Safeguard the sensitive data of Indian residents — and track cross-border data flows
India’s Personal Data Protection Bill (PDPB)
The Personal Data Protection Bill (PDPB) aims to align India’s data protection regime with the EU’s General Data Protection Regulation (GDPR).
PDPB’s scope is broader than GDPR’s. The Indian law regulates the processing of personal data by the state, any citizen of India, or any person or body incorporated or created under Indian law.
An entity may fall within scope merely by processing personal data in India — even through the use of a processor in India.
Challenges to PDPB Compliance
– expanded definitions of personal data, sensitive personal data, and critical personal data
– new legal bases for processing data
– stricter deletion and remediation requirements
– protections on the cross-border flow of data
– the creation of a new regulating body, the Data Protection Authority (DPA)
To meet these requirements, companies need to be able to effectively classify and tag all their high-risk and sensitive data to ensure its protection.
Fulfill Data Access Requests
Under PDPB, data principals receive certain rights similar to those covered by GDPR and CCPA. These data rights include:
– the right to access data
– the right to correction
– the right to data portability
– the right to erasure
– the right to be forgotten
Companies need to ensure that data rights requests are fulfilled — and automate the manual processes behind individual requests.
Data Minimization and Retention
PDPB includes restrictions around data minimization, in which personal data must be “collected only to the extent that is necessary for the purposes of processing of such personal data.”
The law also calls for specific storage limitations and requires deletion of data unless retention is required by law or consent for retention is obtained.
PDPB’s strict retention requirements create the need to set internal data retention policies that companies can act on swiftly — while also being able to identify duplicate and redundant data.
New Terminology Under PDPB
In addition to personal data and sensitive personal data, PDPB introduces the category of “critical personal data” and creates new definitions for “data fiduciaries” — similar to data controllers — and “data principals,” similar to data subjects.
Companies must contextualize data with identity profiling and indexing that covers all types of sensitive data across the enterprise.
Penalties and Enforcement
Penalties under both GDPR and PDPB are similar, with fines of up to 4% of a company’s global annual revenue. PDPB also includes criminal penalties of up to three years of imprisonment and a $3,000 fine.
Organizations must be able to report on whose data they have, enable correction workflows, effectively de-identify data, and more.
How BigID Helps with PDPB Compliance
Identify and Map All Your Data
Find and inventory your sensitive information for a clear, comprehensive view of all the data you store and maintain — not just the data you know about.
Detect Cross-Border Data Transfers
Track data access, usage, and transfer violations across the organization for immediate action — and apply controls for breach risk reduction.
Clean Up Your Data
Minimize duplicate, similar, and redundant data; fix data quality issues; and automate workflows based on retention timelines.
Tag Data for Legal Purposes
Ensure that data is being processed in accordance with the new legal bases established by PDPB to achieve compliance.
BigID for PDPB Compliance
Discover all sensitive and regulated information that falls under PDPB — wherever it’s stored across the enterprise.
Take an ML-based approach to automatically classify, tag, and discover relationships among high-risk, regulated data.
Apply data retention rules based on a disclosed purpose, define custom policies, and apply them consistently across all data types and data sources.
Remediate personal, sensitive, and critical data regulated by PDPB — and manage high-risk data with remediation workflows and audit trails.