Panel discussions

Data Protection Act 2021 – A compliance perspective


The world was shaken up in 2018 with the advent of GDPR. DPA 2021 is not on the distant horizon but has already entered into our day-to-day obligations as “Due Diligence” under Information Technology Act 2000 (ITA 2000).

R Ravichandran, IRS
Chief Commissioner of Income Tax

In the Nineties, I was working as Deputy Director in DG Shipping, Mumbai. In shipping, managing containers, like how to position them, where they can be stuffed and how to get them transmitted, was a big challenge. So we used to collect a lot of information from thirty to forty thousand ports all over the world on the container / cargo movement. All these data used to be very sensitive information which would benefit everyone, including the user, customs, custom house agents and shipping lines. The challenge was in managing the safety and security of the data. Honestly, in the Nineties, nobody thought about data protection or privacy. Data was always collected to promote business interests. In 2000, when I was working in SEBI, we had a committee on data protection along with RBI, where we addressed the financial sector information, which has two parts—personal and non-personal information. Personal information includes our buying behaviour, preferences, etc., which we now share openly on social media and sometimes get trapped by them. Personal information has become a marketable commodity, and it is available for a price.

Mountain of information
The government also collects information diligently for official purposes like taxation. The Income Tax department collects third-party information through the Central Information Bureau and the Statement of Financial Transaction mechanism. We are able to capture 95% of the financial transactions done by an individual, including banking, non-banking or chit fund transactions. Lending, borrowing, deposits, buying or selling properties and stocks or foreign exchange transactions—all are now captured. This was around 30,000 pieces of information in 1994. It grew to 30 crore pieces in 2015. Since then, there has been an explosion in the collection of information. Today, we collect about 300 lakh crore pieces of information. With PAN and Aadhaar seeding, we now have one common identifier and can map a person’s complete financial profile. 26AS can give 50 types of information. Such information is necessary to collect taxes. But what kind of data protection and privacy issues do I need to deal with? After all, the data belongs to the stakeholders who provide the data. At the IT department, I am only a custodian of the data.

Everybody collects data in some form. When a government collects data, they have a system and process to deal with it, but when a private entity collects data, there is the question of how they deal with data. We need to have a regulation. Data protection is a fundamental right and it is in a very nascent stage. Implementation is a big challenge.

A Bird’s Eye View of DPA 2021

Na Vijayashankar (Naavi)
Data Governance and Data Protection Consultant

Foundation of Data Protection Professionals in India (FDPPI) is an organisation of professionals. In 2018, after GDPR came in, I wondered how companies would face the challenge if a 4% penalty were levied for GDPR non-compliance. With this objective, we formed FDPPI in 2018 as a not-for-profit Section 8 company. Since then, we have been conducting many outreach programmes. We have conducted two certification programmes for our own data protection professionals, focussing on Indian law. We also created a framework for the industry.


DPA’s Legacy
India has been trying to get a Data Protection Act (DPA) for decades now. In fact, in 2006, a bill called the Personal Data Protection Bill (PDPB) 2006 was presented in parliament along with the Information Technology Act Amendment Bill 2006. The Amendment Act 2006 became 2008 and it got passed. But everybody forgot about PDPB 2006. Every time the government wants to come up with the legislation, there is always the problem of balancing the requirements of the industry on the one hand, privacy activists on the other hand and the government itself. The distinction between personal data and non-personal plus personal data came only after privacy became an important aspect. That is why even today the distance between cyber security and personal data security is high, and the Joint Parliamentary Committee (JPC) ultimately decided that we will call this the Data Protection Act instead of the Personal Data Protection Act. They took an easy way out to merge the two. But from a compliance point of view, it creates a lot more complications. The DPA 2021 was earlier called Personal Data Protection, with a focus on personal data. Now the title has been changed. In the applicability clause, it is said that this Act shall apply to non-personal data also, including anonymised personal data. This has confused people. What then happens to the Information Technology Act? The IT Act 2000 is anyway a data protection act in terms of both personal and non-personal data. Contravention of the IT Act can lead to both civil and criminal liabilities. People don’t realize that India has already had a data protection act since 2000.

Difference between ITA and DPA
We need to draw boundaries between DPA 2021 and the IT Act. You cannot say that Section 88 of ITA 2000 is not applicable for personal data. It will continue to have impact, particularly when it comes to criminal offences. DPA 2021 will mostly focus on compliance. Before a data breach happens, what should an organization do in terms of compliance? What is the penalty if they don’t have suitable measures? That will be the focus of DPA 2021.

After the data breach happens, ITA 2000 will also wake up. Corporates are more afraid of being in jail for two or three years rather than paying a heavy fine. The fine may be paid by the company. Such a thing happened in the 2004 baazee.com case. Its Director Avinash Bajaj fought in the Supreme Court for 8 to 10 years to avoid criminal liability. The IT Act will continue to be relevant even after DPA 2021.

Finding out the difference between the two is, in fact, a challenge for compliance people. Where does ITA compliance end and DPA 2021 begin? How do they both combine? For this, we have prepared the Data Protection Compliance Standard of India (DPCSI), which is inclusive of ITA 2000 compliance.

Compliance instead of complaints
Objections will continue to be there for the Act. The complaint that the government is having more powers than what is necessary or companies are not being properly prevented from collecting personal data will remain and privacy activists will never be satisfied with any law. Whether it is GDPR or anything else, they will continue to have their complaints.

In some countries, when data protection law was introduced, they gave one or two years’ time for implementation and came out with staggered implementation of fines. India also may do that.

In India, we are always fighting against the government. We talk of surveillance raj. But in the corporate sector, we should steer clear of this. Let us understand and accept that there will be no unanimity. The industry should not be distracted by such complaints but instead look at compliance. Now, ultimately, if the Government passes it through, then we will not be able to say that Section 35 is not good or 33-34 on data localization is not acceptable. Those arguments will become irrelevant. You have to immediately look at what needs to be complied with. That is why FDPPI is bringing the focus on the compliance view of DPA 2021.

It’s a long journey
Compliance is a journey and not an overnight possibility for any company. For employees to understand the data privacy needs and assimilate that into the culture, it will take time. Then comes the question of having technology, tools and policies. For large organizations, even six months is not sufficient for compliance readiness. DPA 2021 compliance is more complicated than GDPR because GDPR applies only to personal data coming here from the EU region. We should use the available time to build a culture in the industry. Let us not be distracted by what they say in the media, that this act will never come, and if it comes startups will get affected or our ease of doing business index will get affected. It is their business to write. We in the industry can participate in the discussions, if possible, and at the same time, quietly undertake compliance measures.

No room for complacency
When companies start their journey towards compliance, professionals such as auditors have to help these companies and they have to start their journey much before the companies do. This act is inevitable. It will come, if not today, maybe in the next three months or whatever.

Let us not have the complacency that until the Act comes, no damage will occur to the company. It may be true in the case of the IT Act where, unless you prove the cause of action and say that XYZ has suffered damage, he can’t go to either the adjudicator or the court. Whereas with DPA, it is not like that. Even if there is no data breach and nobody has suffered damage, compliance is still required.


Courts, cases and informed judgments
There have been many court cases—one each in Madras, Odisha, Delhi and Bombay. In all these cases, courts have quoted that the right to be forgotten is a right to privacy. They are quoting this from GDPR. The Odisha court quoted sections of the Personal Data Protection Bill 2019, which many of us may dismiss as a bill. They are not even talking about DPA 2021, which is the JPC approved version of PDPB.

This means that courts have started looking at the environment of what the industry is expected to be—in India and outside. They are using it in their judgments and giving decisions. Today, it may not be a decision to impose a penalty. But our courts can quote rulings in foreign courts, like the USD 887 Mn fine imposed on Amazon by the Luxembourg Supervisory Authority for prospective leakage of data and not-so-good compliance, and impose fines in India too.

Compliance by design
A CEO’s responsibility is to ensure Privacy by Design and Security by Design which are all part of Compliance by Design. It is not restricted to the technology aspects and to think that only the CTO is responsible is wrong. The entire business and professionals should be aware of what is required for compliance. Before you go into a trade negotiation and sign some contract, you should know that this is data protection related and there will be consequences. The decision to be compliant lies with the board. That is the reason why Indian law says that a Data Protection Officer (DPO) should be a Key Managerial Person (KMP).

A CEO, CFO, the independent director and the company secretary are the kinds of designations which fit into the KMP definition. Now the DPO is also put in that group, which essentially recognizes that the activity of a DPO is at the top level of the business. The Board and CEOs must recognize the need for compliance. Let us not blame a CFO for non-sanction of finances for compliance. A CFO may suggest taking cyber-insurance. If you want to bring down the insurance cover and thus the premium amount, to that extent, you should think of compliance and mitigation policies.


Option to develop codes
Section 50 of DPA says that different industry segments, if they want, may develop codes of practice as applicable to them for compliance and that such codes can be reviewed and accredited. You don’t have to be bound by an ISO 27701 only or some other framework.

The government is telling the industry to develop some self-regulatory practices. Such a provision was there in IT Act also. But we never looked at the law. We think that the law is made only by the government and either we oppose it and be non-compliant and face the consequences or keep blaming the government.

FDPPI is now focusing on sectoral development of codes of practice. We have developed a general umbrella code of practice, which we have called the Data Protection Compliance Standard of India (DPCSI), and it is good enough as a general framework. However, compliance has to be customized. What is relevant for Infosys cannot be applicable for another small IT company. A standard for the health industry may not be sufficient for fintech companies. Even educational institutions and MMA have to be data protection compliant. There is no exemption for NGOs or government organizations. In banks, SBI and HDFC Bank can follow a certain code which need not be applicable for Repco or a Co-operative Bank.


I am not trying to support the government, but before DPA 2021 is passed, industries should respond and try to develop self-regulatory practices. We at FDPPI are looking at interested corporate people who can be our members. Companies proactive in developing the codes of practice will take the leadership in their sector.

The timeline so far:

  • 27 July 2018 – PDPB 2018, based on the Justice Srikrishna Committee
  • 11 Dec 2019 – PDPB 2019, revised with public comments
  • 16 Dec 2021 – DPA 2021/22, reviewed by the JPC

The more the government postpones the Act, the more time it gives us to do some preparatory work. With this objective and a focus on the compliance perspective, let us look at the Act.

The essence of DPA 2021 in a nutshell:

  • The objective is to protect the privacy of individuals.
  • The law applies to certain kinds of data and certain kinds of activities.
  • It prescribes some actions – the data processing requirements, and then the compliance requirements by default.
  • It provides certain rights to data principals.
  • There are penalties, which may go up to four percent of the global turnover.
  • Penalties may arise for non-compliance, even when there is no data breach or wrongful harm caused.
  • There is a section which talks of criminal punishment of up to 3 years’ imprisonment, which extends to individuals and corporate executives including the Directors.

Eminent panellists who participated in the panel discussions include Geetha Jayaraman, GRC Expert, Capgemini; Rohan K George, Advocate, Samvad Partners; Nagendra Javagal, Director, FDPPI; Dr Mahesh Kalyanaraman, AVP, Risk & Compliance, HCL; Nikhil Ranjan Nayak, Product Manager, Tata Health; Ramesh Venkatraman, Portfolio Manager, QMS and ISMS, Carl Zeiss; Venkataramani Suresh, Co-Founder, Karkinos Health Care; R Vittal Raj, Cyber Risk Assurance Consultant; Govind Srinivasan, Management Systems Practitioner, Paramount Dataware Pvt Ltd and Rupak Nagarajan, Associate Director, KPMG.
