Conclusion and recommendations
For smaller organizations to comply with PDP, two suggestions have been made:
- Differential compliance for small organizations: Put in a different set of rules based on the asset size of the organization and the number of records that they are processing. If organizations have to compulsorily follow a large set of controls or regulations which are beyond their business value, compliance will be weak or even circumvented.
- Scaled down Data Protection (DP) practices which can be implemented by small businesses. These can be proportional to a risk score tagged to the business. The risk score needs to be objective, either based on turnaround or size of the (user) community that the business serves.
Small and medium organizations struggle at various stages to establish a business model with unit economics. This is a paramount concern when the policy environment and legislations are create an environment of uncertainty. While there is intent to embed privacy practices in the product-development cycle, small and medium organizations face challenges with respect to people, budgets and autonomy in decision-making to implement the same.
Privacy Mode’s research on privacy practices in India’s tech ecosystem1 clearly explains that adding regulatory pressure does not improve privacy outcomes. On the other hand, regulation can increase the compliance burden, thereby adversely affecting small and medium organizations and turning them into non-viable businesses. Therefore, we sincerely submit that the JPC takes note of the concerns of the industry and provides remedial measures in drafting of the final PDP Bill. This includes taking suggestions from practitioners and incorporating feedback on practical suggestions that will help transition India to personal data protection smoothly.
The Annexure attached with this submission highlights in further detail each clause and the recommendations and justifications that the community believes must be considered in order to pave the way for smoother compliance.
See the recommendations section of the Privacy-tech research at https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ for an elaboration of this finding. ↩