How The Personal Data Protection Bill, When An Act, Will Overhaul Privacy Norms

Updated: Oct 25, 2021

$887 million, $57 million, $26 million - these massive numbers denote the hefty fines levied on large corporations in recent times. The reason? General Data Protection Regulation (GDPR) violations.

History lesson for the day:

In 1995, when the Data Protection Directive, the forerunner to the General Data Protection Regulation, was introduced, social media and cloud storage were in their infancy. As rapidly changing technologies emerged, more personal data was being created and stored, and the Data Protection Directive became outdated. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) arrived to keep legislation current with technological advancements while also protecting the fundamental rights of citizens: (1) explicit consent needed to be given by the user, (2) the request for consent had to be presented in clear and plain language, and (3) the data subject had to be able to easily withdraw consent at any time and be informed of this right in advance.

The Personal Data Protection Bill, India:

India is one of the countries with a planned data privacy bill modeled after the General Data Protection Regulation. Introduced in India’s parliament on December 11, 2019, the Personal Data Protection Bill sets rules for how personal data should be processed and stored, and lists people’s rights with respect to their personal information. While large Indian companies with operations or customers in the EU or USA already have these safeguards in place (be it a large exporter or an IT company that handles consumer data because it maintains a core banking application), the Bill will nonetheless mean more compliance and reporting requirements for them. SMEs, on the other hand, would have to start from scratch with a plethora of tasks such as, but not limited to:

  • Categorization of personal data generally collected and noting the manner of such collection

  • Notification of the data principal of important operations in the processing of personal data through periodic notifications

  • Enablement of safeguards to prevent misuse, unauthorized access to, modification, disclosure or destruction of personal data

Technology: The knight in shining armor

While the above seems like a herculean task, there is a way out. Technology can be used to automate many of these tasks faster, more accurately and more cost-effectively, and is able to do the following:

  • Monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of the Act

  • Providing advice to the data fiduciary where required on the manner in which data protection impact assessments must be carried out, and assisting the review of such assessment as under sub-section (4) of section 33

  • Providing advice to the data fiduciary, where required on the manner in which internal mechanisms may be developed in order to satisfy the principles set out under section 29

  • Providing assistance to and cooperating with the Authority on matters of compliance of the data fiduciary with provisions under the Act

  • Acting as the point of contact for the data principal for the purpose of raising grievances to the data fiduciary pursuant to section 39 of the Act

  • Maintaining an inventory of all records maintained by the data fiduciary pursuant to section 34

[Infographic: requirements vs. how technology can add value]


One of the job titles we will start to see increasingly is the DPO (Data Protection Officer). They will understand data privacy legislation, ensure that your company is complying with these regulations, and act as a point of contact for data subjects. Technology, as indicated above, will help decrease workloads significantly. We must face privacy challenges head-on while keeping in mind national and global laws, without compromising on security and while keeping costs low.

