As the Indian privacy law is about to be tabled in Parliament, it is important for Indian companies to understand how they need to restructure their business processes to ensure they are fully compliant with the law.
The law applies to any company that processes the personal information of individuals. Although the law provides some exemptions, most of them do not apply to businesses. For example, small entities are exempted, but by definition only companies with a turnover of less than 20 lakhs qualify as small entities. The companies most affected will be
Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —
Non-compliance with the Personal Data Protection Act 2018 can lead to heavy penalties:
Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable
Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
If any data fiduciary, who is required under this Act, or rules prescribed or regulations specified thereunder, to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable to penalty which shall be ten thousand rupees for each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
If any data fiduciary or data processor fails to comply with any direction issued by the Authority under section 62 or order issued by the Authority under section 65, as applicable, such data fiduciary or data processor shall be liable to a penalty which, in case of a data fiduciary may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees, and in case of a data processor may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.
The Recovery Officer may recover from such person the aforesaid amount in any of the following ways, in descending order of priority, namely—
Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), an offence punishable under this Act shall be cognizable and non-bailable.
(1) Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
(2) Notwithstanding anything contained in sub-section (1), where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
On receipt of a report under sub-section (2) of section 64, the Authority may, after giving such opportunity to the data fiduciary or data processor to make a representation in connection with the report as the Authority deems reasonable, by an order in writing—
Where the Authority has reasonable grounds to believe that—
The Authorised Officer may requisition the services of any police officer or of any officer of the Central Government, or of both, as the case may be, for assistance related to any of the purposes specified in sub-section (1) and it shall be the duty of every such police officer or officer to comply with such requisition.
The cultural change required of Indian businesses will not come overnight, but the law will be enforced. It is therefore high time to start updating business activities in line with the law.
The company shall provide the individual with the following information, no later than at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as is reasonably practicable—
As a service provider, our everyday operations revolve around massive amounts of data. From IT infrastructure to databases, from IT support professionals to end-user data, from remote support to physical touch labor, from depots and warehouses to on-site installations, we process many kinds of data in many forms. Data, being an indispensable part of IT organizations, needs stringent controls and procedures from node to hub and from end user to cloud.
Let's understand that the governing dynamics of business are undergoing a major paradigm shift: the controls that were hitherto sufficient for organizational control are simply not enough any more. GDPR will change the dynamics; privacy is no longer a matter of choice or policy but is now required by design. Not only have the world's tech giants changed the way they used to do business, but small and medium-sized firms too have started to transform their businesses to get an early edge over their non-compliant partners and gain a competitive advantage.
Let's agree that we just cannot work without processing the personal data of our clients, vendors, customers, creditors, clients' vendors and clients' end users; the scope is mammoth. Since we all use IT systems to power our businesses, compliance with the law effectively applies to every IT business. Unless, of course, you don't keep any paper or electronic files, don't employ anyone, don't operate online, do not provide online support, and have never sold a thing. That's pretty unlikely. Safe to say, most aspects of your business are affected by GDPR.
At this time, you must take a deep dive into your operations and ask
And most importantly: do you have legal grounds to defend yourself if you are ever subject to an enquiry by a regulatory authority or court of law, and demonstrable evidence to support you and prove your compliance?
The most important part of the law is that compliance is self-assessed (no one can issue a certificate), so you must act and create demonstrable evidence that your business activities are aligned with the law's framework.
So effectively many activities (almost all) require a major overhaul, since it is that change which produces the demonstrable evidence the supervising authorities will require.
When you collect, process, analyze and share data, and use it to provide customized, tailored and leading-edge services to customers and businesses, you need to be aware of the multitude of ways in which you may, knowingly or unknowingly, impact the fundamental rights and privacy of a data subject and end up non-compliant. That is why you need to gear up and not only comply with the regulations but also have demonstrable evidence and artifacts readily available to support your compliance.
Compliance with the Personal Data Protection Act 2018 does not end at the perimeter of your organization's premises; far from it, it travels to your vendors, systems, offshore data centers and DR sites, employees and contractors. It is relatively easy to demonstrate your own compliance, but what about outside your organization's walls? Do you know what legal implications might follow when a vendor of yours mismanages data you provided? You just cannot wash your hands of it.
The scope is not infinite, but it is very wide, which is why we at Seven Step Consulting provide you with layered compliance assistance that covers you from node to hub. With non-compliance penalties of up to 5 crore rupees or 2% of your global turnover, impact on business continuity and loss of clients at stake, you need to gear up to ensure your compliance.
Do contact us if you wish to have an Indian privacy law compliance solution for your business and help your organization Stay One Step Ahead!