Outside IN views on India's Digital Personal Data Protection Act.pdf


Outside IN views on India's Digital Personal Data Protection Act

WELCOME AND INTRODUCTIONS

- Abhishek Tiwari, FIP, CIPP/E, CIPM. Education Advisory Board Member; Bangalore KnowledgeNet Chapter Chair; LinkedIn Top AI Community Voice; Manager, Digital Trust, KPMG India
- Charmian Aw, FIP, CIPP/E, A, US, CIPM. Partner, Squire Patton Boggs (Singapore)
- Christopher Chew, CISSP, CCSK, PCIP, CIPP/A, CIPM, FIP. Privacy Engineering Section Advisory Board; Technical Leader - Security & Digital Trust, Cisco CXTO

The Journey

- 2017: Supreme Court affirms privacy as fundamental right
- 2017-2018: Draft Data Protection Bill
- 2019: Introduction of the Personal Data Protection Bill (PDPB)
- 2021: Parliamentary Committee report on PDPB
- 2022: Withdrawal of PDPB, 2019 and release of draft Digital Personal Data Protection Bill
- 2023-July: Cabinet approval of the DPDP Bill
- 2023-August: DPDP Bill, 2023 was passed by both houses of the Parliament, received Presidential assent and was notified in the gazette to become an enforceable Act
- 2023-August: Comes into force on August 11

The DPDPA 2023 is the onset of the data protection regime in India. It emphasizes and encourages organisations to protect digital personal data while safeguarding the freedom of individuals.

Key Highlights of DPDPA

- Organizations processing large volumes of personal data will be categorized as Significant Data Fiduciary and will be required to comply with additional obligations.
- Cross-border transfers have been permitted until explicitly restricted by the Government. However, stricter sectoral laws would continue to apply.
- DPDPA has established a Data Protection Board to regulate the data privacy framework.
- Organizations can continue to process employee personal data under legitimate interest without obtaining consent.
- A layered penalty system has been implemented, with severe violations such as security failures leading to data breaches carrying a maximum penalty of INR 250 crores.

Find Out If DPDPA Is Applicable To You

(Flowchart; questions, branch labels and outcomes in slide order)

- Is the organization processing personal data? Yes / No
- Is processing happening in India? Yes
- Is the data digitized? Yes
- DPDP Act is applicable
- No: Is personal data processing happening outside India in relation to offering goods/services to individuals in India? Yes / No
- DPDP Act is not applicable
- Does the organization process personal data:
  - In large volumes and of high sensitivity
  - That pose risks to the right of data principals and to electoral democracy
  - Adversely impacts security of the state and public order
- Yes
- Organization is a Data Fiduciary
- Organization can potentially qualify as a Significant Data Fiduciary

Introduction to key stakeholders defined in the Act

- Data Principal: The individual to whom personal data relates
- Data Fiduciary: Defines the purposes and means of personal data processing
- Significant Data Fiduciary: Organization that processes large volumes of sensitive data sets
- Data Processor: Processes personal data on behalf of the Data Fiduciary
- Data Protection Officer: Individual appointed by Significant Data Fiduciary
- Consent Manager: Organization managing the consent of Data Principals

Your organization can wear multiple hats and can be a Data Fiduciary, Significant Data Fiduciary or Data Processor, depending upon the context of personal data processing.

- Do you process your employees' personal data? You will act as a Data Fiduciary.
- Do you process large volumes of personal data such as customer data? You might act as a Significant Data Fiduciary.
- Do you process the personal data on behalf of other organizations? You will act as a Data Processor.

Scope, Rights and the penalties

Financial penalties up to per instance

Data Principal could also be fined up to INR 10 thousand in case of violations of their duties.

Territorial Scope

- Processing within the territory of India
- Processing outside India in connection with any activity related to offering goods and services within India

Material Scope

Personal data that is collected in:

- Digitized form
- Non-digital form and digitized subsequently

Rights of Data Principals

- Right to Grievance Redressal: The Data Fiduciary is required to respond to the grievance of the Data Principal within a time period as may be prescribed.
- Right to Nominate: Data Principals have the right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.
- Right to correction and erasure of personal data: Data Principals can reach out to the Data Fiduciary in order to exercise their right to correct, complete, update and erase their personal data.
- Right to Access Information about personal data: The Data Principal can exercise their right to obtain confirmation from the Data Fiduciary regarding processing of the data, a summary of personal data & identities of all data fiduciaries.

Grounds for processing

There are two grounds of processing defined under which organisations can process personal data:

- Consent: The Data Principal may give, manage, review, or withdraw their consent to the Data Fiduciary directly or through a Consent Manager. In case of children, consent shall be obtained from the parent or the lawful guardian.
- Legitimate Uses: No separate consent is required for certain "legitimate uses" recognised under the Act. This includes where data is voluntarily provided or collected for a legal obligation.

Consent

- Who will provide consent? Data Principal
- Who will ask for consent? Data Fiduciary
- How should consent be requested? In clear and plain language; using itemised notice
- How can consent be withdrawn? By contacting Data Fiduciary or Consent Manager
- Consent should be: Freely Given; Specific; Unconditional & Unambiguous

Scenarios covered under Legitimate Uses

- For personal data provided voluntarily by the Data Principal
- For personal data processed for any function under any law or judgement issued under law
- For responding to a medical emergency involving a threat to the life of the Data Principal or other individual
- For maintaining public order and ensuring safety
- For purposes related to employment
- For performing activities in public interest

DPDPA23 Penalties

Non-compliance could lead to hefty penalties:

- 150 crores per instance: For breach in observance of additional obligations of Significant Data Fiduciary
- 200 crores per instance: For breach in notifying the board or the affected individuals
- 250 crores per instance: For violation in taking security safeguards to prevent a personal data breach
- 200 crores per instance: For breach in observance of additional responsibilities for processing children's personal data
- 50 crores per instance: For breach in observance of any other provisions of DPDPA

Key Obligations As A Data Fiduciary

01. Determine legal ground of processing and obtain consent from Data Principals where required. (Section 4(1), DPDPA)
02. Provide a privacy notice to Data Principals who have provided consent for processing their personal data. (Section 5, DPDPA)
03. Identify key application and underlying infrastructure processing personal data, and implement technical & organizational measures to safeguard personal data. (Section 8(4), DPDPA)
04. Have a breach management policy to notify Data Principals and the Data Protection Board in accordance with prescribed timelines. (Section 8(6), DPDPA)
05. Implement a grievance redressal mechanism for handling queries from data subjects. (Section 8(10), DPDPA)
06. Implement a mechanism for Data Principals to exercise their rights. (Section 11, 12, 13, & 14, DPDPA) (Section 8(4), DPDPA)
07. Irrecoverably delete personal data after the purpose for which it was collected has expired or when the consent has been withdrawn. (Section 8(7), DPDPA)
08. Sign a valid contract with your Data Processors and ensure key obligations are abided by, including deleting data as required. (Section 8(2), DPDPA)

Additional Obligations As A Significant Data Fiduciary

In addition to the general obligations of a Data Fiduciary, a Significant Data Fiduciary must also:

- Conduct Data Protection Impact Assessment periodically
- Appoint a Data Protection Officer based in India
- Appoint an independent data auditor to carry out periodic data audits

Are you a Significant Data Fiduciary?

Based on the following, you could potentially also qualify as a Significant Data Fiduciary under the DPDPA:

- the volume and sensitivity of personal data processed;
- risk to the rights of Data Principal.

What you need to do starting today

- Identify your personal data whereabouts: Perform data discovery to know what data exists in the current environment and where it is stored.
- Establish the grounds for processing data: Based on the type of processing, establish and document what the ground of processing is.
- Obtain and record consent for your existing customers and provide the privacy notice: Consent shall be obtained and recorded for personal data collected before the commencement of the Act, along with a DPDPA-aligned privacy notice.
- Enable mechanism to handle and respond timely to Data Principal Requests including Grievance Redressal: Operationalize procedures for handling data principal requests and initiate departmental responsibility assignment.
- Identify the impact on data processing in case of consent withdrawal: Identify how business processes shall be impacted and processing shall be restricted in case of a consent withdrawal.

HOW DID THINGS GO? (WE REALLY WANT TO KNOW)

Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation.

1. Open the Cvent Events app.
2. Enter IAPP DPIUK24 (case and space sensitive) in search bar.
3. Tap "Schedule" on the bottom navigation bar.
4. Find this session. Click "Rate this Session" within the description.
5. Once you've answered all three questions, tap "Done".

Thank you!
