Deloitte’s Privacy and Data Protection (PDP) services
Key highlights of India’s Personal Data Protection Bill (draft), 2018
Protection of the data principal's personal data is at the core of the draft Personal Data Protection Bill, 2018 (hereafter referred to as “PDPB” or “bill”). This means that once the bill is enacted and enforced, privacy will no longer be optional and cannot be ignored. Among many significant provisions, the PDPB proposes substantial penalties for violation of the stated requirements. Such provisions, along with a heightened focus on the collection and use of personal data, will require organizations (referred to in the bill as Data fiduciary and Data processor) to revisit their risk acceptance criteria and establish a robust privacy and data protection framework.
The draft PDPB includes a provision to issue penalties on a two-tier system, depending on the type of violation and the history of prior violations. Under one tier, penalties for a data fiduciary may extend up to ₹15 Cr (approx. USD 2.25M*) or 4 percent of its total worldwide turnover of the preceding financial year, whichever is higher. Under the other tier, a data fiduciary may be penalized up to ₹5 Cr (approx. USD 0.75M*) or 2 percent of its total worldwide turnover of the preceding financial year, whichever is higher.
In our view, based on prior experience helping organisations with similar global regulations, penalties can potentially be reduced by demonstrating continued focus and efforts towards establishing a strong privacy and data protection framework. Deloitte Touche Tohmatsu India LLP (DTTILLP, Deloitte) offers a comprehensive range of Privacy and Data Protection (PDP) services to help organizations establish, implement, operate, and sustain a robust privacy and data protection program.