Implications of the Upcoming “The Personal Data Protection Bill 2018”
Nanda Mohan Shenoy
Director & CEO of Bestfit Business Solutions Pvt Ltd.
24 Jan 2019
Nanda Mohan Shenoy
CISA, CAIIB, COBIT 5 Trainer; a seasoned security professional with more than 30 years of experience in the Banking, Financial Services and Insurance (BFSI) segment.
Opening Remarks
Why Compliance?
The only cost that is going up in the current scenario: compliance cost.
Other costs moving southward: transaction, people, technology.
Penalties and fines by regulators.
What is Compliance?
Background
Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former Judge, Supreme Court of India, to identify key data protection issues in India and recommend methods of addressing them.
Released for public comments on 27th Nov 2017 (243 pages); open for public comments till 31st Dec 2017.
The Personal Data Protection Bill, 2018: draft submitted by Srikrishna to Ravishankar Prasad on 27th July (62 pages); open for public comments till mid Oct 2018.
Parliament process pending; hopefully in the Budget Session 2019.
“A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, another report (213 pages).
Overview: Chapters & Sections (number of sections in brackets)
I Preliminary (3)
II Data Protection Obligation (8)
III Grounds for Processing of Data (6)
IV Grounds for Processing of Sensitive Personal Data (5)
V Personal and Sensitive Personal Data of Children (1)
VI Data Principal Rights (5)
VII Transparency and Accountability Measures (11)
VIII Transfer of Personal Data outside India (2)
IX Exemptions (7)
X Data Protection Authority of India (20)
XI Penalties and Remedies (10)
XII Appellate Tribunal (11)
XIII Offences (7)
XIV Transitional Provisions (1)
XV Miscellaneous (15)
Schedules (2)
Sensitive Personal Data - (35)
(i) Password
(ii) Financial Data: any number or other personal data used to identify an account opened by, or card or payment instrument issued by, a financial institution to a data principal, or any personal data regarding the relationship between a financial institution and a data principal, including financial status and credit history
(iii) Health Data
(iv) Official Identifier: (27) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
(v) Sex Life
(vi) Sexual Orientation
(vii) Biometric Data
(viii) Genetic Data
(ix) Transgender Status
(x) Intersex Status
(xi) Caste or Tribe
(xii) Religious or Political Belief or Affiliation
Data Fiduciary & Processor
Data Fiduciary: any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Categories of data fiduciary: Significant Data Fiduciary (S38), Small Entity (S48), Guardian Data Fiduciary (S23).
Factors for notifying a Significant Data Fiduciary (S38):
(a) volume of personal data processed;
(b) sensitivity of personal data processed;
(c) turnover of the data fiduciary;
(d) risk of harm resulting from any processing or any kind of processing undertaken by the fiduciary;
(e) use of new technologies for processing; and
(f) any other factor relevant in causing harm to any data principal as a consequence of such processing.
Data Processor: any person who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.
Notice & Consent
Notice (S8) & Consent (S12, S18)
Notice to be given in the local language where necessary and practicable (the slide shows the word “Notice” in Hindi, Malayalam, Tamil, Bengali, Gujarati and other Indian languages).
Example of notices in Malayalam (ShareChat): Terms for using ShareChat; ShareChat Content & Community Guidelines; ShareChat Privacy Policy; ShareChat Child Policy.
Sc 1 - Data collected from the data principal directly: notice at the time of collection.
Sc 2 - Data not collected directly: notice as soon as is reasonably practicable.
Notice
Service | Entity | Type of data shared
Form Collection and Data Input | NBFC Lender Pvt Ltd | Personal Data & Sensitive Personal Data
Tele-verification | Bestfit TeleSales Pvt Ltd | Personal Data
Field Verification (including Salary / employer verification) | Magnus Field Verification Pvt Ltd | Personal Data and Salary details
Credit Bureau validation | CIBIL Transunion / Experian | Sensitive Personal Data
Credit Decision & Underwriting | NBFC Lender Pvt Ltd | Personal Data & Sensitive Personal Data
Disbursal of loan amount | ABC Bank Ltd | Bank account details for receiving loan amount
Courier of Loan Disbursal Kit and contract | Blue Dart Courier | Personal Data - Name and Address
Storage of Loan documents | Blue Mountain Storage | Personal Data & Sensitive Personal Data
S8(1)(g): the individuals or entities, including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable.
Other Key Points - 1
S10. Data Storage: data may be retained only where explicitly mandated, or necessary to comply with any obligation, under a law.
S33. Data Protection Impact Assessment: triggered by new technologies and large-scale profiling; required of a significant data fiduciary.
Data Principal Rights:
S24. Right to confirmation and access
S25. Right to correction, etc.
S26. Right to Data Portability
S27. Right to Be Forgotten
S28. General conditions for the exercise of rights in this Chapter
S36. Data Protection Officer: compliance; review of the DPIA.
S31. Security Safeguards
De-identification
Steps to protect integrity of data
Ch. IX Exemptions (S42-48): no exception to this section
Data Segmentation is also a concept, not explicitly mentioned here
Regulators - One More!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ch. X Data Protection Authority of India
S35(6). Data Trust Score
Similar to CIBIL Score
To be provided to significant data fiduciaries
To be part of the notice
Parameters to be decided
S35. Data Audits
All U Do Is Tick
(1) Annual audit by an independent data auditor under this Act
(2) The compliance of the data fiduciary with the provisions of this Act
(3) Civil penalties on data auditors for negligence
(4) Register
19
₹5 Cr
or
2%
S32. Notify & to take prompt and appropriate action in
response to a data security breach
S33. Undertake a data protection impact assessment
S35. Conduct the annual data audit
S36. Appoint a data protection officer
S38. Register with the Authority
₹15 Cr or 4% - penalty for:
- processing of personal data in violation of the provisions of Chapters II, III, IV, V (Sec 4 - Sec 23);
- failure to adhere to security safeguards as per section 31 of this Act;
- transfer of personal data outside India in violation of section 41 of this Act.
S97. Transition - Enactment of the Act
Notified Date (ND)
(i) Ch X - Data Protection Authority of India; (ii) & (iii) S107/108 - Power to make rules/regulations
Establish DPAI
Timelines shown: Max 12 months; Max 12 months from ND; Max 3 months from ND; No Date Specified
Sec 61. Code of Practice; Sec 17(2); S40
Max 18 months from ND - Balance Provisions
Schedule-I: Sec 43A of IT Act will be deleted
Sec 8, Sec 9, Sec 10, Ch III, Ch IV, Sec 31, Sec 45, Ch VI, Methods of De-identification & anonymization, Ch VII, Processing of data for reasonable purposes
Thank You
nmds@Bestfitsolutions.in
9820409261
www.bestfitsolutions.in