There is a common perception amongst privacy and business leaders that they do not need to take any action (for India’s PDPB) if they have already taken actions for compliance with EU GDPR. While the amount of work may not be as much, companies still need to take specific actions for PDPB. This article talks about what actions companies compliant with GDPR shall need to take to become compliant with PDPB.
India’s Personal Data Protection Bill (PDPB) is in its final stages of approval. Inspired by the EU General Data Protection Regulation (GDPR), the PDPB is sometimes referred as India’s GDPR. This is because EU GDPR is currently the gold standard when it comes to privacy laws. Most privacy laws that have been passed after GDPR have taken concepts and principles from EU GDPR. And, India’s PDPB is no exception in replicating quite a few concepts from EU’s GDPR law. At the level of principles or concepts, you may believe that both laws are similar and compliance with one means compliance with the other. However, as you dig deep, there are significant variants that require specific actions when it comes to compliance with PDPB. Let us dive into what your company will need to do specifically for PDPB even if your company is GDPR Compliant. Of course, compliance is always relative and there is no 100% compliance.
There are many differences that you will need to be cognizant and considerate about. For now, let us focus on 10 key areas that are significantly different in PDPB and will require you and your company to start working on:
The territorial scope: As per EU GDPR, the scope is limited to processing of personal data of EU residents. However, the PDPB states that any processing that is being done in India shall be under the realm of PDPB. This means, your company may have taken necessary actions to comply with processing EU residents but now will need to extend the protection to all processing that is being done within India. This has consequences for processors who may have contracts with companies that need to comply with EU GDPR but now need to extend similar protection to almost all processing being done in India.
Definition of personal and sensitive data: The EU GDPR defined personal data as anything that identifies a person directly or indirectly. However, the PDPB also considers inferred data as personal data. Similarly, PDPB rules that ‘financial data’ is also sensitive data. Further, PDPB has a provision that the government may define additional categories of sensitive data. So, to comply with PDPB, you will need to reconsider the way your company defines personal and sensitive data and adapt processes and systems to add ‘financial data’ into the ‘sensitive data’ category. Ideally, adapting your processes/systems to cater additional categories into the sensitive data definition will be a more preferred approach in longer term perspective.
Legal basis for processing: The EU GDPR and PDPB has a different set of legitimate bases for processing of personal data. More specifically, PDPB does not provide for processing under a contract because it leans more on consent. Furthermore, PDPB has something called ‘reasonable purposes. So, even though your company mapped all its processing activities to legitimate bases as part of GDPR compliance, the mapping may need to be reviewed again. Once you do so, there will be changes to systems and processes as well.
Consent: The EU GDPR considered the consent to be explicit, clear and informed while PDPB’s consent are more like contractual obligations. Furthermore, sharing information through a privacy notice may also be considered consent in PDPB. So, there is a choice to made by your company on whether to continue to lean on the GDPR consent approach and add contractual agreement as a consent when processing in India or consider completely different approaches. Either way, this is a significant and fundamental piece that determines compliance actions with PDPB.
Legitimate Interest: The EU GDPR allows controllers to assign certain processing activities as being a legitimate interest. However, in the PDPB, this assignment is done by Data Protection Authority (DPA). So, your company will need to justify and validate the choice of processing as legitimate interest with DPA. And, what if the DPA does not agree? I hope this will change before the final text is approved.
Children’s age: The EU GDPR defined the ages for children as those under the age of 16 with the flexibility for member states being allowed to change the age to 13,14 and 15 years old. However, the PDPB rules anyone under 18 as a child. So, your company will need to factor this when processing personal data. This may not be a big change if your company already implemented age per country for GDPR but still worth a change.
Accountability and Audits: The EU GDPR puts the accountability to conduct audits and remain compliant on the organizations but the PDPB requires the organizations to conduct audits and submit them to Data Protection Authority (DPA) on regular basis. So, your company will now need to be factoring when to conduct these audits and how to submit them to the DPA in India.
Right to be forgotten and deleted: The EU GDPR does not differentiate between right to deletion and right to be forgotten. However, the PDPB does make a difference between the two. So, even if your company is compliant with GDPR, you need to think on how to differentiate between erasure i.e., right to deletion and restricting processing i.e., right to be forgotten. And, you also need to consider if this fine-grained option is to be made available to those under GDPR.
DPA registration: The EU GDPR does not have any mandatory requirement for organizations to register with the DPA. Of course, The United Kingdom and Turkey have a registration requirement. However, PDPB requires organizations processing significant data to register with DPA. So, while you may have done all for GDPR compliance, this is a new action yet to be taken.
Data Localization: The EU GDPR allows for data transfers in so far you ensure adequate protection through different means. However, the PDPB requires that certain ‘critical’ personal data must be processed in India. Even for sensitive personal data, a copy must be kept in India. These are significant variants and will need a review of your data processing and transfer approach if your company has been using cloud-based solutions to store personal data.
The PDPB is like EU GDPR in principles and intentions to protect the personal data of individuals. However, the PDPB introduces subtle changes in scope, definitions, rights, accountability and other legitimate purposes. These subtle variances require that your company conducts a thorough review from a PDPB perspective. This will help determine the precise changes that are required. This is irrespective of whether your company is compliant with EU GDPR or not. Yes, being GDPR complaint may make things easier but there is no way you can say that you are complaint with PDPB just because you believe you are compliant with the GDPR.