What the Personal Data Protection laws mean for India and the rest of the world. How does the PDP compare with the General Data Protection Regulation (GDPR)?
India's Personal Data Protection bill may require changes to how you manage data, and GDPR compliance alone does not satisfy it.
The PDP bill is India's own law for protecting personal data. It is modelled on the GDPR and is very similar to it, but there are a few differences. The bill was introduced in the Indian Parliament on 11 December 2019 and is still being analysed and revised. It is a big change for India, which previously had no standalone personal data protection law.
Does GDPR compliance cover the PDP? Not entirely. Even though the PDP is very similar to the GDPR and uses it as a template, there are differences in how data may be collected and processed in India.
If you are already GDPR compliant, much of the work needed for PDP compliance in India is already done. The most work falls on companies in India that are not yet GDPR compliant.
One of the biggest differences between the EU data laws and India's PDP is that personal data is divided into three categories: personal data, sensitive personal data and critical personal data.
Each category carries different obligations and reflects a different level of importance. The critical personal data category matters because it has no counterpart in the GDPR and comes with its own terms and conditions, such as a data localisation obligation.
Compared with the GDPR, India also defines sensitive personal data more broadly. Some businesses may have to comply even if they merely process personal data in India and do not collect the data locally.
Splitting personal data into three categories gives a more defined view of what personal data is and what can be done with it. An overview of what falls under each category:
Personal data: characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline
Sensitive data: financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government
Critical personal data: personal data as may be notified by the Central Government to be the critical personal data
Because the third category is new compared with the GDPR, some companies may be required to process and store critical personal data exclusively in India; whether other data may leave the country can depend on government approval or the user's consent.
Companies will have to obtain permission from the Indian government in order to store or process certain categories of data outside India.
Because India is so linguistically diverse, once the PDP comes into effect companies will need to present their terms and conditions to users in multiple languages.
Just like the GDPR, the PDP carries major penalties when data is misused or when a company breaches the data privacy rules. The PDP penalties are similar but differ in a few details:
Processing or transferring personal data in violation of the Bill can attract a penalty of ₹15 crore or 4% of annual turnover, whichever is higher
Failing to conduct a data audit can attract a fine of ₹5 crore or 2% of annual turnover, whichever is higher
Re-identifying or processing de-identified data without consent can attract a fine, imprisonment for up to three years, or both
The PDP also introduces consent managers: a user may give, review or withdraw consent to a company through a consent manager, and a company must honour consent given or withdrawn this way to remain compliant. The GDPR has no equivalent provision.
Under the GDPR a company may retain user data for a longer period in certain circumstances, such as archiving, research or statistical analysis. Under the PDP, user data may be retained for longer only if the user consents or if retention is required to comply with a legal obligation, so a user may need to be able to manage that consent through a consent manager.
Because the PDP bill sorts personal data into three categories, where personal data may be stored or processed depends on its category, and the user (through consent) or the government (through notification and approval) controls that for each category.
A consent management platform such as UniConsent can give consumers full control over data collection, opt-out features and communication preferences, supporting PDP compliance alongside GDPR.