India is planning to pass a law on Privacy and Data Protection, and the Bill, titled Data Protection Act 2021 (DPA 2021), is pending in the Parliament. The Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019). A Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised the PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in the Parliament and for being passed into law.
Like all laws that have a significant impact on society, DPA 2021 has been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, which has created uncertainty in the minds of industry professionals about whether the law will be passed and whether it is desirable. This has resulted in many organizations delaying the implementation of their compliance programs.
We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of the ITA 2000. Several Courts have taken cognizance of the Bill and incorporated the provisions in their decisions. Prudent Companies therefore think that the time for compliance has already come, and that the time up to the actual passage of the Bill, together with any further implementation time that may be provided therein, is a cushion against being held liable to the potential penalties envisaged in the Act for non-compliance.
FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance ecosystem in India. Since 2018, FDPPI has been engaged in outreach programs to build awareness of Privacy and Data Protection concepts, and in the development of professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of the “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of the Data Protection compliant environment in India.
During the pandemic, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.
As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.
In this series, FDPPI conducted one program in Bangalore in association with Indo American Chamber of Commerce (IACC) on 04th March, 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.
During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.
FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.
The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.
Recognizing the difficulties that arise when implementing one law applying equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” that meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made Compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance to different sectors and would help in reducing the pain of compliance.
FDPPI, however, is a Not-for-Profit organization, and its bandwidth to conduct the outreach programs in different locations is dependent on the partner organizations. Presently we are working with organizations like IACC and ISACA, which have a presence in multiple locations. However, we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector specific codes of practice.
Come, Let’s together bring about a Data Protection Revolution in the country.