By 9 August 2023, both houses of Parliament had approved the ‘Digital Personal Data Protection Act 2023’, paving the way for it to become India’s new data privacy law once it is brought into force. The act regulates the processing of digital personal data in India and increases the obligations on businesses to exercise closer and more comprehensive oversight of their data processing and data protection measures. The date on which the act will come into force is yet to be notified.
Consent and Notice:
Businesses are required to give the Data Principal (DP) an itemised notice, in clear and plain language, describing the personal data they seek to collect and the purpose for which it will be processed, so that the DP can give consent that is free, specific, informed and unambiguous, and limited to the specified purposes. The notice must be available in English, with the option to read it in any language listed in the Eighth Schedule of the Constitution [Sections 5(3) and 6(3)].
The privacy notice must be presented prominently to the DP at the time consent is obtained and before any processing of PI begins.
Businesses are required to put in place the technical infrastructure needed to discharge their duties under the act efficiently, including the means for DPs to exercise their rights to withdraw consent and to have their PI corrected or erased.
The act also allows Data Fiduciaries to process PI without separate consent for ‘certain legitimate uses’ (Section 7; the 2022 draft bill had called this ‘deemed consent’). Examples include employment-related purposes and processing for a specified purpose for which the DP has voluntarily provided the PI.
The act also provides for ‘Consent Managers’ (defined in Section 2(g) and governed by Sections 6(7) to 6(9)): persons registered with the Board who are accountable to, and act on behalf of, the DP as a single point of contact through which the DP can give, manage, review and withdraw consent via an accessible, transparent and interoperable platform. Businesses will need to build secure technical integrations with such Consent Managers in order to remain compliant and to share data with them safely.
For example, the banking sector already has its own form of consent manager for data sharing and consent management in the Account Aggregators regulated by the RBI.
The act establishes a breach notification requirement for Data Fiduciaries (DFs): in the event of a ‘personal data breach’, the DF must notify each affected DP and the Data Protection Board of India (Board), which is established by the Central Government for the purposes of this act.
‘Personal data breach’ is defined in the act as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
The definition is wide enough that an incident such as the loss or theft of an employee’s laptop containing third-party PI qualifies as a data breach. Businesses will need to put in place the personnel, breach notification procedures and information security management systems required for compliance, which is likely to increase the cost of compliance.
A business acting as Data Fiduciary may engage a Data Processor to process PI on its behalf only under a valid contract (Section 8(2)), and it remains responsible for compliance regardless of that engagement. Where a Processor in turn sub-contracts part of the processing, the same contractual controls should flow down to the sub-contracted Processor.
Processing of Children’s Data:
Businesses will need to establish processes for obtaining verifiable parental consent before processing the PI of any individual below the age of 18. They must also refrain from tracking or behavioural monitoring of children and from advertising targeted at them.
Businesses are expected to stop retaining PI once the purpose for which it was collected has been served and retention is no longer necessary for legal or business purposes. Alternatively, businesses may modify the PI so that it can no longer be associated with the DP (data anonymisation).
Businesses will need to erase PI on request from the DP unless retention is necessary for the specified purpose or for compliance with law (right to correction and erasure, Section 12).
Significant Data Fiduciaries:
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary on the basis of an assessment of relevant factors, including the volume and sensitivity of the personal data processed, the risk to the rights of DPs, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order.
Significant Data Fiduciaries (SDFs) will be required to appoint a Data Protection Officer who is based in India and is responsible to the Board of Directors or similar governing body; SDFs will also need to appoint an independent data auditor, undertake periodic data protection impact assessments and be audited periodically.
The act applies to the processing of digital personal data within the territory of India, whether the PI was collected in digital form or collected in physical form and subsequently digitised. It also applies to businesses based outside India that process PI in connection with offering goods or services to Data Principals within India. A ‘Data Principal’ is defined in the act as “the individual to whom the personal data relates and where such individual is a child, includes the parents or lawful guardian of such a child”.
Once the act is brought into force, its practical implications for businesses include the following key aspects to start looking into:
Management must be aware of these heightened obligations and empower every business unit that touches personal data (IT, Legal, HR, among others) to review and update their IT, data protection, data retention and cybersecurity policies. Businesses will need processes and safeguards for handling and protecting personal information; procedures for consent withdrawal, correction, erasure and grievance redressal; and mechanisms for providing information to DPs, all of which also serve to reduce exposure to data breach incidents.
Board-level obligations around data protection and cybersecurity can no longer be ignored or delegated wholesale to IT departments. C-suites are being held accountable worldwide for ensuring that data protection procedures are up to standard. This act reiterates and enforces the same expectation in India, significantly increasing the consequences of a data breach involving personal information.
Risk transfer considerations to mitigate and minimise losses:
Given the persistent and ever-evolving nature of cyber and data breach incidents, organisations need to recognise that while investment in data protection and cybersecurity is critical, it can only reduce exposure; it cannot eliminate the risk. An organisation’s cybersecurity is only as strong as its weakest link, so boards should seriously consider strengthening the “Recover” component of their cyber risk management strategy.
Organisations should invest in conducting impact assessments (also required of SDFs by the act, Section 10(2)(c)) not only from the customary operational and legal standpoint but also as a loss quantification exercise to estimate the likelihood and severity of losses from privacy breach and network outage incidents. Planning and testing effective incident response plans and business continuity plans is a crucial part of the “Respond” and “Recover” functions. This would help boards set priorities for spending on cybersecurity measures and consider ways to transfer forecast losses that exceed their risk tolerance.
Given this regulatory development in India, cyber risk insurance should be a critical component of an organisation’s cyber loss recovery and risk transfer strategy. Cyber risk insurance programmes have been shown to enhance the incident response capability of insured organisations through claims expertise and access to incident response resources, in addition to indemnifying the costs of incident response (forensic investigation, data reconstitution, notification, credit monitoring and public relations) and covering damages legally payable for data privacy breaches, network security liability and the regulatory consequences of a data breach.
WTW is a leading innovator in addressing the changing risk landscape through cyber analytics solutions and services designed to help organisations mitigate the many risks they face today. Our holistic approach to cyber risk management, comprising proprietary cyber risk assessment and cyber loss quantification solutions, helps organisations understand their exposures through a scientific and analytical approach and make informed decisions on risk management and risk transfer (cyber insurance).