Protection Bill
GDPR Evolution
The mutually agreed General Data Protection Regulation (GDPR) came into force
on May 25, 2018, and was designed to modernize the laws that protect the personal
information of individuals.
It replaced the previous 1995 Data Protection Directive.
GDPR applies across the entirety of Europe but each individual country has the
Overview of GDPR
Summary
Data Privacy in India
Not explicitly laid down in the Indian Constitution.
In the Aadhaar case hearing, the Government took the stand that privacy was not a
fundamental right, relying on M.P. Sharma v. Satish Chandra and Kharak Singh v.
State of UP.
Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors is a
landmark judgment of the Supreme Court of India, which holds that the right
to privacy is protected as a fundamental constitutional right under Articles 14,
19 and 21 of the Constitution of India.
Justice Srikrishna Committee
Data Fiduciary: Similar to Data Controller
September 2018
Placing privacy at the heart of everything In line with many
Bill also introduces and mandates the concept of ‘privacy by
Features
PbD (privacy by design): Organizations will have to embed this concept in the
entire data life cycle: collection, processing and use, storage, transmission,
archival and disposal.
Mechanism to collect personal data: Organizations will need to limit data
collection to the minimum required for the purpose of processing. All
organizations, irrespective of their size, turnover or industry, will have to gain
visibility into transactions involving the collection and use of personal data. Also,
they must restrict the collection of personal data to only that necessary for providing the
service to the data principal (natural person) or to fulfil the purpose specified.
The data principal (natural person) will have:
- right to confirmation and access
- right to correction of personal data
- right to data portability
- right to be forgotten
Limit Storage of Personal data
Organizations will need to retain personal data only as long as it is
reasonably necessary to satisfy the purpose for which it is obtained.
They will have to periodically review the personal data in their possession
from a retention point of view.
All organizations, irrespective of their size, turnover or industry, will have to
draft a data retention policy.
While formulating policies, the sector-wise and other statutory/regulatory
requirements also need to be factored in when determining the retention
period.
Example: the Know Your Customer (KYC) guidelines issued by the RBI,
which require information pertaining to the identification of the customer to
be retained for at least five years even after the closure of the account.
Sensitive Data
Passwords
Financial health
Official identification
Biometric data
Genetic data
Gender status
Caste/tribe
Political belief
PDPB and GDPR
Differences:
1. Scope and Applicability
2. Data Localization and Cross Border Transfer
3. Notice and Consent
4. Data Processing principles and grounds
5. Security and Compliance
6. Breach Notification
7. Storage Limitation
8. Grievance Redressal and Penalties