India’s Ministry of Electronics and Information Technology (MeitY) on 18 Nov 2022 drafted much-awaited Digital Personal Data Protection (DPDP) Bill, 2022 and proposed a new comprehensive data privacy law that will mandate how companies handle data of its citizens, will apply to businesses operating in the country and to any entities processing the data of Indian citizens.
The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.
The draft also proposes that companies only use the data they have collected on users for the purpose they obtained them originally. It also seeks accountability from the firms that they ensure that they are processing the personal data for the users for the precise purpose they collected it.
India Data Story - Aadhar Card
Aadhaar is a 12 digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India. The number serves as a proof of identity and address, anywhere in India.
The UIDAI is collecting basic data fields in order to be able to establish identity– this includes Name, Date of Birth, Gender, Address, Parent/ Guardian’s name essential for children but not for others, mobile number and email id is optional as well . The idea initially behind Aadhar was to use it mainly for social welfare programs to identify leakages, to identify ghost beneficiaries and to weed them out and to make social welfare schemes more efficient.
Over time, what happened was that its use was expanded to other purposes which are not social welfare purposes, such as, say doing your customer norms for telephones, for linking your PAN numbers to your bank accounts and so on.
Now almost all companies, small businesses like real estate companies, hospitals, banks, insurance companies,auto dealerships, marketing agents collect data. They are collecting data in different wayse.g. Restaurants who collect your phone numbers so that they can, you know, give you a goodie on your birthday. Bank and Insurance companies collect data to enroll customers,etc.
Why DPDP needed?
Data is the Oil of the Digital Age. Companies gather data about a person’s online behavior, what people are doing, buying, eating, and so on. This data now powers the new age of AI. But now it is time to protect their personal data and the need to process personal data for lawful purposes.
The road ahead -
Data Protection Strategy:
- Appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India.
- Data Encryption in Transit and Data Encryption at Rest strategy
- Identify privacy that would apply to each context lke bank, finance,health records
- Design backend systems for actually collecting that consent
- Create a categorization for different categories of data - Personal data, sensitive personal data
- Design an access system and policy for personal data security
- Create Standard Operating Procedures for the execution of personal data security activities
Data Protection Officer
A data protection officer is responsible for overseeing an organization’s data protection strategy and implementation.
Data Protection Implementation:
- Implement Data Encryption in Transit and Data Encryption at Rest
- Encrypt all personal data after being processes
- Implement Data Isolation and Protection
- Get your consent forms in order
- Implement granular opt-in
- Make sure users can easily withdraw their consent
- Implement DND and DNC system
- Erase unsubscribed user data
- Implement Data Linegae
No comments:
Post a Comment