1. Applicability of the Information Technology Act, 2000
- In India, data privacy for Public Limited Companies is primarily governed by the Information Technology (IT) Act, 2000, particularly:
  - Section 43A: Liability for failure to protect sensitive personal data
  - Section 72A: Punishment for disclosure of information without consent
- Companies handling sensitive personal data (e.g., financial details, health records, passwords) must implement reasonable security practices.
- Non-compliance can lead to civil compensation and criminal penalties for data breaches or unauthorized disclosures.
2. Rules on Sensitive Personal Data or Information (SPDI)
- The SPDI Rules, 2011, under the IT Act, define and regulate how companies must collect, process, and store personal data.
- Requirements include:
  - Obtaining consent before collecting personal data
  - Providing a privacy policy and the data usage purpose
  - Ensuring data access controls, encryption, and secure storage
  - Offering data correction and grievance mechanisms to individuals
- Applies to companies collecting data through digital means or electronic systems.
3. Sectoral and Regulatory Obligations
- Listed Public Limited Companies must comply with SEBI (LODR) Regulations, especially if they manage investor or trading data.
- Companies in specific sectors like banking, insurance, and healthcare must also follow guidelines issued by RBI, IRDAI, or health data regulators.
- Businesses involved in cross-border data transfers may need to comply with foreign data laws, such as the EU GDPR, UK DPA, or California Consumer Privacy Act (CCPA).
4. Corporate Governance and Internal Controls
- Data privacy must be part of the company’s risk management framework and internal audit processes.
- Public companies are expected to have:
  - A defined data protection policy
  - Appointment of data protection officers or IT security heads
  - Employee training programs on data handling and security
- Board-level audit or risk committees should oversee privacy and cybersecurity compliance.
5. Upcoming Digital Personal Data Protection Act (DPDP Act), 2023
- The Digital Personal Data Protection Act, 2023 (passed but not yet fully enforced), will soon create a comprehensive legal framework for data protection in India.
- Key features expected:
  - Mandatory consent-based data collection
  - Appointment of Data Protection Officers (DPOs) for significant data fiduciaries
  - Data breach reporting obligations
  - Rights for individuals to access, correct, and delete their data
  - Significant financial penalties for violations, up to ₹250 crore