Kris Gopalakrishna Committee (KGC) has defined a new line of Business Activity called “Data Business”. It has also suggested a new regulatory authority and a comprehensive regulation on collection , storage, processing and managing of data.
This proposition is a highly significant recommendation that could be a game changer in the industry.
While Personal Data Protection Act itself is a gold mine of opportunity, yet to be realised, the Data Business suggested by KGC will be another major development that holds lot of promise for those business entities which have the right long term vision.
To put it simply, while every business uses data for it’s internal purpose, over a period some companies acquire so much of data where data management itself can become a business opportunity and law recognizes it as a business to be regulated.
KGC recommends that entities who process large quantities of data have to be recognized as being in “Data Business” irrespective of their core business. At this stage KGC recommends that the “Data Business” should be regulated separately by a regulator with various regulatory measures such as regulating collection, storing, processing and sharing of Personal data, as being addressed in a personal data protection act.
We can therefore expect a mirror image of the PDPA in the form of “Data Governance Act” (DGA) which regulates the “Non Personal Data”.
This business will be an independent industry sector and cuts across different industry sectors regulated by sectoral regulators.
“Data Business Discovery” is an important milestone for industries when they will be required to register with the regulator and become compliant with the law.
The idea suggests that “Companies who are today not recognized as either a Personal Data Company or even an IT Company may suddenly find themselves as a Data Business company” and would be subjected to new regulations.
Some of the “Data Business Companies” may also be “Personal Data Fiduciaries/Processors” under the PDPA.
Such companies may simultaneously also be “Non Personal Data Fiduciaries/Processors”.
In such cases, the Company will have with one set of regulations under PDPA being managed by a Data Protection Officer and another set of regulations under DGA managed by a Data Governance Officer (DGO).
We will therefore have DPOs and DGOs as new designations for professionals in many companies.
While DPOs will have more people from the IT/IS background, DGOs will have more from the MBA type who have to manage Data as an asset and ensure that after giving away the Personal data to the custody of the DPO, manage the Non Personal Data for the company’s benefit under the new regulation.
Just as some of the CEOs were feeling relieved after appointing a DPO and entrusting him with the responsibilities of Personal Data Protection, they are suddenly confronted with the Data Governance Act which needs to be managed by a DGO failing which there could be adverse consequences.
At this time we donot know what would be the compliance requirements and consequences of non compliance but we can definitely expect that the regulations will have some teeth of its own for industries to contend with.
The Data Business companies will be required to share some data with the Government and negotiate with the Government if any price can be extracted. IoT companies and service organizations in Smart City projects will have a wealth of data which can be packaged and converted into value products.
AI and Big Data companies will have to contend with the regulatory measures that may define the do’s and dont’s and make the industry interesting.
The ISPs and MSPs will be another set companies who will be prominent players “Data Business” with a collection of “Meta Data” that would be considered “Non Personal Data”.
Technology people will have a lot to work on Differential Privacy and Anonymization with related professional opportunities.
All in all the concept of “Data Business” is exciting and we look forward to a new world of opportunities opening up.
(To Be Continued)