Indian Privacy Law

As Indian privacy law is about to be tabled in parliament, it is important for Indian companies to understand how they need to restructure their business processes to ensure they are fully compliant with the law.

Who will be affected

Any company that processes personal information of individuals. The law does provide some exemptions, but most of them do not apply to businesses. For example, small entities are exempted, but by definition only companies with a turnover below 20 lakh are considered small entities. The most affected companies will be:

  • Travel and Hospitality sector.
  • Education sector.
  • Healthcare sector
  • Departmental stores
  • Online portals
  • Or any other sector which processes high volumes of information or sensitive personal information

As per section 2 of the Personal Data Protection Act 2018:

Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —

  • in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
  • in connection with any activity which involves profiling of data principals within the territory of India.

How it will affect business in India

Non-compliance with the Personal Data Protection Act 2018 can lead to huge penalties.

As per Article 69:

Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable

As per Article 70: Penalty for failure to comply with data principal requests under Chapter VI.—

Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.

As per Article 71. Penalty for failure to furnish report, returns, information, etc.—

If any data fiduciary, who is required under this Act, or rules prescribed or regulations specified thereunder, to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable to penalty which shall be ten thousand rupees for each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.

As per Article 72. Penalty for failure to comply with direction or order issued by the Authority.—

If any data fiduciary or data processor fails to comply with any direction issued by the Authority under section 62 or order issued by the Authority under section 65, as applicable, such data fiduciary or data processor shall be liable to a penalty which, in case of a data fiduciary may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees, and in case of a data processor may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.

How penalties will be recovered

As per Article 78. Recovery of Amounts.—

The Recovery Officer may recover from such person the aforesaid amount in any of the following ways, in descending order of priority, namely—

  • attachment and sale of the person’s movable property;
  • attachment of the person’s bank accounts;
  • attachment and sale of the person’s immovable property;
  • arrest and detention of the person in prison;
  • appointing a receiver for the management of the person’s movable and immovable properties.

As per Article 93. Offences to be cognizable and non-bailable.—

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), an offence punishable under this Act shall be cognizable and non-bailable.

How representatives of a business are impacted

As per Article 95. Offences by companies.—

(1) Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

(2) Notwithstanding anything contained in sub-section (1), where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

How the Indian Data Protection Authority acts when a complaint is lodged

As per Article 65:

On receipt of a report under sub-section (2) of section 64, the Authority may, after giving such opportunity to the data fiduciary or data processor to make a representation in connection with the report as the Authority deems reasonable, by an order in writing—

  • require the data fiduciary or data processor to modify its business or activity to bring it in compliance with the provisions of this Act;
  • temporarily suspend or discontinue business or activity of the data fiduciary or data processor which is in contravention of the provisions of this Act;
  • vary, suspend or cancel any registration granted by the Authority in case of a significant data fiduciary;
  • suspend or discontinue any cross-border flow of personal data; or

As per Article 66:

Where the Authority has reasonable grounds to believe that—

  • enter and search any building or place where she has reason to suspect that such books, registers, documents, records or data are kept;
  • break open the lock of any box, locker, safe, almirah or other receptacle for exercising the powers conferred by clause (i) where the keys thereof are not available;
  • access any computer, computer resource, or any other device containing or suspected to be containing data;
  • seize all or any such books, registers, documents, records or data found as a result of such search;

The Authorised Officer may requisition the services of any police officer or of any officer of the Central Government, or of both, as the case may be, for assistance related to any of the purposes specified in sub-section (1) and it shall be the duty of every such police officer or officer to comply with such requisition.

So what is required to ensure a business is Personal Data Protection Act 2018 compliant?

The cultural change required of Indian businesses will not come overnight, but the law will be enforced. It is therefore high time to start updating business activities in line with the law.

The company shall provide the individual with the following information, no later than at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as is reasonably practicable—

  • the purposes for which the personal data is to be processed;
  • the categories of personal data being collected;
  • the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
  • the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
  • the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds in section 12 to section 17, and section 18 to section 22;
  • the source of such collection, if the personal data is not collected from the data principal;
  • the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
  • information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
  • the period for which the personal data will be retained in terms of section 10 or where such period is not known, the criteria for determining such period;
  • the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI and any related contact details for the same;
  • the procedure for grievance redressal under section 39;
  • the existence of a right to file complaints to the Authority;
  • where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under section 35; and
  • any other information as may be specified by the Authority.

What does this law mean for business?

As a service provider, our everyday operations revolve around massive amounts of data. From IT infrastructure to databases, from IT support professionals to end-user data, from remote support to physical touch labour, from depots and warehouses to onsite installations, we process many kinds of data in many forms. Data being an indispensable part of IT organizations, it needs stringent controls and procedures from node to hub and from end user to cloud.

BUT is that sufficient?

Let’s understand that the governing dynamics of business are undergoing a major paradigm shift: the controls that until now were required for organizational control are simply not enough. GDPR will change the dynamics; privacy is no longer a matter of choice or policy but is now required by design. Not only have the world’s tech giants changed the way they used to do business, but small and medium firms have also started to transform their businesses to gain an early edge over their non-compliant competitors.

Let’s agree that we simply cannot work without processing the personal data of our clients, vendors, customers, creditors, clients’ vendors and clients’ end users, and the scope is mammoth. As we all use IT systems to power our businesses, compliance with the law effectively applies to every IT business. Unless, of course, you don’t keep any paper or electronic files, don’t employ anyone, don’t operate online, don’t provide online support, and have never sold a thing. That’s pretty unlikely. It is safe to say that most aspects of your business are affected by GDPR.

At this time, you must take a deep dive into your operations and ask:

  • Do you know which systems hold personal data, including the new special categories of personal data?
  • Can you find that data in the event of a request from a data subject and, more importantly, can you erase it?
  • Do your customers and clients have a way to modify their existing data?
  • Do you have established processes and procedures to check the flow of data into, within and out of your organization?
  • Do you store data securely, whether that is in your office’s data centre, a vendor’s data centre, or in the cloud?
  • Can you identify a security breach and its source (e.g. a hack) and assess its impact on personal data?
  • Do you have a process for notifying the supervisory authority of that breach within 72 hours?
  • While providing on-demand IT resources, do you know whether your employees understand the organizational policies on data privacy and controls?
  • Do you evaluate when personal data is no longer usable for lawful processing and needs to be discarded?

AND most importantly: do you have legal grounds to defend yourself if you are ever subject to an enquiry by a regulatory authority or court of law, and do you have demonstrable evidence to support and protect yourself and prove your compliance?

What will change?

  • Your business development approach
  • Your client support approach
  • Handling of personal information of individuals
  • Imposing data minimization on all business activities
  • Rights of data subjects and how to handle them at the sales/support representative level
  • How long you keep personal information of individuals
  • How to handle employee/contractor information
  • How to make sure you produce demonstrable evidence that compliance is in place
  • Etc.

The most important part of the law is self-compliance: since nobody can issue a certificate, a business must itself act and create demonstrable evidence that its activities are aligned with the law’s framework.

So effectively a lot of activities (almost all) require a major overhaul, as the change must produce the demonstrable evidence that supervising authorities will require to be shown.

When you collect, process, analyze and share data, and use it to provide customized, tailored and leading-edge services to customers and businesses, you need to be acquainted with the multitude of ways in which you may knowingly or unknowingly impact the fundamental rights and privacy rights of a data subject and end up non-compliant. This is why you need to gear up and not only comply with the regulations but also have readily available demonstrable evidence and artefacts to support your compliance.

Personal Data Protection Act 2018 compliance does not end at the perimeter of your organization’s premises; far from it, it extends to your vendors, systems, offshore data centres and DR sites, employees and contractors. It is relatively easy to demonstrate your compliance inside your own walls, but what about outside them? Do you know what legal implications may follow when a vendor of yours mismanages data you provided? You simply cannot wash your hands of it.

The key question is: are you ready?

Well, the scope is not infinite but it is very wide, which is why we at Seven Step Consulting provide you with measures to protect you through our layered compliance assistance, covering you from node to hub. With mammoth non-compliance penalties of up to 5 crore rupees or 2% of your global turnover, impact on business continuity, and the risk of losing clients, you need to gear up to ensure your compliance.

Do contact us if you wish to have an Indian privacy law compliance solution for your business and help your organization stay one step ahead!
