UniConsent

Compliant Solution for India’s Personal Data Protection (PDP)

What the Personal Data Protection laws mean for India and the rest of the world. How does PDP compare with the General Data Protection Regulations (GDPR)?

FeaturesGet Started

What the Personal Data Protection laws mean for India and the rest of the world. How does PDP compare with the General Data Protection Regulations (GDPR)?

The Personal Data Protection bill for India could require changes to your data management and is not directly solved with GDPR compliance.

What is the Personal Data Protection Bill (PDP)?

The PDP bill is India’s own law which is to help protect personal data, it is based on the GDPR and is very similar but there are a few differences. The bill first came into the Indian Parliament on 11th December 2019, a first draft is still being analysed and worked on. The PDP bill is a big change for India as they did not have standalone personal data protection laws before.

Will GDPR Compliance make me compliant already? Not likely, even though the PDP is very similar to the GDPR and is used as a template, there are a few differences to how data can be processed and collected within India.

By being compliant with GDPR already, a lot of the work required to be compliant with the PDP in India will already be met. The most work comes for companies within India that are not already compliant with the GDPR.

Differences between PDP and GDPR

One of the biggest differences between the EU data laws and India’s PDP is data has been divided into three categories:

  • Personal data
  • Sensitive data
  • Critical personal data

Each Category is used to outline different regulation and importance of personal data. The Critical Personal Data category is important because it is not currently a part of the GDPR and has its own terms and conditions, such as being obligated to data localisation.

Compared to the GDPR India has focused on a larger area on what constitutes sensitive personal data. Some businesses may have to comply even if it merely processes personal data in India, and doesn’t collect the data locally.

Kinds of Personal Data

With the PDP bill splitting personal data into three categories, there is a more defined approach to what personal data is and what can be done with it, an overview of what counts as personal data between the three categories:

  1. Personal data: characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline
  2. Sensitive data: financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government
  3. Critical personal data: personal data as may be notified by the Central Government to be the critical personal data

With the latter data category being new compared with the GDPR, it means that some companies may be required to only process and store this kind of data exclusively in India, which may rely on government or user consent.

Companies will have to gain permission from the Indian government in order to store or process certain information outside of India.

Requirement for Multiple Languages

Because of how diverse India is, with the PDP coming into effect it will require companies to render terms and conditions in multiple languages for users.

PDP Penalties

Just like the GDPR, it comes with some major penalties for when data is misused or when the data privacy laws are breached by a company. The PDP is similar but comes with a few differences:

  • By processing or transferring personal data in violation of the Bill, that could land a penalty of ₹15 crore of 4% of annual turnover, whichever is higher
  • Failing to conduct a data audit could land a fine of ₹5 crore or 2% of annual turnover, whichever is higher
  • Re-identification and processing of de-identified data without consent, could land a fine or imprisonment for up to three years, or both

What does this mean for user consent?

With the PDP, it focuses on setting up consent managers, requiring a company to use one in order to be compliant, a user may give or withdraw consent through a consent manager whereas no such provision exists under GDPR compared to the PDP bill.

Data retention and management

Under the GDPR a company is allowed to retain user data for a long period of time if it falls under certain circumstances, like being used for archiving, research and statistical analysis. However, the PDP states that user data can be retained for longer stretches of time if the user consents or if required in compliance with any obligation under the law, so the user may have to be able to access such settings through a consent manager, required by the PDP bill.

User consent for data storage and processing

As the PDP bill proposes the use of three categories for personal data, the user or government must be allowed to control where personal data is stored or processed based on the three categories under the PDP bill.

  • Personal data: Can be processed and stored outside India
  • Sensitive data: Should be stored in India and may be transferred outside India for processing, if explicitly consented to by the data principal (user)
  • Critical personal data: Must be stored and processed within India, needs special permission and consent from Indian government

Overall, what does it mean for users and companies?

Users

  • Better privacy for people that are residents of India
  • People’s personal information cannot be collected, processed or shared without their consent and permission
  • An individual’s data can only be used for clear and pre-defined purposes and only necessary data can be collected or monitored
  • People can move their data from one provider to another and ask any organization about the data they have about them. They can also request it to be deleted, and even can withdraw their consent at any time.

Companies

  • They will also need to place limits on data collection, processing, and storage.
  • Companies will need to build technical security safeguards, such as de-identification to prevent an individual’s identity to be inadvertently revealed and also encryption needs to be built-in.
  • They need to immediately inform the regulator in case of any data breach.
  • Sensitive personal data needs to be stored and processed in India and cannot be processed outside of boundaries without the regulator’s approval.
  • The government can ask companies to provide “anonymized” or “non-personal data” for policy-making or other public goods.

Use a consent management platform like UniConsent to offer consumers full control of data collection, opt-out features, manage the preferences communication for PDP compliance together with GDPR.

Comply With Global Privacy Regulations

General Data Protection Regulation (GDPR)

Achieve seamless compliance with the General Data Protection Regulation (GDPR) – the cornerstone of data privacy in the European Union. Safeguard user data and build trust with our comprehensive GDPR compliance solutions.

California Consumer Privacy Act (CCPA)

Navigate the intricate landscape of the California Consumer Privacy Act (CCPA) effortlessly. Our CCPA compliance tools ensure that you adhere to the rigorous data protection standards required for California residents.

U.S. State Privacy Laws

Stay ahead of evolving privacy regulations in the United States. Our platform supports a range of state-specific laws, including CCPA, CPRA, CPA, VCDPA, UCPA, and COPPA, ensuring you remain compliant across all jurisdictions.

California Privacy Rights Act (CPRA)

Embrace the future of data privacy with the California Privacy Rights Act (CPRA). As a pioneering state-level legislation, CPRA empowers businesses to enhance their data protection practices and prioritize consumer privacy.

Colorado Privacy Act (CPA)

Prepare for the Colorado Privacy Act (CPA) with UniConsent CMP. Our solutions help you meet the stringent requirements of this forward-thinking state-level privacy law, ensuring the highest level of data security and compliance.

Virginia Consumer Data Protection Act (VCDPA)

Comply confidently with the Virginia Consumer Data Protection Act (VCDPA). UniConsent CMP provides the tools and expertise to ensure your organization aligns with VCDPA's robust data privacy framework, bolstering trust among Virginia residents.

Utah Consumer Privacy Act (UCPA)

Protect user data effectively with the Utah Consumer Privacy Act (UCPA). UniConsent CMP offers solutions that facilitate compliance with this emerging privacy law, ensuring your business is well-prepared for data privacy challenges in Utah.

Connecticut Data Protection Act (CTDPA)

Guard user information and uphold their privacy rights under the Connecticut Data Protection Act (CTDPA). UniConsent CMP's suite of compliance tools empowers you to navigate this state-level law seamlessly and responsibly.

Children’s Online Privacy Protection Act (COPPA)

Prioritize children's privacy with UniConsent CMP's COPPA compliance solutions. Complying with the Children’s Online Privacy Protection Act (COPPA) is simplified, allowing you to provide a safe online environment for young users.

General Data Protection in Thailand (PDPA)

Adhere to the Personal Data Protection Act 2019 (PDPA) in Thailand with UniConsent CMP. Our expertise in PDPA compliance ensures that your organization can operate confidently and securely in the Thai market while respecting user data privacy.

The General Data Protection Law in Brazil (LGPD)

UniConsent CMP facilitates compliance with Brazil's General Data Protection Law (LGPD). Our solutions empower businesses to meet LGPD's stringent requirements, safeguarding the personal data of individuals in Brazil.

China Personal Information Protection Law (PIPL)

Prepare for the China Personal Information Protection Law (PIPL) with UniConsent CMP. As data protection regulations evolve in China, our platform ensures your organization is well-equipped to handle personal information responsibly and securely.

Protection of Personal Information Act in South Africa (POPIA)

The Summary of Protection of Personal Information Act, POPI Act, POPIA, South African Privacy Law.

India’s Personal Data Protection (PDP)

The Personal Data Protection bill for India could require changes to your data management and is not directly solved with GDPR compliance.

Turkey Personal Data Protection Law (KVKK)

The Summary of Turkey’s Personal Data Protection Law: KVKK.

UK General Data Protection Regulation (UK GDPR)

Achieve seamless compliance with the General Data Protection Regulation (GDPR) – the cornerstone of data privacy in the UK. Safeguard user data and build trust with our comprehensive GDPR compliance solutions.

IAB registered consent manager for GDPRIAB TCF V2 registered consent manager for GDPRIAB TCF Canada registered consent managerGoogle-certified CMP
Trusted by 5000+ of global publishers and marketers
  • sej
  • football365
  • sharethrough
  • districtm
  • pf1
  • tower cast

Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc

Sign up