September 13, 2025

Personal Data Protection Bill: Why it may impose an unnecessary burden on India Inc

The Committee headed by Justice B N Srikrishna released its report formalising the legal framework for Data Protection in India. The Committee also released a draft of the Personal Data Protection Bill, 2018 (referred to as the Draft Bill).

The Draft Bill proposes to establish a legal framework for monitoring and supervising processing (defined in Section 3(32) of the Draft Bill) of personal data. The Draft Bill, if implemented in its present form, will cast a series of obligations onto data fiduciaries, i.e., the entities which determine the purpose for which the personal data would be used. Contravention of such obligations will invite substantial penalties, with offenses likely to invite imprisonment, or fine, or both.

One of the core principles on which the present Draft Bill is based involves data fiduciaries obtaining specific and explicit consent from data principals (i.e., individuals to whom the personal data relates). The data fiduciaries are obligated under the Draft Bill to provide specific notice(s) indicating the purpose for which the personal data is to

The data fiduciaries are also obligated to ensure that the personal data being handled is correct and error-free, and that it is stored to the extent it is required by the data fiduciaries.

The utility of the personal data the data fiduciaries maintain must be re-evaluated periodically – the personal data, if found to be no longer required for the purpose for which it was collected, has to be deleted by the data fiduciaries. In addition, the data fiduciaries are to conduct periodic audits.

As would be understood, discharging such obligations under the Draft Bill would require regular review and monitoring of the personal data being maintained and processed by the data fiduciaries.

Such monitoring would most certainly require additional resources and groups within an organisation for addressing the requirements as proposed under the Draft Bill. As a result, the organisations may have to establish a division to ensure that the organisation remains aligned with the requirements under the Draft Bill.

This may not be the only impact which the Draft Bill may have on organisations. The Draft Bill also requires that the data fiduciaries undertake a data protection impact assessment in case the data fiduciaries use any ‘new technology’, implement ‘processing which carries a risk of significant harm’, perform large-scale profiling, or process sensitive personal data (Section 33(1) of the Draft Bill). The present requirement does appear to have merit in relation to profiling or processing of sensitive personal data, but has raised concerns owing to terms such as ‘new technology’ which may have a much broader impact than intended. For example, large organisations routinely handle large volumes of data, which may be processed using techniques involving Data Analytics or Big Data.

This field is continuously evolving, with organisations very frequently updating their IT systems – such updates in technologies may end up being considered as ‘new technologies’.

 

 
