Brace for Impact: DPDPA is about to descend on you

As the notification of DPDPA draws nearer, it is becoming clear that some sectors of industry and business may face serious repercussions if they do not recognise the impact of DPDPA. Though we often speak of the penalty of Rs 250 crores, we do not imply that any organization would be penalised substantially in the near future. But it is essential to understand the risks and brace for impact.

Some of the developments in Delhi indicate that the notification of DPDPA is imminent. This should put every prudent management on alert to understand the risk of non-compliance and the basic requirements for meeting the challenge of DPDPA.

In particular, I recognize some sectors as vulnerable to damage, for different reasons. The first is lack of resources to put in place a good “DPDPA Risk Identification and Management System” (DRIMS). SMEs and MSMEs as a sector, irrespective of the business they are in, could fall into this category. The second is the nature of the organization: those engaged in activities traditionally recognized as service to society, even though in recent years they may have been commercialized. Hospitals, educational institutions and temples can all come under this category.

Under GDPR, Article 91 allows churches and religious associations to continue applying their own existing data protection rules in place of the general regime, provided those rules are brought into line with GDPR. The article states as under:

Article 91: Existing data protection rules of churches and religious associations

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

In other words, GDPR recognizes that churches and religious institutions can continue to regulate their own processing under their own comprehensive rules and be supervised by a specific, independent supervisory authority, provided the rules are aligned with the Regulation and the authority meets the conditions of Chapter VI. While we are not aware whether any such authority has been set up in any EU member state, the provision does exist.

On the other hand, DPDPA does not specifically exempt any religious or charitable organizations from the law.

The complete exemption from DPDPA is provided under Section 17(2) to “notified instrumentalities of the State”. (The same sub-section also exempts processing necessary for research, archiving or statistical purposes, subject to prescribed standards, but that exemption is purpose-based, not entity-based.) The power of such notification, however, is limited to the:

“interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it”.

Hence the Government cannot indiscriminately use Section 17(2) to exempt any data fiduciary from the Act.

The remaining “instrumentalities of the State” come under Section 17(4), where the exemption is limited to Sections 8(3), 8(7), 12(2) (where the data is not used for decision making) and 12(3).

Additionally, under Section 17(3), the Central Government has reserved the right to notify certain data fiduciaries, including start-ups, to which major parts of the Act, such as providing notice, deleting data after completion of the purpose, maintaining accuracy of data, and the right to access, shall not apply.

If, therefore, certain sections of industry consider themselves “vulnerable”, they should either become fully compliant with the Act or seek exemption under Section 17.

Of the exemptions, the one under Section 17(1) is process dependent, not entity dependent. In other words, any data fiduciary can claim it for the processing purposes listed there. The process-based compliance recommended under DGPSI satisfies this need.

Exemptions under Sections 17(2) and 17(3) require a specific notification.

Section 17(4) applies to all “instrumentalities of the State” but exempts only the obligations relating to accuracy and erasure, and the corresponding rights of the Data Principal to correction and erasure.

Section 17(5) is an enabling provision, available for five years from the commencement of the Act, under which the Central Government may by notification declare that any provision of the Act shall not apply to specified data fiduciaries or classes of data fiduciaries for a specified period. It can therefore reach data fiduciaries not covered by Sections 17(1) to 17(4).

Of the several vulnerable sectors, the education sector is considered the most vulnerable, since by tradition it does not focus on information security to the extent other sectors do. Small hospitals, dispensaries and medical consultants may also be considered vulnerable.

These sectors need to organize themselves and undertake “Sectoral Representative Action”. Others, not considered “vulnerable sectors”, can brace for impact with compliance measures under DGPSI.

FDPPI would like to catalyse this as a part of its commitment to society. This will be one of the main objectives of IDPS 2025.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.