As India is moving towards it first data privacy bill, this presentation attempts to give you an overview of the emerging law.

1. PERSONAL DATA PROTECTION
BILL

2. 2
APPLICABILITY
Processing of personal data:
• Where such data has been collected, disclosed, shared or
otherwise processed within the territory of India; and
• by any Indian company, any Indian citizen or any person or
body of persons incorporated or created under Indian law.
The PDPB does not apply to processing of anonymised data.
PDPB shall apply to data fiduciaries or data processors not present
within the territory of India, only if such processing is:
in connection with any business carried on in India, or any
systematic activity of offering goods or services to data principals
within the territory of India;
or in connection with any activity which involves profiling of data
principals within the territory of India.
Remarks:
 If personal data of foreign nationals is shared with an Indian
Company to comply with management/statutory reporting
requirement, PDPB shall not apply to such foreign company.
 If personal data of a person is anonymised through an
irreversible process, such that the person cannot be identified,
PDPB shall not apply.

3. 3
TRANSITIONAL PROVISION
The Act once notified, a period of 12 months thereto is prescribed
for notifying various Rules and Regulations thereunder.
The Data Protection Authority (DPA) will be constituted within a
period of 15 months from enactment of the Act.
DPA is conferred with the powers to issue code of practice on
various principles of data protection obligations and to notify
exceptional grounds for processing personal data without seeking
consent.
The Act once notified, various provisions will come into effect
within a span of 1 to 2 and a half year.
Remarks:
 Although the Bill has prescribed a transition period, the
penalties prescribed are quite onerous and are almost at par
with GDPR of EU. Further after the landmark judgement of
Supreme Court recognising privacy as fundamental right, it is
imperative for the organisation to re-look at its systems and
processes while the law is being enacted.
OVERRIDING EFFECT OF THIS ACT
In event of any inconsistency, PDPA will have an overriding effect
over any other laws.
The said laws will also rescind the existing the Information
Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011.

4. 4
GROUNDS FOR PROCESSING OF PERSONAL DATA
Remarks:
 Except the events stated herein above in the diagram, consent is a
pre-requisite before processing personal data. The consent has to
qualify all the attributes of sec. 12 of PDPB.
 The burden of proof to establish that a valid consent was given by
the individual is on the data fiduciary.
 In the event an individual, who is a party to a contract withdraws
consent to processing of his personal data, which is necessary to
performance of a contract, all legal consequences arising out of
such withdrawal has to borne by the respective individual only.
 The Bill explicitly states that consent is not essential to processing
of personal data of an employee in relation to employment.
However, processing of sensitive personal data in relation to
employment may require explicit consent of the employees,
currently there is an ambiguity on this aspect and clarification is
being sought.
 In the event of corporate restructuring events such as mergers
and acquisitions, prevention and detection of frauds, network and
information security measures, etc., given the fact these purposes
are reasonable purpose and seeking consent wouldn’t be a viable
option, DPA will issue a list of such purposes along with the
security measures company should ensure thereto.
PERMISSIBLE PROCESSING
Basis
Consent
Function
of the
State
Compliance with law or
compliance with any
order of the court or
tribunal
In case of
emergency
In relation to
employment
For
reasonable
purposes
Consent is not a pre-requisite in such events.

5. 5
PROCESSING THROUGH CONTRACTORS/SUB-CONTRACTORS
A Company can process personal data of an individual through
contractor/sub-contractor strictly only on execution of a valid
contract.
The contract so executed should restrict the vendor from further
engaging a sub – contractor unless expressly agreed by the
Company in the contract.
The purpose for processing such data should be solely
determined by the Company.
Remarks:
 It is imperative to bind the contractor with obligation to
protect and treat the data as confidential. It is also important
to ensure that the liability of the contractor in the event of
breach is not capped and unlimited, further the Company
should also have indemnity right.

6. 6
CROSS-BORDER TRANSFER OF PERSONAL DATA
Cross- border transfer of personal data will be allowed only
pursuant to standard contractual clauses or intra- group scheme
duly approved by Authority.
PDPB mandates storage of one copy of the personal data to whom
the Act applies, on a server maintained in India.
The Authority will notify list of critical data which mandatorily
needs to be maintained only in India.
Central Government may notify few exemptions to the above.
Remarks:
 On account of increasing instances of fraud/scams, recently
RBI vide its circular dated 6th April, 2018 has mandated
maintenance of all payments system within India latest by 15th
Oct, 2018. While there are multiple re-presentations to the
Government on the matter, RBI haven’t relaxed the condition
yet and in the interim the Bill aswell now mandates
maintenance of one copy of the personal data being processed
outside India, in India. It is imperative for the organisations
maintaining personal data of individuals outside India to
review their processes and system.

7. 7
TRANSPARENCY AND ACCOUNTABILITY MEASURES
Remarks:
 Actions listed in Group B are required to be complied only by
such class of data fiduciary and significant data fiduciaries as
may be notified by Data Protection Authority.
PRIVACY BY
DESIGN
•The
management,
organisational
practices
should be
aligned to the
interest of the
Data
Principals.
TRANSPARENCY
•The purpose
and operation
involved in
processing is
required to be
disclosed to the
Data Principals
SECURITY
SAFEGUARDS
•Organisation
should take
appropriate
security
measures to
protect the
integrity of
the data.
PERSONAL
DATA BREACH
•Depending on
the severity of
the harm
caused, the
Data Principal
is required to
be initiated.
GroupA
DATA PROTECTION
IMPACT
ASSESSMENT
• Before
undertaking any
new processing
activity or
technological
change or large
scale profiling
or use of SPD,
Company
mandatorily has
to undertake
Data Impact
Assessment
RECORD KEEPING
• Company need
to maintain
complete
record of end -
to end data
processing
activity for such
period as may
be notified by
the Authority.
DATA AUDITS
•Company has
to get its
processes
involved in
processing of
personal data
audited by an
independent
data auditor
annually.
DATA PROTECTION
OFFICER
• A DPO needs to
be appointed
who can guide
the Company in
relation to its
obligation
arising out of
PDPA.
• The aforesaid
role can be in
addition to any
other role
played by the
DPO.
GroupB

8. 8
RIGHTS OF DATA SUBJECT
Remarks:
 An application has to be made to the Company in writing for
exercise of any of the said rights.
 If Right to be Forgotten is exercised by an individual, however
there exist a dispute or company envisage a litigation,
regulatory enquiry or is required to maintain the data until the
stipulated statutory period, in such events Company can refuse
eraser of data to the person concerned in writing.
 Company is required to have in place a robust grievance
redressal mechanism in place. A DPO so designated or an
officer authorised for this purpose should be the point of
contact for the data principals.
 The grievance if raised has to be resolved within a period of 30
days, if not resolved or not satisfactorily resolved data
principal has a right to file a complaint with adjudicating wing.
POWERS VESTED WITH THE AUTHORITY
The Authority is vested with the power to call for information,
conduct inquiry, search and seizure.
Rights of
Data
Subject
Right to
correction
Right to
Data
Portability
Right to
confirmation
and access
Right to
be
forgotten

9. 9
DATA PROTECTION OBLIGATIONS
Remarks:
 An application has to be made to the Company in writing for
exercise of any of the said rights.
 If Right to be Forgotten is exercised by an individual, however
there exist a dispute or company envisage a litigation,
regulatory enquiry or is required to maintain the data until the
stipulated statutory period, in such events Company can refuse
eraser of data to the person concerned in writing.
 Company is required to have in place a robust grievance
redressal mechanism in place. A DPO so designated or an officer
authorised for this purpose should be the point of contact for
the data principals.
 The grievance if raised has to be resolved within a period of 30
days, if not resolved or not satisfactorily resolved data principal
has a right to file a complaint with adjudicating wing.
Fair and
reasonable
processing
Purpose
limitation
Collection
limitation
Lawful
processing
Notice Data Quality
Data Storage
Limitation
Accountability

10. 10
PENALTIES
PROVISIONS PENALTY
 Failure to take prompt action in
response to data security breach
 Failure on the part of significant
data fiduciary:
 To undertake data protection
impact assessment
 To conduct data audit
 To register with the Authority
Up to 5 Crs. Or 2% of the
worldwide turnover of the
preceding financial year,
whichever is higher
 Processing of personal data
against the data protection
obligation principles
 Processing of personal data not
in accordance with the grounds
of processing as provided under
the law
 Processing of sensitive personal
data not in accordance with the
grounds of processing as
provided under the law
 Failure to adhere to the security
safeguards
 Transfer of personal data in
violation of the Act
Up to 15 Crs. Or 4% of the
worldwide turnover of the
preceding financial year,
whichever is higher

11. 11
PROVISIONS PENALTY
Total worldwide turnover in relation to a data fiduciary is the
total worldwide turnover of the data fiduciary and the total
worldwide turnover of any group entity of the data fiduciary
where such turnover of a group entity arises as a result of the
processing activities of the data fiduciary, having regard to factors,
including—
(i) the alignment of the overall economic interests of the data
fiduciary and the group entity;
(ii) the relationship between the data fiduciary and the group
entity specifically in relation to the processing activity undertaken
by the data fiduciary; and
(iii) the degree of control exercised by the group entity over the
data fiduciary or vice versa, as the case may be.
 Without any reasonable
explanation, failure to comply with
data principals request
Rs. 5000/- for each day
during which the default
continues, subject to a
maximum of Rs. 10 Lakhs
in case of significant data
fiduciaries and 5 lakhs in
other cases.
 Failure to furnish reports, returns,
information to the Authority
Rs 10,000 for each day
during which such
default continues,
subject to a maximum
Rs.20 lakhs in case of
significant data
fiduciaries and 5 lakhs in
other cases.
PENALTIES CONTINUED…

12. 12
PROVISIONS PENALTY
Failure to comply with the order of the
Authority
Data Fiduciary - Up to
Rs 20,000 for each day
during which such
default continues,
subject to a maximum
Rs.2 Crs.
Processor – Up to Rs
5,000 for each day
during which such
default continues,
subject to a maximum
Rs. 50 lakhs.
Penalty for contravention where no
penalty is prescribed
Significant Data
Fiduciary – maximum
1 Cr.
Other data fiduciary
– maximum Rs. 25
lakhs.
PENALTIES CONTINUED…
Remarks on Penalties:
 In addition to the penalty, the data principals also have right to
compensation for damages suffered.
 The compensation awarded or penalty imposed, under the
PDPA does not limit the award of compensation or imposition
of any other penalty or punishment under any other law for the
time being in force.

13. 13
OFFENCES PUNISHABLE WITH IMPRISONMENT
Offence Liability
Personal Data
In contravention of the provision of the
Act, one obtains, disclose transfer, sell or
offer to sell personal data of a person
which causes significant harm to the data
principal
Imprisonment for a
term not exceeding
3 years or shall be
liable to fine which
may extend up to 2
lakhs or both.
Sensitive Personal Data
In contravention of the provision of the
Act, one obtains, disclose transfer, sell or
offer to sell personal data of a person
which causes significant harm to the data
principal
Imprisonment for a
term not exceeding
5 years or shall be
liable to fine which
may extend up to 3
lakhs or both.
Anyone who re-identification and
processes de-identified personal data
without the consent of data fiduciary or
processor
Imprisonment for a
term not exceeding
3 years or shall be
liable to fine which
may extend up to
2 lakhs or both.

14. 14
Remarks:
 Offences under PDPA are cognizable and non-bailable
offence.
 Offences committed by Company:
Every person who is in charge is responsible to the Company
for the conduct of the business of the Company as well as the
Company shall be deemed to be guilty. This includes
Managing Director, Manager and/or Whole- time Director of
the Company.
Further, also if it is proved that the offence by the Company
has been committed with the consent or connivance of, or is
attributable to any neglect on the part of any director,
manager, secretary or other officer of the company, such
persons shall be deemed to be guilty of the offence and shall
be liable to be proceeded against and punished accordingly.
OFFENCES PUNISHABLE WITH IMPRISONMENT
CONTINUED…

15. 15
KEY TAKEAWAYS
The Personal Data Protection Bill 2018 of India is a law with
extra – territorial jurisdiction and is aligned to the privacy
principles as laid down under GDPR, including severe fine in
case of data breach. After the Supreme Court Landmark
Judgement recognising privacy as a fundamental right, people
have become more vigilant towards their rights and are
questioning any usage of their data for purposes other than
they have consented to. In order to enjoy competitive edge
in the sectors the Business is operating in, especially the
sectors whose business model is directly linked to the
customers’ data, the law will have far reaching implications.
IMPLICATIONS
In the event of breach, not only one will be liable to pay
penalty and pay damages to the aggrieved person but will
also be subjected to business and reputational loss. In the
event it is determined that significant harm is caused to an
individual, the officer in default may even be sentenced to
imprisonment. The liability in certain events extents even to
the directors and manager of the Company. Further,
depending upon the harm caused to an individual, the
respective international privacy regulatory authority may
even restrict processing of data principals’ personal data
residing in the respective jurisdiction by an Indian Entity.

16. 16
ACTION POINTS
 One of the essential pillar to data protection laid under the
law, is the importance of ‘adequate safeguards’ such as
including de-identification, encryption, and tools to
prevent misuse, unauthorized access, modification,
disclosure, or destruction of personal data.
 Temporal limitations on processing and retention of
personal data. Store the data as long as “reasonably
necessary" to satisfy its intended purpose or to comply
with legal obligations. Undertake periodic review to check
that no one is unnecessarily retaining personal data.
 Undertake gap assessment exercise, frame privacy &
security policy of the company and adopt the code of
practice as may be notified by the Authority.
 Review existing contracts with vendors, bind them with
restrictive covenants aswell as security and privacy policy
of the Company.
 Undertake data – audits in case of any outsourced
processing assignments.
 Given the nature of operation of the Company, consider
taking Data Insurance.

17. 17
GLOSSARY OF KEY TERMS
Data means and includes a representation of
information, facts, concepts, opinions, or
instructions in a manner suitable for
communication, interpretation, or processing by
humans or by automated means.
Data
fiduciary
means any person, including the State, a company,
any juristic entity or any individual who alone or in
conjunction with others determines the purpose
and means of processing of personal data.
Data
principal
means the natural person to whom the personal
data referred to in sub-clause (28) relates.
Data
processor
means any person, including the State, a company,
any juristic entity or any individual who processes
personal data on behalf of a data fiduciary, but does
not include an employee of the data fiduciary.
Harm includes— (i) bodily or mental injury; (ii) loss,
distortion or theft of identity; (iii) financial loss or
loss of property, (iv) loss of reputation, or
humiliation; (v) loss of employment; (vi) any
discriminatory treatment; (vii) any subjection to
blackmail or extortion; (viii) any denial or
withdrawal of a service, benefit or good resulting
from an evaluative decision about the data
principal; (ix) any restriction placed or suffered
directly or indirectly on speech, movement or any
other action arising out of a fear of being observed
or surveyed; or (x) any observation or surveillance
that is not reasonably expected by the data
principal.

18. 18
GLOSSARY OF KEY TERMS CONTINUED…
Person means— (i) an individual, (ii) a Hindu undivided
family, (iii) a company, (iv) a firm, (v) an association of
persons or a body of individuals, whether
incorporated or not, (vi) the State, and (vii) every
artificial juridical person, not falling within any of the
preceding sub-clauses;
Personal
data
means data about or relating to a natural person who
is directly or indirectly identifiable, having regard to
any characteristic, trait, attribute or any other
feature of the identity of such natural person, or any
combination of such features, or any combination of
such features with any other information
Personal
Data Breach
(PDB)
means any unauthorised or accidental disclosure,
acquisition, sharing, use, alteration, destruction, loss
of access to, of personal data that compromises the
confidentiality, integrity or availability of personal
data to a data principal
Profiling means any form of processing of personal data that
analyses or predicts aspects concerning the
behaviour, attributes or interest of a data principal
Sensitive
Personal
Data (SPD)
means personal data revealing, related to, or
constituting, as may be applicable— (i) passwords; (ii)
financial data; (iii) health data; (iv) official identifier;
(v) sex life; (vi) sexual orientation; (vii) biometric
data; (viii) genetic data; (ix) transgender status; (x)
intersex status; (xi) caste or tribe
Significant
data
Fiduciary
(SDF)
means a data fiduciary notified by the Authority
under section 38.
Significant
harm
means harm that has an aggravated effect having
regard to the nature of the personal data being
processed, the impact, continuity, persistence or
irreversibility of the harm.

19. 19
THANK YOU