What the Personal Data Protection laws mean for India and the rest of the world. How does the PDP compare with the General Data Protection Regulation (GDPR)?
India's Personal Data Protection Bill may require changes to how you manage data, and GDPR compliance alone does not satisfy it.
What is the Personal Data Protection Bill (PDP)?
The PDP Bill is India's own law to protect personal data. It is modelled on the GDPR and is very similar to it, but there are a few differences. The bill was first introduced in the Indian Parliament on 11th December 2019, and the first draft is still being analysed and revised. The PDP Bill is a big change for India, which previously had no standalone personal data protection law.
Will GDPR compliance make me compliant already? Not likely. Even though the PDP is very similar to the GDPR and uses it as a template, there are a few differences in how data may be collected and processed within India.
If you are already GDPR compliant, much of the work required for PDP compliance in India will already be done. The most work falls on companies within India that are not yet GDPR compliant.
Differences between PDP and GDPR
One of the biggest differences between the EU data laws and India's PDP is that data has been divided into three categories:
- Personal data
- Sensitive data
- Critical personal data
Each category carries its own regulations and reflects the importance of the personal data it covers. The Critical Personal Data category matters because it has no equivalent in the GDPR and comes with its own terms and conditions, such as mandatory data localisation.
Compared with the GDPR, India has defined sensitive personal data more broadly. Some businesses may have to comply even if they merely process personal data in India and do not collect the data locally.
Kinds of Personal Data
Because the PDP Bill splits personal data into three categories, there is a more defined approach to what personal data is and what can be done with it. An overview of what counts as personal data in each of the three categories:
- Personal data: characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline
- Sensitive data: financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government
- Critical personal data: personal data as may be notified by the Central Government to be the critical personal data
Because the latter category is new compared with the GDPR, some companies may be required to process and store this kind of data exclusively in India, subject to government or user consent.
Companies will have to obtain permission from the Indian government to store or process certain information outside India.
Requirement for Multiple Languages
Because India is so diverse, once the PDP comes into effect companies will be required to provide their terms and conditions in multiple languages for users.
Just like the GDPR, the PDP comes with major penalties when data is misused or a company breaches the data privacy law. The penalties are similar but differ in a few ways:
- Processing or transferring personal data in violation of the Bill could result in a penalty of ₹15 crore or 4% of annual turnover, whichever is higher
- Failing to conduct a data audit could result in a fine of ₹5 crore or 2% of annual turnover, whichever is higher
- Re-identifying and processing de-identified data without consent could result in a fine, imprisonment for up to three years, or both
What does this mean for user consent?
The PDP focuses on setting up consent managers and requires a company to use one in order to be compliant. A user may give or withdraw consent through a consent manager; no such provision exists under the GDPR.
Data retention and management
Under the GDPR a company may retain user data for a long period in certain circumstances, such as archiving, research and statistical analysis. The PDP instead states that user data may be retained for longer only if the user consents or if retention is required to comply with a legal obligation, so users may need to be able to reach such settings through the consent manager the PDP Bill requires.
User consent for data storage and processing
Because the PDP Bill proposes three categories of personal data, the user or the government must be able to control where personal data is stored and processed, depending on its category:
- Personal data: Can be processed and stored outside India
- Sensitive data: Should be stored in India and may be transferred outside India for processing, if explicitly consented to by the data principal (user)
- Critical personal data: Must be stored and processed within India; any exception needs special permission and consent from the Indian government
Overall, what does it mean for users and companies?
- Better privacy for people that are residents of India
- People’s personal information cannot be collected, processed or shared without their consent and permission
- An individual’s data can only be used for clear and pre-defined purposes and only necessary data can be collected or monitored
- People can move their data from one provider to another and ask any organization about the data they have about them. They can also request it to be deleted, and even can withdraw their consent at any time.
- Companies will also need to place limits on data collection, processing, and storage.
- Companies will need to build in technical security safeguards, such as de-identification to prevent an individual's identity from being inadvertently revealed, and encryption.
- Companies need to inform the regulator immediately of any data breach.
- Sensitive personal data must be stored and processed in India and cannot be processed outside its borders without the regulator's approval.
- The government can ask companies to provide "anonymized" or "non-personal data" for policy-making or other public goods.
Use a consent management platform such as UniConsent to give consumers full control over data collection and opt-out features, and to manage communication preferences, for PDP compliance alongside GDPR.