Bridging the gap between privacy and accountability, India’s new Data Protection Bill emerges as a crucial cornerstone in the modern age of information. As the virtual realm evolves, so must our legal frameworks. And at the forefront of this evolution stands the proposed Data Protection Bill 2023 by the Government of India. The Digital Personal Data Protection (DPDP) or Data Protection Data (DPD) Bill 2023 was passed by the Lok Sabha on August 7, 2023, and it needs to be passed by Rajya Sabha before it becomes law. This legislative endeavor seeks to redefine how personal data is processed, shared, and protected within the country’s borders and beyond. 

“A Bill to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.” – the Bill definition says.

The new Data Protection Bill aims to halt the transfer of data outside the country, impose penalties on companies mishandling data, and establish a system to ensure universal compliance with the rules. Right now, there’s no exact date for when these rules will become official. Upon approval by the Upper house, the bill will encompass information collected from individuals in India, both offline and online, which subsequently undergoes transformation into digital dataThese rules will also be applicable if companies outside India utilize data from Indian people to sell products or provide services.

What Does the Data Protection Bill Cover?

The Data Protection Bill sets out rules for businesses that handle and manage data, while also safeguarding individual rights. Its primary objectives encompass halting the movement of data across borders, imposing penalties on companies for data breaches, and establishing a framework for a data protection body to ensure universal compliance with the rules.

Companies failing to comply could encounter penalties, and they must also discontinue retaining user data if it ceases to be necessary for their business purposes. The bill also says that no company or organization can use personal data in a way that could harm a child’s well-being.

Evaluating Cross-Border Transfer Adequacy

Cross-border data transfers stand as a pivotal concern within the Data Protection Bill. The bill states that the central government holds the power to limit the transfer of personal data to specific countries through official notifications. This essentially implies that the transfer of personal data to all other nations would take place without explicit restrictions. 

The core objective of regulating the movement of personal data outside India is to shield the privacy of Indian citizens. The intention is clear – to fortify data against vulnerabilities and potential breaches in countries with less robust data protection laws. Data stored in such regions might become susceptible to unauthorized sharing with both foreign governments and private entities, raising concerns over data security and citizen privacy. This implies that organizations must embrace a risk-focused strategy for data security, ensuring that their employees and stakeholders adhere to industry-leading practices and standards.

Data Protection Bill gives citizens certain rights

The Right to Information

Data Principles can ask for information about how their personal data is being used along with the summary of the data itself.

The Right to Withdraw Consent 

You can say no to your data being used, and you’ll know if it’s shared with others.

Right to Correction and Erasure 

 If your data is wrong or not needed anymore, you can ask to fix it or get rid of it.

Right of Grievance Redressal

You can complain if you’re not happy with how your data is being handled. If that doesn’t work, you can talk to the Data Protection Board. At the same time, companies that hold data have some responsibilities too:

Transparency 

They need to explain what personal data they’re collecting and why.

Informed Consent

They can’t collect your data without your permission.

Security Measures 

They need to protect your data from being stolen or lost.

Data Retention

They can only keep your data as long as they need to.

Data Breach Notification

If your data gets hacked, they have to tell you and the Data Protection Board.

For bigger data companies, the bill says they should have a data protection officer and an outside auditor to check if they’re following the rules.

Read More About the Top Cybersecurity Initiatives by the Government of India 

Who Will Enforce the Digital Data Protection Bill?

An important part of the Bill is the establishment of the Data Protection Board of India (DPB). This board will be a significant regulatory body in India, dedicated to ensuring the privacy of personal data. The DPB’s main role will be to make sure companies are following the rules and taking care of people’s data. If a company doesn’t follow the rules, the board can give them penalties. The board and its members are protected when they do things honestly and with good intentions.

The primary responsibilities of the Board include overseeing adherence to regulations, conducting inquiries, and imposing penalties. The DPB has the authority to summon and examine individuals under oath, inspect documents of companies handling personal data, and recommend blocking access to intermediaries that repeatedly breach the bill’s provisions.

Board members will initially serve for two years and can be eligible for reappointment. However, this relatively short term with the possibility of reappointment could potentially influence the board’s autonomy and independent operation.

Rules and Penalties 

The proposed bill mandates companies, termed ‘data fiduciaries,’ to strengthen the protection of digital information acquired from individuals, also recognized as ‘data principals.’ This entails transparently informing individuals about the collected data and its intended purpose. Additionally, companies must designate a Data Protection Officer with contact details and provide users the capability to alter or delete their personal data. These stipulations mirror obligations found in similar data protection laws worldwide, including the General Data Protection Regulation of the European Union.

The bill suggests penalties ranging from ₹50 crores to ₹250 crores for companies that fail to ensure the protection of user data or neglect to meet disclosure requirements. Government sources indicate that these penalties could stack up, allowing separate fines for each violation by the same data fiduciary.

Further guidelines will be issued by the Union government to identify firms categorized as ‘significant’ data fiduciaries, which will have to adhere to stricter regulations. This might involve undergoing data audits and conducting ‘Data Protection Impact Assessments’ for enhanced compliance.

In establishing the foundation, the bill sets the stage for the formation of the Data Protection Board of India (DPBI). Appointments of board members will be made by the Union Government through official notifications.

Also Read About Important Insights for CIOs & CISOs to Ensure Cybersecurity

What are the Limitations of Personal Data under the Data Protection Bill?

The forthcoming Data Protection Bill brings forth clear boundaries on its applicability, defining scenarios where its provisions won’t come into play. For instance, the Act won’t be concerned with personal data managed by an individual for personal or household purposes. Similarly, personal data shared publicly by the data principal, such as when a blogger openly shares personal information on a social media platform, is also outside the purview of the Act.

Guided by Consent and Legitimacy

According to the proposed bill, personal data processing must be based on lawful purposes and require explicit consent from the individual. This ensures that individuals’ intentions guide the utilization of personal data, directing it towards legitimate endeavors.

Transparency in Data Processing

A noteworthy instance of this transparency is evident when financial institutions handle customer KYC (Know Your Customer) information. The Data Protection Bill requires banks to notify the concerned individual about the processed data and the specific purpose behind it, thus establishing a precedent for open and accountable data management practices.

What are the Insights for CISOs in Data Protection Bill? 

The Data Protection Bill brings crucial shifts in safeguarding data, and for Chief Information Security Officers (CISOs), these insights are key to steering through its complexities. CISOs are the guardians of user data, entrusted with ensuring its privacy, compliance, and security. These must-know points empower them to make informed choices that effectively shield users’ digital belongings. Let’s explore the key pointers for CISO.

Penalty for Mishandling Data

The bill suggests severe penalties, up to Rs 250 crore, for entities mishandling or inadequately safeguarding personal data. This underscores the need for CISOs to establish stringent data protection practices to evade hefty fines.

Principles of Data Collection

The bill underscores essential principles like legality, purpose limitation, data minimization, and storage constraints. CISOs play a pivotal role in ensuring the lawful collection of data, its use for intended purposes, and maintaining it at a minimum level to protect user privacy.

Language Access for All

The bill ensures that notices and consents are available in the 22 languages mentioned in the 8th Schedule, thereby facilitating people’s understanding of their data rights. CISOs need to prioritize transparent communication in users’ preferred languages, bridging the gap between data privacy and accessibility.

Resolving Disputes Alternatively

The bill introduces an alternative method for resolving disputes through the data protection board, providing organizations a chance to rectify mistakes and address data breaches. CISOs are instrumental in aligning these resolutions and nurturing a secure digital environment.

Balancing Right to Information and Data Protection

The bill harmonizes the Right to Information (RTI) principles with personal data protection, highlighting the necessity of balancing transparency and data privacy. This balance resonates with the core essence of cybersecurity awareness – recognizing the importance of openness while safeguarding user data.

As the Data Protection Bill sets new standards for data security, CISOs stand at the forefront of shaping a secure, innovative digital landscape. Their awareness, actions, and strategic decisions will define the way forward, ensuring a resilient digital future for all.

Read More About People Security Management: Making ‘Weakest Link’ Into Strongest Defense

FAQs: Data Protection Bill 2023

The post Data Protection Bill’23: Insights and Directions for CISOs appeared first on Threatcop.