The data privacy code of practice is finally making headway in India. Globally, 107 countries have introduced some form of legislation for data privacy and security. The implementation rate in Europe is high, but a majority of Asian economies are catching up on formulating local regulatory frameworks for protecting data privacy and security.
India is one of the newest participants in the data protection ring, with the Personal Data Protection (PDP) Bill already approved by the cabinet of the Government of India; it is in the final stage and set to become a legal act soon. A personal data protection law to govern the accumulation, storage and processing of data by public and private entities is anticipated next in India’s data privacy chronicle.
The PDP Bill was designed to craft the foremost cross-sectoral legal framework for data protection in the country. A data privacy law is essentially an umbrella in all jurisdictions: it applies to private companies, government entities and individuals that process private data, regardless of sector or industry. In retrospect, these regulatory developments are necessary considering the rising digital footprint of consumers and the patchy trail of sensitive data they leave behind on the web, mobile, storage media and other IoT devices, where data might get processed or stored without intent or approval.
Data today is at perpetual risk of breach, leak and abuse, with major repercussions in the form of identity theft, financial fraud, coercion and harassment, brand damage, customer loss and even lawsuits. 59% of senior Gen Y respondents (age 29-39) surveyed by FIS for the PACE Pulse survey indicated concerns about the safety and security of their data while using contactless payments, which are becoming the new normal. The data privacy system intends to safeguard consumers’ fundamental right to privacy from the risks of undesirable exposure of sensitive information in this digital age. Data protection laws have compelled organisations to articulate rigorous measures for shielding user data from any kind of peril, be it a cybersecurity breach, residual data leakage, etc. The aim is to protect digital citizens, including businesses, from data breaches, hence the provision for penal action in various data protection statutes.
Globally, data protection and privacy laws strive to control how companies source, store, manage and distribute private data. The crucial benchmark for falling within the range of most laws is where the data are collected, processed and stored. Financial institutions are major consumers and distributors of data but, with increasing digitization, data is a major driver of business success across all sectors. The main legislative aspect of these laws is based on controlling how companies handle user data across its entire lifespan, from accumulation and storage to archival and discarding. Failing to comply with these data protection guidelines puts companies at risk of huge fines and even lawsuits.
Generally, organisations must specify and document why they are storing private data. They must consider carefully what they intend to use the data for before obtaining approval.
In addition, data privacy legislation has implications for data archiving, in case data subjects wish to be forgotten. All organisations that gather and process personal data must have a genuine interest in doing so, and some statutory regimes set out specific principles for processing.
Data protection laws require organisations to act to ensure compliance, and there are major penalties for failing to do so. A big debate is going on about which countries are looking to bring such laws into compliance with the General Data Protection Regulation (GDPR), India being one of them. Though the Indian government has not very clearly mentioned whether it will comply with all the GDPR laws, it is definitely being taken as a reference. The Ministry of Electronics and Information Technology is trying to find the right balance to take advantage of a data-driven ecosystem, but with all reasonable restrictions, which are very much in line with the GDPR.
While the transition to a digital economy in India is ongoing, the handling of personal data has already become ubiquitous. There are various aspects of the PDP Bill that will require organizations to change their business models, practices, and principles. Several others will increase operational costs and complexity. These matters serve as a textbook for what businesses need to remember about India’s new regulation and the upsurge in data protection regulation worldwide. Understanding these concerns will help digital corporations plan for the future, face future regulations, and make informed decisions about whether to enter or exit specific markets.
Data is the new currency for success in the digital economy, and many Indian businesses are quickly turning into data-driven businesses. In particular, financial service providers with access to data could extend an offer of credit to an underserved client. In such a case, the benefits of having a purpose limitation would have to be weighed against the cost of the prospect forgone: augmented access to credit.
In India, this has significant implications for meeting national economic objectives like financial inclusion. Forward-looking companies will implement end-to-end data protection solutions that moderate costs, simplify compliance and increase automation.
(The author is Chief Risk Officer, India, Middle-East & Africa, FIS, and the views expressed in this article are his own.)