
GDPR and Indian Data Protection Bill
GDPR Evolution
The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernize laws that protect the personal information of individuals.
It replaced the previous 1995 data protection directive.
Previous UK law was based upon this directive.
GDPR applies across the entirety of Europe, but each individual country has the ability to make its own small changes.
In the UK, the government has created a new Data Protection Act (2018), which replaces the 1998 Data Protection Act.


GDPR Principles

Overview of GDPR

Summary
Data Privacy in India
Not explicitly laid down in the Indian Constitution.
The Government, in the Aadhaar case hearing, took the stand that privacy was not a fundamental right, relying on M.P. Sharma v. Satish Chandra and Kharak Singh v. State of UP.
Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors is a landmark judgment of the Supreme Court of India, which holds that the right to privacy is protected as a fundamental constitutional right under Articles 14, 19 and 21 of the Constitution of India.
Justice Srikrishna Committee
Data Fiduciary: similar to Data Controller
Data Principal: similar to Data Subject
Report tabled in May 2018. Leaked during the Aadhaar judgment in September 2018.
Placing privacy at the heart of everything: in line with many regulations across the globe, the Indian Personal Data Protection Bill also introduces and mandates the concept of ‘privacy by
Features
PbD (privacy by design): organizations will have to embed this concept in the entire data life cycle – collection, processing and use, storage, transmission, archival and disposal.
Mechanism to collect personal data: organizations will need to limit data collection to the minimum required for the purpose of processing. All organizations, irrespective of their size, turnover or industry, will have to gain visibility into transactions involving the collection and use of personal data. Also, they must restrict the collection of personal data to only that necessary for providing the service to the data principal (natural person) or to fulfil the purpose specified.
The data principal (natural person) will have:
- right to confirmation and access
- right to correction of personal data
- right to data portability
- right to be forgotten
Limit Storage of Personal Data
Organizations will need to retain personal data only as long as it is reasonably necessary to satisfy the purpose for which it is obtained.
They will have to periodically review the personal data in their possession from a retention point of view.
All organizations, irrespective of their size, turnover or industry, will have to draft a data retention policy.
While formulating policies, the sector-wise and other statutory/regulatory requirements also need to be factored in when determining the retention period.
Example: the Know Your Customer (KYC) guidelines issued by the RBI, which require information pertaining to the identification of the customer to be retained for at least five years even after the closure of the account.
Sensitive Data
Passwords
Financial health
Official identification
Sexual orientation and activity
Biometric data
Genetic data
Gender status
Caste/tribe
Political belief
PDPB and GDPR
Differences:
1. Scope and Applicability
2. Data Localization and Cross-Border Transfer
3. Notice and Consent
4. Data Processing Principles and Grounds
5. Security and Compliance
6. Breach Notification
7. Storage Limitation
8. Grievance Redressal and Penalties
