IntSights comments on India’s revision of its data protection bill
Chris Strand, Chief Compliance Officer at threat intelligence firm IntSights, comments on the news that India is looking to revise its current personal data protection bill in a joint parliamentary committee; the bill is similar to the European GDPR.
“In regard to India’s pending release of the data protection bill, there are two points that are of immediate concern when considering the security of individual data, particularly for newly developed replacement applications where GDPR can provide some clarity:
Firstly, the definition of data ownership is one of the distinguishing differences that stood out in India’s protection act. This would definitely come into play when considering the development of home-grown, new multi-jurisdictional applications. This is one area that can greatly affect the degree to which security parameters can be mandated or enforced upon the protection of that data, and the potential exposure of data based on its purpose and determined lifecycle. For example, the definition of “right to be forgotten” or “right to erasure” of the data subject (GDPR) or data principal (PDPB) is well laid out within the GDPR. GDPR outlines very specific parameters on the data subject’s right to request the deletion of personal data and grants the right directly to data subjects who, in turn, direct a request for deletion to the data controller. The original draft of the PDPB shows that citizens had not been given the proper attention and instead puts more responsibility and rights in the hands of the adjudicating officers or DPA (Data Protection Authorities). This can represent a lack of control over one’s data that could cause concern for the outcome of how it’s used within any application.
The parameters around notification and informing the data subject are a key difference in the requirement on breach notification between the GDPR and the PDPB that is of real concern. In its current form, the PDPB fails to outline the notification time of a breach of personal data. GDPR has a well-defined breach notification section that controllers must follow when developing applications that handle personal data. The differences between definitions in the GDPR and the PDPB could create a significant gap in the security of personal data that’s being utilised and fed into newly developed applications, as it could have the effect of de-emphasising the enforcement of SLAs that application vendors are normally required to meet in the event of a breach of data.”