What is the Personal Data Protection Bill?
In 2018, India approved the Data Protection Bill which proposes a legal framework to protect the autonomy of individuals regarding their personal information, and to specify the rights of individuals whose personal data are being processed and stored. The new regulation will be added to the existing laws in order to strengthen India’s position regarding data protection but no official date of enforcement has been released yet.
It comes as no surprise that thousands of local and international companies from various sectors will need to find new data protection tools in order to comply with the new laws and protect customer’s sensitive information. The Indian regulatory body will allow for penalties of up to $730 000 or 2% of company’s global turn-over for failing to protect data including sensitive personal information as well as up to 3 years of imprisonment.
Requirements
Right of Access to Data / Copies of Data:
The law stipulates that the body corporate or anyone must allow data subjects to access and review the personal information they have provided. However, the law does not explain the procedures data subjects must follow in order exercise their right.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right of Deletion / Right to Be Forgotten:
Data subject are allowed to access the personal information they have provided in order to ensure that every information that is inaccurate can be corrected or amended. Organizations must obtain written consent from data subjects regarding the usage of the personal information they provided.
How SecuPi Helps:
On the application level, SecuPi redacts information on customer who requested to be forgotten (referred to as “logical deletion” ). On the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that both the personal data is anonymized, as well as randomized on different databases, to prevent correlation of the same anonymized value between different data sets.
Right to Object and Restrict Processing:
The law states that during the pendency of request for removal of the data subject’s personal information, the data controller and data processor must stop processing the specific information but are not restricted to collect or store the personal data.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Withdraw Consent:
The new bill gives the right to seek removal of personal information from the data controller if an individual has withdrawn his consent.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request). Using Dynamic Masking and redaction, SecuPi can disable access to data subjects where consent wasn’t given or where the customer requested to restrict processing of personal data.
Breach Notification:
The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Cert-In Rules”) require obligatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents.
How SecuPi Helps:
In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed and breached, and significantly shorten the reporting time, while providing accurate and accountable information. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
