Data protection obligations for processing personal data

The Draft Personal Data Protection Bill, 2018, was released on July 27, 2018, by the committee of experts under the chairmanship of Justice BN Srikrishna. The same was approved by the Union Cabinet on December 4, 2019, and will be introduced soon in parliament.

It is still unclear if the approved Bill has been tweaked. While the revised copy of the Bill is yet to be released, the draft released earlier lays down certain obligations on the data fiduciary for processing personal data. These include:

Fair and reasonable processing: The data fiduciary must process personal data in a fair and reasonable manner that respects the privacy of the data principal.

Purpose limitation: The purpose of processing the data must be clear, specific and lawful. Personal data must be processed only for the specified purpose.

Collection limitation: The collection of personal data shall be limited to the data that is necessary for the purposes of processing.

Lawful processing: The ground of processing should only be based on lawfulness of processing the personal data. Grounds for processing the data include consent, functions of state, compliance with law or order of court/ tribunal, for prompt action in case of emergencies, purposes related to employment or reasonable purposes of the data fiduciary.

Notice: Provide a fair and transparent notice that is easily comprehensible to a reasonable person and in multiple languages where necessary while collecting their data describing the collection, use, access, storage, disclosure, security of the personal data along with the choice and their rights. This should be applicable for both online and offline collection mediums. 

Data quality: The data fiduciary shall take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, with respect to the purposes for which it is processed.

Data storage limitation: The data fiduciary shall retain personal data only if reasonably necessary to satisfy the purpose for which it is processed. However, personal data may be retained for a longer period if such retention is explicitly mandated, or necessary to comply with any obligation, under a law. The data fiduciary must undertake periodic review to determine whether it is necessary to retain the personal data in its possession. Where it is not necessary for personal data to be retained by the data fiduciary then such personal data must be deleted in a manner as may be specified.

Accountability: The data fiduciary shall be responsible for complying with all obligations set out in the Bill in respect of any processing undertaken by it or on its behalf. The data fiduciary should also be able to demonstrate that any processing undertaken by it or on its behalf is in accordance with the provisions of the Bill.

The Bill brings about a lot of significant changes to the existing data privacy regime in India. This means that organisations will be required to reassess the nature and quantum of personal data which they collect, store, process and their current practices. Complying with these obligations will indicate that the data fiduciaries have adhered to the best practices.

Vidur Gupta is partner, advisory services at EY India. The views in this article are his own.

Vidur Gupta