Cyber Security is important because it encompasses everything that pertains to protecting our sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property data, and governmental and industry information systems from theft and damage attempted by criminals and adversaries.

Cyber Security risk is increasing, driven by global connectivity and the use of cloud services to store sensitive data and personal information. Gone are the days of simple firewalls and antivirus software being your sole security measures.

Information Act, 2000, the EU’s General Data Protection Regulation (GDPR) and India’s upcoming Personal Data Protection Bill 2019 mean that Cyber Security is no longer something businesses of any size can ignore. Cyber crime is not limited to loss of money; it extends to loss of identity as well.

Fundamentally, our society is more technologically reliant than ever before and there is no sign that this trend will slow. Personal data that could result in identity theft is now posted to the public on our social media accounts. Sensitive information like social security numbers, credit card information and bank account details are now stored in cloud storage services.

Information theft is the most expensive and fastest growing segment of cybercrime, largely driven by the increasing exposure of identity information to the web via cloud services, by giving irrelevant permissions to the applications we use on our Android devices, etc. According to the Coveware report, in the year 2019 alone, cases of document theft increased by 129%. Cyber crime is a business which is estimated to grow at a rate of 16% every year. But this does not mean that we should stop trusting and working on technology. We just need to be smart while using technology.

Data Privacy Bill 2019: All you need to know

In July 2017, the Ministry of Electronics and Information Technology (MeitY), Government of India (GoI), constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna. The committee was entrusted with the responsibility of identifying lapses in the present data protection regulations and preparing more robust and comprehensive data protection laws. After working for nearly a year, the committee submitted the draft Personal Data Protection (PDP) Bill, 2018, in July 2018.

Since its introduction last year, MeitY has solicited comments and suggestions on the PDP Bill from the public, various stakeholders, ministers and consultants. Based on these suggestions, a revised Personal Data Protection Bill, 2019 (Draft Bill), was cleared by the Union Cabinet on December 4, 2019.

The key changes/highlights of the Draft Bill are as follows:

Definitions: The definition of ‘sensitive personal data’, as laid out in section 2(36) of the Draft Bill, does not include the term ‘passwords’ any more.

Sensitive personal data is now defined as such personal data which may reveal, be related to, or constitute:

  1. Financial data
  2. Health data
  3. Official identifier
  4. Sex life
  5. Sexual orientation
  6. Biometric data
  7. Genetic data
  8. Transgender status
  9. Intersex status
  10. Caste or tribe
  11. Religious or political belief or affiliation, or
  12. Any other data categorised as sensitive personal data by the authority and the sectoral regulator concerned.

Prohibition of processing of personal data

Clause 4 seeks to prohibit processing of personal data without any specific, clear and lawful purpose. Earlier, the concept of reasonable processing was categorically prescribed, which could have resulted in possible processing of data without consent. The amended draft does away with that provision.

Restriction on retention of personal data

Clause 9 of the Draft Bill prescribes that the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets consent from the data principal.

Processing of personal data for other reasonable purposes

Clause 14 seeks to provide for other reasonable purposes for which personal data may be processed. One such newly introduced purpose is the operation of search engines. This is a new insertion and was not present in the previous bill.

Right to correction and erasure

As part of chapter V on the Rights of Data Principal, under Clause 18, the data principal has been provided the right to erasure of personal data which is no longer necessary for the purpose for which it was processed. This has been added in the Draft Bill over and above the other data principal rights, such as the right to correction of inaccurate data, completion of incomplete personal data and right to updating of personal data that is out of date.

Privacy by design policy

Clause 22 seeks to list out the constituents of privacy by design policy. Though the concept itself is not new (as it was already included in the previous bill), the mandatory requirement for a certification of the privacy by design policy by the data protection authority has been newly added. Such a policy is required to be published on the organisation’s and the authority’s websites.

Transparency in processing of personal data

Clause 23 seeks to bring in transparency in the processing of personal data by requiring the fiduciary to inform the data principal and make information available. This clause introduces a new term, ‘consent manager’, which is defined as a data fiduciary through which a data principal can give, withdraw, review and manage his/her consent through an accessible platform.

Prohibition on processing of sensitive personal data and critical personal data outside India

Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India. Though these concepts were included in the previous bill, the new provisions are clearer, and restrictions are imposed on transferring sensitive and critical data.

The new provisions state that:

sensitive personal data may be transferred outside India, subject to conditions for transfer of sensitive personal data and critical personal data, but shall continue to be stored within India

critical personal data (the definition of which is to be notified by the Central Government) can only be processed in India.

Conditions for transfer of sensitive personal data and critical personal data

Clause 34 seeks to list out conditions under which sensitive personal data and critical personal data could be transferred outside India. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where such transfer is made pursuant to a contract or intra-group scheme approved by the authority. Previously, intra-group scheme related approval was provided only for the categories of personal data, not being sensitive data. However, the Draft Bill extends this provision to sensitive data as well.
