Summary of Personal Data Protection bill (PDP bill)
The Indian parliament, recognizing the need to protect its citizens’ data as part of the fundamental right to privacy, introduced the Personal Data Protection (PDP) Bill in 2019. The growth of the digital economy also created the need for this bill. The bill primarily aims at protecting individuals’ personal data. It does so by regulating the collection, usage, and processing of that data by the entities that benefit from it. The bill applies to all sectors and categories of industry. Non-compliance with the bill will be met with stiff penalties and fines.
Does PDP apply to your organization?
PDP was drafted to instil a culture that nurtures a just digital economy centred on respecting the privacy of each individual’s personal information. This bill applies to:
- the processing of personal information within Indian territory, and processing by the State or by any Indian company, citizen, individual or body of individuals that falls under Indian law.
- the processing of personal information outside Indian territory as well, if it is connected with a business that is run in India and collects or processes data within Indian territory.
Where will non-compliance take your business?
Non-compliance with the PDP bill can cost organizations a fine of up to INR five crores or two percent of their total global turnover of the previous financial year, whichever is higher.
The PDP bill lets the data principals rule the roost. It urges businesses and organizations to comply with a set of rules that benefit the data principals.
A data principal is the natural person to whom the personal data relates. A data fiduciary is any person, including the State, a company, any juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of the processing of personal data.
Below are a few key clauses under the regulation:
- Right to confirmation and access
The data principal has the right to obtain the following from the data fiduciary:
  - a confirmation that the data fiduciary is processing or has processed the data principal’s data.
  - a clear, concise and comprehensible summary of the data, or the data itself, that the fiduciary is processing or has processed about the data principal.
  - a summary of the data processing activities performed by the fiduciary (which must be provided to the data principal in a comprehensible format).
Kogni can help organizations comply with this clause. Anytime a data principal requests to access their data, the data fiduciary leveraging Kogni’s services can pull the data up instantly from all available data sources.
- Right to correction and erasure
The data principal has the right to:
  - correct any inaccurate or misleading personal data
  - complete any incomplete personal data
  - update any personal data that needs to be updated
  - erase any personal data that is no longer necessary for the intended purpose
If the data fiduciary does not comply with the data principal’s request for correction, completion, updating or erasure of the personal data, the data fiduciary shall provide the data principal with adequate justification for rejecting the request.
If the data fiduciary corrects, completes, updates or erases the data principal’s data upon their request, the data fiduciary must also notify all relevant organizations or individuals with whom the personal data was shared about the action.
Anytime a data principal exercises their right to deletion, correction, completion or updating of their data, data fiduciaries that use Kogni’s services can instantly collect the data from all available sources and comply with the clause well ahead of the stipulated duration.
- Right to data portability
If the data has been processed using automated means, the data principal has the right to:
  - request and receive the processed personal data in a structured, commonly used and machine-readable format
  - transfer the personal data to another data fiduciary
- Right to be forgotten
The data principal has the right to restrict or prevent the continuing disclosure of their personal data to a data fiduciary in the following events:
  - if the personal data has served its intended purpose of collection
  - if the personal data is no longer necessary for its initial intended purpose
  - if the personal data was collected with the data principal’s consent and the consent is later withdrawn
  - if the personal data was gathered and/or processed without the data principal’s consent or in contradiction with the provisions of the act
Other general rights that data principals possess:
- The data principal shall submit a written request to the data fiduciary, including the necessary information such as proof of identity, and the data fiduciary shall acknowledge receipt of the request within the duration specified under the act.
- For complying with the data principal’s request, the data fiduciary may charge a fee as specified under the act.
- If the data fiduciary does not comply with the data principal’s request, it shall convey this to the data principal in writing, with adequate justification, within 30 days of receipt of the request.
How can Kogni help?
Knowing where sensitive data is located and properly governing it with policy rules and impact analysis is critical for compliance, audits and risk management. Kogni, the world’s leading data privacy and security product, helps solve all of these challenges. Its data-centric discovery tools enable data fiduciaries to discover sensitive data in enterprise data sources, secure data as it is ingested, and continuously monitor data sources for possible breaches and policy violations. With automatic sensitive data discovery, Kogni is uniquely positioned to help entities adhere to the PDP bill within an accelerated time frame.
Kogni’s Sensitive Data Explorer helps data fiduciaries identify further context around the data in terms of location, whether it is in the cloud, on-premise or controlled by a third party. This feature comes in handy when a data principal exercises their right to access their personal information or requests its deletion.
Entities are also able to utilize the built-in data security capabilities in Kogni to further protect that data manually or automatically through encryption, hashing, anonymization, and tokenization.
When it comes to protecting data, organizations need to view it as an established component of their security and privacy program. Using less comprehensive tools is no longer a feasible alternative and it is time to take into account all aspects of an organization’s data handling processes. Organizations trying to address the myriad security and privacy regulations around data should consider a comprehensive data security product like Kogni. Products like Kogni help you navigate the complex data security and privacy regulation landscape.