Availability of a globally recognized and established Data Privacy regulation like GDPR, provides impetus and guidance in the future evolution of Privacy Bills in other countries. Likewise, the Draft Personal Data Protection Bill, India has been shaping up drawing clear insights from the GDPR. This Bill is based on the Draft Bill prepared by the Justice Srikrishna Committee in July 2018. Among the other authoritative support document, Justice Puttaswamy vs Union of India, Supreme Court of India judgement 2017, is notable.
Legal aspects of the Draft Personal Data Protection Bill and recent debate around some aspects of the Bill are beyond the scope of this article. Since the Draft Personal Data Protection Bill is a new compliance challenge for the Indian entities, our primary interest is in understanding what control provisions are present in the Bill to help the entities to mitigate risks. To be specific, this discussion focuses on different types of Audit and assessment requirements and associated details that form part of the Bill. Selected Bill's provisions are reproduced as is and our commentary is added to explain the details.
Some key definitions are worth noting for clearly understanding the Bill.
Personal Data (PD) - Data relating to natural person
Data principal - Natural person
Data Fiduciary (DF) - Entity who determines processing
Data processor - who processes PD for DF
Data Protection Officer (DPO) - Data Protection Officer
Data Protection Authority (DPA) - Data Protection Authority
Section 10: Data storage limitation(1) The Data Fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. (3) The data fiduciary must undertake periodic review in order to determine whether it is necessary to retain the personal data in its possession.
Comments: Instead of Data Storage limitation, this section can be aptly called as Data retention guidelines. The periodic review appears to be more of a self assessment.
Section 31: Security Safeguards.(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically as may be specified and may take appropriate measures accordingly.
Comments: This may require internal security risk assessment with particular emphasis on security of PD. Though this doesn't specify frequency, once every two years is recommended. The Bill doesn't require the report to be submitted to DPA.
Section 33: Data Protection Impact Assessment. (1) Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or bio-metric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.
Comments: GDPR article 35 also refers to this as Data Protection Impact Assessment(DPIA). It is different from Privacy Impact Assessment(PIA). There are some triggers which require the conduct of DPIA. Post completion of the DPIA, DPO needs to submit the final report and review with the Data Protection Authority (DPA). If not satisfactory, the DPA may direct the data fiduciary to cease processing of the PD.
Section 34: Record-Keeping. (1) The data fiduciary shall maintain accurate and up-to-date records of the following— (a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11; (b) periodic review of security safeguards under section 31; (c) data protection impact assessments under section 33; and (d) any other aspect of processing as may be specified by the Authority.
Comments: The cross referencing of sections makes the Bill more integrated.
Section 35: Data Audits.(1) The data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Bill.(2) The data auditor will evaluate the compliance of the data fiduciary with the provisions of this Bill
Comments: More details are provided to help the data fiduciary. This will be an annual audit. DPA will also define qualifications for a Data Auditor. Data trust score will be one of the outcome of the audit. Privacy Maturity Model(PMM) may be a good framework to arrive at the Trust Score.
Section 36: Data Protection Officer.(1) The data fiduciary shall appoint a data protection officer for carrying out the following functions ...
Comments: Designation of the Data Protection Officer(DPO) is also covered in GDPR article 37. The Bill also defines responsibilities and qualifications of a DPO. DPO is a point person for the DPA. All communications from DPA will be addressed to DPO.
Section 49: Establishment and incorporation of Authority. (1) The Central Government shall, by notification, establish for the purposes of this Bill, an Authority to be called the Data Protection Authority of India.
Comments: Section 60 explains Powers and Functions of a DPA. Some key functions include Examining Data Audit, issuing Data Audit certificates, reviewing DPIA report, publishing DFs and Trust Scores and ensuring overall compliance with the Bill.
Section 69: Penalties.— (1) Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable— (a) obligation to take prompt and appropriate action in response to a data security breach under section 32 of this Bill; (b) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 33 of this Bill; (c) obligation to conduct a data audit by a significant data fiduciary under section 35 of this Bill; (d) appointment of a data protection officer by a significant data fiduciary under section 36 of this Bill; (e) failure to register with the Authority under sub-section (2) of section 38.
Comments:The above penalty is for violations relating to security breach, DPIA, audit, DPO. However there is another type of penalty included for data fiduciary contravening processing of personal data in violation of the provisions of Chapter II, III, IV, V of this Bill. Data fiduciary shall be liable to a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
Summary
In matters relating to audits and assessments the Bill is
Aligned with global privacy regulations
Sufficient details are provided as guidance for Data fiduciaries.
Further improvements are anticipated before the Bill becomes an Act.