Q. Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?
Ans. Companies are becoming increasingly aware of their duties of confidentiality and data protection, though awareness varies across sectors and businesses. Sectors such as banking, telecommunications, the cloud and e-commerce have witnessed data-focused regulatory intervention and are therefore more aware. The emergence of the General Data Protection Regulation (GDPR) has also contributed to this awareness, as Indian companies that are part of multinational groups or are driven toward EU businesses have been evaluating their data protection frameworks to make them GDPR compliant. India was ranked sixth in GDPR preparedness by a Cisco Data Privacy Benchmark study. In 2018, India released its Personal Data Protection Bill, 2018 (PDP Bill) for public consultation, which will replace the existing privacy landscape under the Information Technology Act, 2000 (IT Act). The extended consultation period encouraged many businesses to identify process gaps in their compliance. Businesses are aware that once the PDP Bill is notified, they will need to devote time and resources to manage their exposure.
Q. As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in India?
Ans. With India on the cusp of a new data privacy regime, the risks associated with existing data processing and the related compliance requirements will increase manifold. Most business activities are driven toward customer generation and retention, and therefore the risks will apply across a range of activities.
Companies will not be able to rely on template practices and will have to examine each stage of data processing and its underlying risks.
Click-through ‘I agree’ privacy policies may be replaced with explicit consent requirements for processing sensitive personal data in the form of consent dashboards, or ‘one-time password’ (OTP) based consent. Companies will need to be aware of their transfer obligations, including sector-specific data localisation or entering into agreements with transferees having specific provisions as may be approved by the Data Protection Authority. Under the PDP Bill, the monetary penalties for breaching obligations are calculated based on worldwide turnover and can therefore be significant. The PDP Bill may also include a requirement to post details of data security breaches online. Robust data privacy and security measures are expected by all regulators in matters of public procurement, and ISO standards are insisted upon.
Q. What penalties might arise for a company that breaches or violates data or privacy laws in India?
Ans. Under the IT Act, an individual is entitled to monetary compensation if he or she has suffered any loss attributable to a data breach; however, a data processor is not subject to specific penalties for failure to implement adequate security standards and processes.
Limited precedents exist for application of the compensatory remedy. This is set to change under the PDP Bill. In addition to compensation for individuals, the PDP Bill envisages specific consequences for data fiduciaries. Depending on the nature of the breach, penalties can extend up to US$2m or 4 percent of the total worldwide turnover of the preceding financial year, whichever is greater. Data fiduciaries can also be penalised around US$80 per day for not allowing individuals to exercise their rights for each day of the default, which is capped at a certain value.
They can also be penalised around US$300 for not complying with directions of the Data Protection Authority for each day of the default, capped at a certain value, and around US$150 for each day of the default, capped at a certain value, for not providing the required reports or information.
Q. What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?
Ans. In August 2017, the Indian Supreme Court delivered a landmark decision declaring the ‘right to privacy’ as a fundamental right. This has elevated the status of the ‘right to privacy’, which can now be interfered with only by a specific law and a procedure which is fair, just and reasonable. After this judgment, except for banks, the private sector’s access to biometric information available under the Aadhaar database was struck down. An enablement, however, has now been provided for regulated non-bank entities to use the Aadhaar database for authentication purposes, subject to receipt of approvals and compliance with multiple conditions, including those governing security of the underlying data. The PDP Bill embodies similar principles and imposes data privacy obligations on the private sector and the state, while providing the latter with additional exemptions.
Q. In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?
Ans. Companies have the discretion to determine how they prepare for a potential data security breach. The preparation steps, as well as the level of preparedness, vary depending on the size of the business, the nature of the information being processed, the retention period, the purpose of the data retention or processing, transfer requirements and so on.
We believe the degree of preparation should be aligned with the possible harm that can be caused in the event of a security breach. An ideal preparation checklist should include a standard operating procedure that identifies possible breach incidents and describes remedial actions as per the severity of the breach, identifying teams and personnel responsible for responding to the breach, investigating the cause, protecting unaffected systems, reviewing existing security safeguards, mandatory and frequent transaction monitoring, updates, and backups. There should also be mandatory security audits and rectification measures implemented by responsible personnel, transition plans and risk mitigation measures, including stop gaps on further processing to prevent additional harm, a description of the nature of security incidents that need external or internal reporting, identification of minimum security standards to be implemented by third parties who receive data, and continuous review of existing security processes to identify risks.
Q. What can companies do to manage internal risks and threats arising from the actions of rogue employees?
Ans. Companies should formulate internal data protection policies that describe restrictions applicable to employees’ access to any personal data. Any access to or usage of personal data should be permitted only for trained security professionals on a ‘need to know’ basis. All company systems should be protected with security measures, including encryption to disable the unauthorised access or monitoring of personal data. An employee authentication process should be implemented to prevent any misuse, and to minimise localised, extended access or storage of personal data, to the extent possible. Employees should also be provided with initial and recurrent training to understand company policies and their data protection obligations, including personal exposure for them in the event of any violation. To exhibit compliance, companies should retain records of these training sessions and update their contents, depending on the nature of processing and recent security threats, if any.
Q. Would you say there is a strong culture of data protection developing in India? Are companies proactively implementing appropriate controls and risk management processes?
Ans. The GDPR and judicial precedents have contributed extensively to data privacy awareness among users and businesses in India. This is particularly helpful as even though an extensive data protection framework in the form of the PDP Bill is yet to emerge, data processing and monetisation continues to exist in India and does require some oversight. Until such time as the definitive law is implemented, voluntary compliance with advanced international standards is preferred by mature and large businesses.
Aprajita Rana, Partner
Aman Gera, Senior Associate