India's Personal Data Protection (PDP) Bill

Understanding Concerns of Stakeholders

Bhavani Seetharaman

@Bhavani_21

Conclusion and recommendations

Submitted Sep 12, 2021

Broad recommendations for smaller organizations:

For smaller organizations to comply with PDP, two suggestions have been made:

  1. Differential compliance for small organizations: Put in place a different set of rules based on the asset size of the organization and the number of records that they are processing. If organizations have to compulsorily follow a large set of controls or regulations which are beyond their business value, compliance will be weak or even circumvented.
  2. Scaled-down Data Protection (DP) practices which can be implemented by small businesses. These can be proportional to a risk score tagged to the business. The risk score needs to be objective, either based on turnaround or size of the (user) community that the business serves.

Small and medium organizations struggle at various stages to establish a business model with unit economics. This is a paramount concern when the policy environment and legislation are creating an environment of uncertainty. While there is intent to embed privacy practices in the product-development cycle, small and medium organizations face challenges with respect to people, budgets and autonomy in decision-making to implement the same.

Privacy Mode’s research on privacy practices in India’s tech ecosystem[1] clearly explains that adding regulatory pressure does not improve privacy outcomes. On the other hand, regulation can increase the compliance burden, thereby adversely affecting small and medium organizations and turning them into non-viable businesses. Therefore, we sincerely submit that the JPC take note of the concerns of the industry and provide remedial measures in drafting the final PDP Bill. This includes taking suggestions from practitioners and incorporating feedback on practical suggestions that will help transition India to personal data protection smoothly.

The Annexure attached with this submission highlights in further detail each clause and the recommendations and justifications that the community believes must be considered in order to pave the way for smoother compliance.


  1. See the recommendations section of the Privacy-tech research at https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ for an elaboration of this finding.
