
A quick guide to data privacy compliance for corporates

May 18, 2021

This article is written by Amala Maria George pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.com.

Introduction

In a survey conducted by Sophos on cybersecurity, 52% of companies said that they had been victims of a successful cybersecurity attack in the previous 12 months. The Covid-19 pandemic has forced more companies to shift to working from home and has brought an increase in online activity and digital transactions. A host of companies, including LinkedIn, Upstox, Facebook, MobiKwik and Domino's India, have fallen prey to data breaches in recent months. These developments have highlighted the huge regulatory lacunae in the Indian data privacy and cybersecurity area. Although discussions on a data privacy regulation and regime have been going on since July 2017, with the constitution of the B.N. Srikrishna committee and the release of the white paper in November 2017, the Personal Data Protection Bill, which was introduced in Parliament in December 2019, is yet to be passed and has not yet become legislation. 

In the absence of exhaustive legislation on data privacy, and given an increasingly digital business environment and an increase in the number of cyber-attacks and data breaches, it is imperative that corporates in India adopt international best practices in data privacy and security. The article evaluates the existing data privacy regime in India, analyses the requirements laid down in the Personal Data Protection Bill, 2019 ("PDP Bill") and covers the kind of practices corporates in India can adopt in the interim period. 

Existing data privacy regulations and obligations in India

Currently, in India, corporates and business entities are bound by data privacy and security regulations in the form of rules made under the Information Technology Act, 2000 and the regulations, circulars, and guidelines issued by the financial sector regulators. 

The Information Technology Act, 2000 ("the Act") has provisions relating to cybersecurity and, in particular, two provisions relating to the protection of sensitive personal data or information. Section 43A provides for damages by way of compensation to the person affected if a body corporate is negligent in dealing with sensitive personal data or information. Section 87 gives the Central Government the power to make rules prescribing the reasonable security practices and procedures, and the sensitive personal data or information, referred to in section 43A. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") were made in this regard. 

Analysis of SPDI Rules 

The SPDI Rules define personal information and sensitive personal data or information (SPDI), and are applicable to body corporates or persons located in India. The SPDI Rules define personal information to mean any information relating to a natural person which, in combination with other information available with the body corporate, is capable of identifying such person, and define SPDI to mean personal information relating to the eight kinds of data listed in the definition. Although a distinction is made, the legislative authority of the SPDI Rules is restricted to SPDI as defined, and obligations relating to personal information (as opposed to SPDI) may not be enforceable in courts of law. 

The Rules are applicable to body corporates, which have been defined to include companies, firms, sole proprietorships, or other associations of individuals engaged in commercial or professional activities. It was later clarified, vide a press note, that the Rules apply to a body corporate or person located in India. This restricts their applicability to business entities and leaves a wide gap in the regulation of non-profit organizations, governmental bodies, and departments. It also raises the question of whether corporates outside India that have computer resources in India, or that provide internet-based services to people in India, have to comply with the Rules. 

Rule 4 provides that a body corporate dealing with personal information including SPDI needs to have a clear and accessible privacy policy giving details of what kinds of personal information or SPDI it collects, the purpose of the collection of such data, disclosure to third parties, and the reasonable security practices and procedures it has implemented as directed in the SPDI Rules.   

Rule 5 requires body corporates to obtain consent from the provider of SPDI in writing, by fax or email, or through any mode of electronic communication. This consent should be based on disclosure of the fact that such information is being collected and of the purpose and usage of the information collected. The body corporate shall also take steps to ensure that the person knows who the recipients of the data are and the name and address of the agencies collecting and retaining the information. Rule 5 also provides that the body corporate should give the person providing the information the option not to provide such information, and an option to withdraw the consent given at any time while availing the services.

Disclosure of SPDI to third parties requires the prior consent of the provider of such information, with exceptions where the disclosure has been agreed to in the contract between the body corporate and the provider of the information, where disclosure is necessary for compliance with a legal obligation, where disclosure is to government agencies in relation to the prevention, investigation or prosecution of offences, or where disclosure is made by an order under law.

Rule 5 also embodies the principles of purpose limitation and data minimisation, by requiring that the body corporate not retain the data longer than is required for the stated purposes, and that it collect only the data necessary for those purposes.

Rule 5 further requires that the provider of information be allowed to review the information and, if it is found to be inaccurate or deficient, to have it corrected or amended where feasible.

The body corporate is required to designate a Grievance Officer to address any discrepancies and grievances of the provider of the information with respect to the processing of that information, expeditiously and within one month of receipt of the grievance. The nature of the discrepancies and grievances for which the provider of information has recourse is unclear, and no recourse is provided in case the Grievance Officer fails to resolve the issue. 

Transfer of information to another body corporate or person may be done only if that body corporate or person ensures the same level of data protection as is provided for in the SPDI Rules. The transfer may be done only if it is necessary for the performance of the contract or if the provider of information has consented to it.

The SPDI Rules require body corporates to have reasonable security practices and procedures which are comprehensive, documented, and commensurate with the nature of the data and the business. The SPDI Rules lay down that a body corporate which has implemented either the IS/ISO/IEC 27001 standard or a code of best practices for data protection approved and notified by the Central Government shall be deemed to have complied with reasonable security practices and procedures. There is also a requirement of an audit every year, or whenever the body corporate undertakes a significant upgrade of its processes. 

Data privacy regulations in the financial services sector

The financial sector regulators of India, namely the Reserve Bank of India ("RBI"), the Insurance Regulatory and Development Authority of India ("IRDAI"), and the Securities and Exchange Board of India ("SEBI"), have laid down extensive and detailed cybersecurity frameworks or guidelines for their regulated entities. These are quite comprehensive and cover data at all stages, i.e. data at the source, in motion, in use, at rest, and at destruction. There are a few common threads, such as the requirement of a Board-approved cybersecurity plan, planning for a cybersecurity crisis and its response, a business continuity plan, a risk management framework, audit requirements, access control systems, periodic training of employees and staff, third-party management, etc. IRDAI and RBI have also put in place data localisation norms and requirements for their regulated entities.  

Summary of requirements under the Personal Data Protection Bill 2019 

This section will briefly summarize the requirements of the much-awaited and dissected PDP Bill, 2019– 

Best practices for Indian corporates to adopt an effective and compliant framework for data privacy

After a brief analysis of the existing regulations and the possible future legislation for data privacy, we move on to a quick guide for setting up an effective and compliant framework for data privacy. Adopting these practices will ensure a smooth transition when the PDP Bill becomes law and will ensure that customer data, and by extension customer trust, are protected at all times. 

The concept of giving notice to customers and other persons whose data is being collected means giving them information regarding the data being collected. This provides transparency and helps in building the trust of the customers. 

Corporates should have an accessible privacy policy that has details of-

Consent is one of the cornerstones of an effective data privacy compliance framework. Taking informed consent from customers can in some cases negate the liability of the corporate in case of a cybersecurity breach. When it comes to consent mechanisms, there are a number of ways of taking and recording consent. 

Some companies do not take explicit consent, but rather infer consent from the conduct of the customer in availing the services. This can be done by putting up a privacy notice on the website or a simple pop-up notification stating "by using the website you agree to our terms of privacy". In such a case the customer does not actively choose to agree or disagree; the customer's consent is recorded by way of conduct. 

Companies may instead have a checkbox requiring consent from the customer before proceeding. Since ticking the box is mandatory to proceed, the customer has to explicitly opt in or opt out. 

Many times companies collect data for a primary purpose and may store the data for use in secondary purposes. For example, a pizza delivery service requires contact and address details for a particular order placed by the customer; this is the primary purpose of the data collection. However, it retains and stores the data to send promotional messages, run advertising campaigns, and offer a faster checkout process for future orders, which is the secondary usage of the data. This can be done through a blanket consent taken for both kinds of usage, or companies can take separate consent for primary and secondary usage of the data using either opt-in or opt-out mechanisms. Since data collected for secondary purposes like promotional campaigns is a potential source of revenue, and consumers often do not consent to it when given the choice, blanket consent mechanisms are often used by companies.

It is advisable to have an opt-in consent mechanism for sensitive personal data to comply with EU GDPR and the impending PDP Bill.

Data subjects should be provided with the opportunity to withdraw consent at any point during their relationship with the service providing corporate or thereafter.  

It is advisable to collect only the data that is necessary for the purpose, and it should not be stored beyond completion of the purpose. There should be processes to delete data on completion of the purpose or on request by the consumer, and a system to periodically erase data that is no longer in use. It is also important to define the purpose for which the data is going to be used. Companies tend to use generic clauses to widen the ambit of the purpose; however, it is advisable to state specific purposes in the privacy policy. Even after defining the purpose, corporates have to take care that the usage of the data is reasonable and of a kind the consumer would reasonably expect. There should be a correlation between the actual usage and the purpose defined. The SPDI Rules and the PDP Bill both require purpose limitation and data minimisation, and it is essential that the uses of the data are appropriate, reasonable, and essential to the purposes defined.

It is recommended that corporates provide data subjects with access to their data and the right to correction of the data in case of any discrepancy or error. Access to the data may be based on a fee model in some cases where the data is difficult to track or gather, depending on the company. An option to erase data should ideally also be provided by corporates, although this would prove difficult in the case of some business models and industries, such as internet search engines. 

Most corporates have to share some part of the data with third-party vendors or service providers to ensure completion of the service or to provide better and more efficient services. For instance, a social media application might share the mouse-tracking data it collects on its websites with advertisers to understand consumer preferences and behaviour. Another example is a banking service provider sharing its website tracking data with marketing companies to understand the needs and preferences of the customer and provide targeted advertising. 

Data theft, hacking, ransomware, and the like are on the increase, and it is essential for companies to have a proper data privacy and security policy, effective technology tools, systems, and processes to ensure reasonable safeguards against cyber-attacks and data theft.

It is recommended that corporates set up a dedicated grievance redressal point of contact and procedure for consumers who have grievances with respect to the way their data is being processed. There should be a well-defined timeline for the response to and redressal of the grievance. This is a requirement under the SPDI Rules and under the PDP Bill.

The regulators and authorities must be notified in case of a data breach. Reporting of cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) is currently a requirement under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. Notification to the Data Protection Authority (DPA) is also envisaged under the PDP Bill, and the DPA may require notification to the data principal as well. Under the EU GDPR, a data breach likely to result in a high risk to the rights and freedoms of natural persons has to be notified to the data subject as well. Corporates should decide on public notification of a significant data breach or an attempted cyber-attack based on the risk it poses to the customers. While reputation might be at stake, it is also essential to consider the rights of the customers and the trust relationship the corporate has with them.

It is essential that corporates have an emergency response, a mitigation strategy, a cyber crisis management plan, and business continuity processes in place. These should be periodically reviewed and updated based on changes in the nature of the data collected, updates to technology and systems, and the evolution of cyber threats. It is not only essential to review these periodically; they should also be tested to ensure quick response and implementation. 

Conclusion

With most corporates and brick-and-mortar businesses going digital, it is essential that corporates start putting data privacy and security systems and procedures in place. Even though there are lacunae in the data privacy regime in India, it is only a matter of time before the PDP Bill is enacted and corporates are burdened with a huge set of compliance requirements. Adopting the best practices followed by international companies and setting up a good data privacy framework in anticipation of the PDP Bill will work in favour of corporates. Not only will it ensure a smooth transition for companies if and when the PDP Bill is enacted into legislation and implemented, but it will also help win and maintain the trust of customers.
