January 22, 2019 By Shushant Jha 5 min read

The Personal Data Protection landscape in developing countries

Traditionally, personal data has been one of the most understated and undervalued assets in most parts of the developing world. Many uninformed customers don’t think twice before sharing their personal data through mobile applications or the websites of various organisations to avail themselves of services. Certain organisations have been treating a consumer’s obscure one-line consent as lifetime approval to use the personal data beyond the implied purpose, sometimes legitimately and sometimes, knowingly or unknowingly, illegitimately. Such datasets are shared across organisations and individuals without any control or governance mechanism. Fortunately, governments are stepping in to protect the rights of the legitimate data owners; better late than never. To democratise data so that it can be leveraged for research, economic growth, and other purposes that benefit society in the long run, it is of paramount importance that we have a data governance policy in place up front, before the problem becomes unmanageable.

India mooting GDPR-type law

Following in the footsteps of the EU-GDPR initiative, in mid-2017 the Government of India appointed Justice BN Srikrishna, a former judge of the Supreme Court of India, to head a committee of experts brought together to create the legal framework for data protection and data privacy in India. The mandate given by the government to the committee was “to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.”

A year after its appointment, the Justice BN Srikrishna committee submitted its 200+ page report on data protection, titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians.” The report also contained a draft of “The Personal Data Protection Bill 2018” (The PDP Bill). Early this year, the European Parliament and the Council of European Union enforced “General Data Protection Regulation” (GDPR), which has been the core point of discussion about data protection and privacy. The Justice BN Srikrishna committee took note of this in its report, and the proposed bill does reflect some of this inspiration from the GDPR regulation.

What does the proposed India PDP bill say and what does it mean for you?

The Personal Data Protection Bill is a commendable step towards data protection in general and is very much needed at this time, especially when considering the contribution to global internet traffic from Indian territory. While it is essential to have a Data Regulation policy to protect the rights of the real owners of personal data, we also need to maintain an environment where such data can be used with proper consent for the benefit of industry, governments, and society as a whole. Most of the measures required to comply with the proposed policy can be handled through technology, while a few points may need a reconsideration of some recommendations before the bill is finalised. The draft bill in its present form may also bring changes for internet service providers and for any provider of services over the internet, because the draft suggests enforcing certain mandatory provisions that have not only financial implications but also a significant effect on the business models and modus operandi of such internet-based service providers.

Notable points from the Personal Data Protection Bill of 2018

The following are salient points of the committee report that concern the industry and may need more profound debate before finalising the Bill, inter alia:

  • The definition of data is too wide, and it may become a tool for the authorities to control data/information availability over the internet.

    • Section 2(12): “Data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.”

  • Data localisation mandates at least one active copy of the data to be stored physically in India. In the age of cloud-based infrastructure, this means every cloud provider must set up at least one cloud pod operating from India for every service delivered to users in India.

    • Section 40(1) says: “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”

  • There is a restriction on data collection and processing without clear and specific consent. This bars any use of personal data for a purpose that is conceived after data collection, unless explicit consent is acquired.

    • Section 5(1) states: “Personal data shall be processed only for purposes that are clear, specific and lawful.”

  • The Bill grants approval to governments to collect and process personal data for “functions of the state,” and “functions of the state” has not been defined in the bill.

    • Section 13 states: “Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.”

Nevertheless, on the positive side, something unprecedented that this draft bill provides is the “right to be forgotten.” Section 27 of the bill provides for various implicit and explicit events when the “right to be forgotten” comes into play, and such a right can be enforced by approaching an adjudicating officer for the concerned data fiduciary. For medium to large Indian organisations, the challenge will be to trace every bit of data and its metadata of the subject (citizen) and then take action on it.

What role can technology play?

The good news, from a technological landscape perspective, is that there are several artificial intelligence (AI) and machine learning (ML) based “commercial off-the-shelf” tools and solutions available to help quickly comply with the proposed guidelines that are part of this PDP Bill 2018. However, there is no AI without making data simple and accessible, and perhaps an enterprise-wide data dictionary could provide a good starting point. This will enable people at every echelon in an organisation to refer to a single definition of data. Once data becomes accessible and straightforward, strategy and operations could work hand-in-hand in creating a more transparent and trustworthy organisation. One of the outcomes could be providing a detailed, yet decipherable, definition of the possible usage of subject (citizen) data for multichannel campaigns, which will help organisations to comply with the PDP.

AI and ML tools can also automate the mapping of new laws enacted by the legislature to the business glossary of an enterprise. What used to be done manually, taking months and carrying every possibility of human error, can now be done in a matter of days. These tools also facilitate tasks that were not possible earlier, such as automatic alerts on the parts of a law, rule, by-law, etc. that the enterprise may be violating on an ongoing basis, which matters mainly because amending the law is also an ongoing activity of the government machinery.

IBM’s Point of View

A recommended best practice from IBM would be to put in place a strategic “Data Governance” platform, both to accelerate readiness and compliance with data privacy laws and to sustain it on an ongoing basis. Needless to say, smart organisations will not take much time to recognise this as an opportunity to use PDP as a vehicle for setting up an enterprise-wide data governance platform and use it as a differentiator to assure their customers that they are using ethical business practices. In the future, this very platform could be the difference between winners and losers as it will be the source of sustainable competitive advantage.

We urge you to review IBM’s journey to GDPR compliance, where we share our organisational program of change, prioritized work streams of activity, and the standard privacy methodology used both internally and with all client engagements. Are you contemplating taking next steps? Start today!
