If you exchange information internationally, you must strengthen data protection. Those are two sides of the same coin.
– Gijs de Vries
As internet data became cheaper in India with the launch of JIO after 2015, a strong and efficient data protection law was urgently needed. In November 2018, the Privacy Data Protection Bill was finally drafted under the chairmanship of Justice B.N. Srikrishna. The bill was created to give ordinary individuals rights over keeping their data and information private.
The Privacy Data Protection Bill builds on Section 43A of the Information Technology Act, 2000 and the Information Technology Rules, 2011, which were enacted under Section 43A of the IT Act. The bill governs the processing of personal data within India by state, non-state or foreign entities operating within India. Note that the bill does not apply to anonymized data. Failure to comply with the bill results in a fine of 2%-4% of worldwide turnover or 5-15 crore INR (whichever is higher).
On the other hand, the General Data Protection Regulation came into force in May 2018 to safeguard privacy in the European Union and the European Economic Area. It restricts what organizations can do with public data and extends the rights of individuals to access and control data within the EU. Two tiers of fines are levied as penalties for not complying with GDPR: up to €10 million or 2% of annual global turnover, or up to €20 million or 4% of annual global turnover.
NOTE: Even companies outside the EU have to comply with the regulation if they process personal data of EU data subjects in connection with offering goods or services to them or monitoring their behaviour within the EU.
Before the tabular comparison between GDPR and the Privacy Protection Bill, there are some terms one must be aware of. Let's see them one by one:
DATA SUBJECT: A resident of the European Union whose personal data are to be protected.
DATA FIDUCIARY: Any juristic entity or individual who determines the purpose and means of the processing of personal data.
DATA PRINCIPAL: The person to whom the personal data belongs (this could be a family, firm, state or juridical person).
DATA CONTROLLER: A business or person processing personal information, for example an e-commerce site.
DATA PROTECTION OFFICER: A person appointed by the Data Controller who is responsible for overseeing data protection practices.
DATA PROCESSOR: An entity processing the data on behalf of the controller.
DATA AUTHORITY: A public institution that monitors the implementation of the regulation in a specific EU member country.
CONSENT: A clear statement by the Data Subject signifying agreement to the processing of personal data relating to him or her.
PROCESSING: A set of operations performed on personal data, such as collecting, organizing, retrieving, consulting, etc.
TABULAR COMPARISON BETWEEN GDPR & DATA BILL
| S.no. | Parameters | Data Bill | GDPR |
|---|---|---|---|
| 1. | Citizens whose personal data is being processed | Data Principals | Data Subjects |
| 2. | Entities that process the personal data | Data Fiduciaries | Data Controllers |
| 3. | Enforcement Date | The Data Bill 2018 is a draft as of now and not in force. | The provisions of the General Data Protection Regulation have been in force since 25th May 2018. |
| 4. | Extra-Territorial Application | Applicable to any activity inside the territory of India. | Any organization offering services to EU citizens. |
| 5. | Restriction on Cross-Border Transfer | Mandatory to maintain a copy of the data. | No copy needed. |
| 6. | Condition for Cross-Border Transfer | Any one condition is followed: a contract is formed. | One of the conditions is followed: explicit consent is required from the Data Subject. |
| 7. | Breach notification to the individual | | |
| 8. | Personal Data | Classification of data is done. | No such classification of data. |
| 9. | Data Protection Officer (DPO) | The data fiduciary will appoint a DPO. | The controller and processor will appoint a DPO. |
| 10. | Data Protection Authority | Responsible for promoting awareness. | Responsible for ensuring compliance and promoting awareness with respect to the Regulation. |
| 11. | Right to be forgotten / Right to erasure | No provision. | Rights are defined. |
| 12. | Right to portability | Right has restrictions. | Rights are defined. |
| 13. | Right to object and automated individual decision-making | No such right has been defined. | Rights are defined. |
| 14. | Right to restriction of processing | No such right has been defined. | Rights are defined. |
| 15. | Right to rectification | Not defined. | Rights are defined. |
| 16. | Data Audit | Conducted by an independent auditor. | The Supervisory Authority conducts it. |
| 17. | Compliance | The auditor provides a data trust score (state of compliance) to the data fiduciary. | Data protection certification mechanisms and data protection seals are used. |
| 18. | Redressal | Issues related to processing of data: DPO / grievance officer. Violation of the bill: Adjudicating Officer. | Issues related to processing of data: DPO. Violation of the regulation: Supervisory Authority. |
| 19. | Responsibility of Data Fiduciary / Controller | Not clearly mentioned in the bill. | Clearly mentioned under Article 24 of GDPR. |
| 20. | Size of the organization | Not mentioned. | Does not apply to companies with fewer than 250 employees. |