • 8. Gap-5 Definitions- Health Data (21) • Gap : –Post Mortem data not covered • Impact –Harm and press publicity • Remedy –Need Clarity or include • Logic –Post mortem reports are often published in the newspapers which may or may not cause harm 8
  • 9. Gap-6 Definitions- Intra-group schemes(22) • Gap : – Intra group • Impact – Clarity issues • Remedy – Need Clarity or include • Logic – Used in the context of Transborder .What constitutes the Intra group is not know. If trans border intra group is allowed why not domestic Intra group 9
  • 10. Gap7-Definitions- Official identifier(26) • Gap : – List of Official identifier as schedule • Impact – Avoid confusion for data fiduciaries • Remedy – A separate schedule • Example – EPFO UIN is it Financial data or Official identifier – PRAN for NPS is it Financial data or Official identifier – Income TAX PAN – GSTIN ? 10
  • 11. Gap 8-Definitions- Personal Data (28) • Gap : – Ambiguity in online identifiers • Impact – Avoid confusion and subjectivity for data fiduciaries • Remedy – A separate schedule or explanation • Example – GDPR Recital 30 is as follows: – (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. 11
  • 12. Gap-9 Definitions- Sensitive Personal Data(36) • Gap : – 4 definitions missing • Impact – Avoid confusion for data fiduciaries • Remedy – Define the same or give note ( has the same meaning as defined in the xxxx Act) • Details (iv) sex life; (v) sexual orientation; (x) caste or tribe; (xi)Religious or Political Belief or Affiliation 12
  • 13. 13 Gap-10 Definitions- Sensitive Personal Data(36) Gap : How to protect SPDI on the cheque given below Impact Violation from Day 1 as confidentiality of the data cannot be ensured as the Cheque passes through multiple layer at Data Principal end as well as Fiduciaries/Processors Remedy Clarity required. May be exception for Physical cheques etc. But challenge is it can be converted into electronic image
  • 14. Notice –Sec 7 (1) Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely— (a) the purposes for which the personal data is to be processed; (b) the nature and the categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14; (f) the source of such collection, if the personal data is not collected from the data principal; (g) The individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; 14
  • 15. • Gap : – Cases where Consent is not required • Impact – Avoid confusion for data principal • Remedy – Modify Clause (1) (e) • Details • (e) the right of the data fiduciary to process certain data without the consent ,the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14 Gap -11 Notice –Sec 7 15
  • 16. • Gap : – definition of the nature and the categories of personal data missing • Impact – Avoid confusion for data fiduciaries – Nature does it mean the data elements like gender ? Does category mean personal, sensitive personal data critical personal data as defined in the Bill? • Remedy – Explanation or rewording required . • Details • (b) the nature and the categories of personal data being collected; Gap -12 Notice –Sec 7 16
  • 17. Notice –Sec 7 (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data will be retained in terms of section 9 or where such period is not known, the criteria for determining such period; (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V and any related contact details for the same; (k) the procedure for grievance redressal under section 32; (l) the existence of a right to file complaints to the Authority; (m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub section (5) of Sec 29 ; and (n) any other information as may be specified by the Authority. (2) Shall be clear ,concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable. (3) shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12. 17
  • 18. • Gap : – Standardisation • Impact – Avoid confusion for data fiduciaries /Principals • Remedy – rewording required . • Details • j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V in terms of Section 17 to Section 21 and any related contact details for the same Gap -13 Notice –Sec 7 18
  • 19. • Gap : – Elements of Notice missing • Impact – Avoid confusion for data fiduciaries • Remedy – Add the same in the Act • Explanation – The right of the data fiduciary for anonymising the data and using it for predictive analysis big data etc should be inserted – Also the obligation of the Act does not apply to the anonymised data – No consent will be required for anonymising the data – The obligation of the data fiduciary to apply the security safeguards in terms of Section 24 .(The methods of de- identification of data as to enhance the transparency and trust ,wherever applicable ) Gap -14 Notice –Sec 7 19
  • 20. Gap -15 Notice –Sec 7 • (2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable • Gap : – Ambiguous statement • Impact – Avoid confusion for data fiduciaries • Remedy – Clarity required • Explanation – Who decides necessary or practicable ? “multiple languages where necessary and practicable” 20
  • 21. Gap 16-Sec-9 - Data storage limitation (4) Where it is not necessary for personal data to be retained by the data fiduciary under sub- sections (1) and (2), then such personal data must be deleted in a manner as may be specified • Gap : – Implementation hurdle • Impact – Penalties at future date for non compliance • Remedy – Clarity required in the Act • Explanation – Physical deletion or logical deletion? – Physical deletion ruled out in most of the cases and cost of implementation high – Logical deletion will give rise to referential integrity checks – What about deletion from all the backups taken say over the last n years and archived. How ill that be achieved . – Any cut off date for deletion related to the passing of the bill needs to be explored and cannot be retrospective – Everybody will be non complaint from day 1 – Right of the data fiduciary to store the data even if the service is not provided for example a loan is rejected or an account opening is rejected , as per regulatory requirement the data needs to be preserved for Audit purpose and the regulator comes and checks that as well. This is not under any law 21
  • 22. Gap-17 Sec 11. Consent 11. Processing of personal data on the basis of consent.— (1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing • Gap : – Can any person authorised by the Data Principal give the consent • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – Indian Contract Act has the concept of Power of Attorney – The BFSI segment works on Power of Attorney – No clarity whether the consent can be given by POA holder. – In financial services industry there are two approaches • 1.Banks open account based on the signature of POA • 2. Depository accounts cannot be opened by POA holder – Absolute clarity required on the same 22
  • 23. Gap 18-Sec 11 . Consent • Gap : – processing includes ‘use’ of data which can lead to implementation hurdles • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – Four types of processing 1. Account opening (Non Financial Transaction) 2. Transaction (Financial Transaction –one time System generated/Fiduciary induced ) 3. Transaction (Financial Transaction – recurring System generated/Fiduciary induced ) 4. Transaction (Financial Transaction- Customer Induced) – In case of 2 and 3 will consent be required every time for processing like Recurring Deposits in Banks, SIP in Mutual Fund – In case of 4 if the customer is signing a cheque and giving it to the bank , can it be construed as implied consent – Similarly employees monthly salary and statutory payment processing 23
  • 24. (1)Notwithstanding anything contained in section 11, and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed if such processing is necessary for - (a) recruitment or termination of employment of a data principal by the data fiduciary; (b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary (c) verifying the attendance of the data principal who is an employee of the data fiduciary; or (d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary. 24 S13 Employment Related (2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is – not appropriate having regard to the employment relationship between the data fiduciary and the data principal ;or – would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.
  • 25. Gap 19-Sec 13- Employment related • Gap : – Clarity required • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – What is disproportionate effort – Will monthly payroll processing require consent? – Why specifically attendance record is mentioned? – Whether one time consent is required from employees? – The notice to employees we can make it clear that referral checks and others do not need the consent as per this section. This section is also part of the notice – Does termination of an employee tantamount to withdrawal of consent by default? – What about Notice at the time of entering into contract. Is Notice necessary for outsourcing activities like payroll processing to third party? – Will a separate notice as per sec 7 will be required for employment? 25
  • 26. S14. Reasonable Purposes (2) For the purpose of sub-section (1), the expression "reasonable purposes" may include— (a) prevention and detection of any unlawful activity including fraud; (b) whistle blowing; (c) mergers and acquisitions; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data; and (h) the operation of search engines Under such circumstances Notice under section 8 would not apply consent may not be required . Also consent may not be possible 26
  • 27. Gap 20-Sec 14- Reasonable Purpose • Gap : – The Nominee personal details shared should also be outside the purview of Consent and treated as Reasonable Purpose. Addition required • Impact – Room for violation and litigation • Remedy – Add the following clause – “the consent of the Nominee is not required where the sharing of the Nominee details by the Data principal where the nominee is mandated by statute’ • Explanation – Consent of the Nominee can lead to a huge social problem in the country leading to Family disputes. – Nobody informs the Nominee that he/she has been nominated – Nominee is very popular in Banking/ Mutual Fund/Insurance – In employment PF/Gratuity/NPS etc requires nominations – Even housing societies are now insisting on nominations 27
  • 28. Gap 21-Sec 14- Reasonable Purpose • Gap : – “(e) credit scoring” is very open • Impact – Every Fintech /NBFC/Financial Institution in the garb of Credit Scoring will start collecting data • Remedy – Add the following clause – “ Credit scoring as mandated by The Credit Information Companies (Regulation) Act 2005 and related Rules and Regulations in this regard” • Explanation – Consent of the Nominee can lead to a huge social problem in the country leading to Family disputes. – Nobody informs the Nominee that he/she has been nominated – Nominee is very popular in Banking/ Mutual Fund/Insurance/NBFC – Even housing societies are now insisting on nominations 28
  • 29. Gap 22-Sec 14- Reasonable Purpose • Gap : – “(h) the operation of search engines” is not correct • Impact – This will be a big technical loop hole • Remedy – Delete this • Explanation – Periodic action based consent will be required – An off track example is Ola /Uber asking for consent every time – This is the first step of Profiling by the search engines 29
  • 30. Gap 23 Sec 16 (2)-Parental Consent (2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations. • Gap : – What happens when child attains majority? • Impact – Room for violation and litigation • Remedy – Clarity required as to what happens to the consent once the child attains majority ? – What is the mechanism? – Is the notice and consent freshly required from the Major? • Explanation – Something similar to Aadhaar Act can be implemented where the minor has the right within 6 months of achieving the majority can request to delete the Aadhaar 30
  • 31. Gap 24 Sec 20-Right to be forgotten • Gap : – Section heading talks about Right to be forgotten but clause talks about “the right to restrict or prevent” • Impact – Totally out of Sync • Remedy – Need to relook at the same • Explanation – GDPR Article 17 has more clarity .However the word erasure is synonymously used there. In our bill erasure is a also mentioned in a separate context. – Too much of confusion in our bill regarding erasure. Please bring in some clarity 31
  • 32. Gap 25 Sec 26-Right to data portability • Gap : – There is no standard interoperable structure in the country to enable the implementation of the data portability • Impact – Will remain good in paper only • Remedy – Add sub section 3 as follows: – “(3) The Authority has the right to define the interoperable standards to facilitate data portability “ • Explanation – UIDAI has done a lot of work on the standardisation as far as demographic standards are concerned. Refer – http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Rep ort_v1.0.pdf – Even for consent MIETY has come out with the Electronic Consent framework 32
  • 33. Gap 26 Sec 28- Records of Processing • Gap : – Why only Fiduciaries ?It should include processors as well • Impact – Confusion • Remedy – Add processors as well • Explanation – GDPR Art 30 has two sections one for Controller and other for processor 33
  • 34. Gap 27 Sec 29. Data Audits Vs Certification • Gap : – THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 which is getting repealed due to this ACT has provisions for both Audit and certification(refer rule-8 next slide) • Remedy – Implement Certification or Audit after necessary modification • Explanation – There is a new standard ISO 27701 for Privacy Management System which is an extension of ISO 27001 34
  • 35. Rule 8 -SPDI contd.. 35 Rule-8 (1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. (2) The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
  • 36. Rules-cont. (3) Any industry association or an entity formed by such an association, whose members are self- regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation. 36 (4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when significant up gradation of its process and computer resource
  • 37. Gap 28 Sec 30. DPO “30. (1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the….” • Gap : • On roll or contract basis? • Can there be a single DPO in case of group companies? • Reporting structure of DPO-typically to Risk or Compliance Department • What about processors? Do they not need DPO? It should be there also • Remedy – Include these aspects as sub clauses • Explanation – Refer Article 37 of GDPR which has lot of clarity 37
  • 38. Gap 29 Sec 35. Exemption • Gap : • Fear /perception of the misuse of the Provisions of this Act • Remedy – the provision similar to Sec 33 Sub section 1 of the Aadhaar Act wherein the Judge of the High Court can order the disclosure of information. Similarly Sub Section (2) of Sec 33 which can be ordered by the Secretary to the Government of India to be suitably substituted 38
  • 39. Gap -30 Sec 57 Type of Penalties • The fiduciary is categorized – Significant – Small Entity – Guardian – Normal (which does not fall in the three categories ) • The Personal data is categorized – Personal data – Sensitive Personal data – Critical Data • This means that are 12 types of data breaches (4 *3) – The penalty should also be logically split into 12 categories and not one size fits all 39
  • 40. Gap 31 Sec 91-Anoymised personal data • Gap : – This anonymised data will be of junk value and cannot be used unless the entire universe uses a common algorithm for anonymisations. – Also the anonymisation algorithm will also have to be shared . – Including Non Personal Data is opening a Pandora’s Box • Impact – Totally out of Sync • Remedy – Need to relook at the same • Explanation – More clarity required 40 https://www.youtube.com/watch?v=eMKieb YrvhU