PDPB Compliance

India’s Personal Data Protection Bill (PDPB)

The Personal Data Protection Bill (PDPB) aims to align India’s data protection regime with the EU’s General Data Protection Regulation (GDPR).

PDPB’s scope is broader than GDPR’s. The India law regulates the processing of personal data by the state, any citizen of India, or any person or body incorporated or created under Indian law.

An entity may fall within scope merely by processing personal data in India — even through the use of a processor in India.

Challenges to PDPB Compliance

expanded definitions of personal data, sensitive personal data, and critical personal data
new legal bases for processing data
stricter deletion and remediation requirements
protections on the cross-border flow of data
the creation of a new regulating body, the Data Protection Authority (DPA)
companies need to be able to effectively classify and tag all their high-risk and sensitive data to ensure its protection.

Fulfill Data Access Requests

Under PDPB, data principles receive certain rights similar to those covered by GDPR and CCPA. These data rights include:

the right to access data
the right to correction
the right to data portability
the right to erasure
the right to be forgotten

Companies need to ensure data rights access fulfillment — and automate manual processes for individual requests.

Data Minimization and Retention

PDPB includes restrictions around data minimization, in which personal data must be “collected only to the extent that is necessary for the purposes of processing of such personal data.”

The law also calls for specific storage limitations and requires deletion of data unless retention is required by law or consent for retention is obtained.

PDPB’s strict retention requirements create the need to set internal data retention policies that companies can act on swiftly — while also being able to identify duplicate and redundant data.

New Terminology Under PDPB

In addition to personal data and sensitive personal data, PDPB introduces the category of “critical personal data” and creates new definitions for “data fiduciaries” — similar to data controllers — and “data principles,” similar to data subjects.

Companies must contextualize data with identity profiling and indexing that covers all types of sensitive data across the enterprise

Penalties and Enforcement

Penalties under both GDPR and PDPB are similar, with fines of up to 4% of a company’s global annual revenue. PDPB also includes criminal penalties of up to three years of imprisonment and a $3,000 fine.

Organizations must be able to report on whose data they have, enable correction workflows, effectively de-identify data, and more.

Get A Demo

How BigID Helps with HITRUST Compliance

Get A Demo

Identify and Map All Your Data

Find and inventory your sensitive information for a clear, comprehensive view of all the data you store and maintain — not just the data you know about.