Indian Data Protection Compliance


Our Experts

Sanjay Kaushik
Sanjay Kaushik

Managing Director


Sanjay Kaushik
Salil Kapoor

Associate Director - Cyber Security

Indian Data Protection Compliance

India is one step closer to enacting a law on data protection following the initial assessment and recommendations by the Sri Krishna Committee on Data Privacy and Management. A draft data protection law entitled Personal Data Protection Bill, 2018 is a part of the 176-page report. This is a much-needed development considering the pace at which internet penetration is growing and the corresponding rise in digital payments and online transactions in the country.

The fight for data privacy needs to be multi-dimensional to be effective. Along with strong legislation, technological and human aspects of data safety need to be addressed in tandem. Ensuring data safety and security is a highly technical job, calling for investments in the latest hardware and software to thwart hackers and cybercriminals.

How Private Are We?

India Finally Has A Data Privacy Framework

  • The law will have jurisdiction over personal data that is used, shared, disclosed, collected, or otherwise, processed in India.
  • The law will not have retrospective application and will come into force in a structured and phased manner.
  • It will cover personal data used by companies incorporated under Indian law. irrespective of the data being processed in India, or not
  • The law will cover the processing of personal data by both public and private entities.
  • Sensitive personal data will include passwords, financial data, health data, sex life, sexual orientation, biometric, and genetic data.
  • Such data also covers information that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
  • A regulator—Data Protection Authority of India (DPA)— will be set up for the effective implementation and enforcement of the law.
  • The new regulator will have a chairperson and six whole-time members.
  • For consent from individuals to be valid, it should be free, informed. specific, clear and capable of being withdrawn.
  • For sensitive personal data consent will have to be explicit.
  • Individuals will have the right to access their personal data with entities that make corrections to it and restrict its usage.
  • Penalties may be imposed for violating the data protection law.
  • Any person below the age of to 18 years will be considered as a child under the law.
  • Entities processing children’s data will have to develop appropriate mechanisms for age verification and get parental consent.

Subscribe to our Newsletter

Quick Enquiry

Are you Secured?