Potential Impacts of Draft India Personal Data Protection Bill (PDPB), 2018 on Global Capability Centres (GCC)

Since late 1990s, there has been a significant rise in the establishment of Global Capability Centres (GCCs) within India. There are currently GCCs operating across numerous sectors including information technology (IT), financial services, telecommunication, manufacturing, oil & gas, aerospace, healthcare, automobile, and biotech.

The Personal Data Protection Bill (PDPB) needs to be applicable to organisations operating in India and abroad that process personal data of Indian data principals . Thus, GCCs will also come under the purview of PDPB as they process the personal data (or may be in some cases, sensitive personal data) of their employees based in India and/or any other individuals within the territory of India. This will trigger GCC to revisit their current ecosystem (across people, process, and technology layers) to align with the requirements under the PDPB.

Given the nature of the industry structure and operations carried out by GCCs, a large volume of personal and sensitive personal data is collected, stored, processed, retained, and disposed in India. For this reason, the PDPB would impact many areas of GCCs such as legal, IT, human resource, sales and marketing, procurement, finance, and information security, etc.

PDPB’s key requirements and potential impact on GCCs

• Notice: PDPB requires data fiduciaries to provide notice about its personal data processing activities and associated purpose at the time of collection. This needs to be in a clear, concise, and easy to read language. Hence, organisations would be required to update their website privacy policy to include elements such as consent, purpose of processing personal data, and security controls for protecting personal data etc., with respect to transactions related to Indian data principal.
• Cross-border transfer and data localisation: PDPB requires organisations to store at least one serving copy of personal data on a server or data centre located in India. Localisation of personal data would affect organisations due to the additional costs involved in the establishment of servers and data centres to store the data. In addition, by the way of enhanced vulnerability considering that there would be multiple copies of personal data at multiple locations. Organisations need to incorporate standard contractual clauses (data privacy oriented contractual language) and obtain explicit consent of the data principals for certain categories of personal data.
• Privacy by design: PDPB requires data fiduciaries that launch new services, products, innovative technologies or expand into new geographies to include data protection from the very onset of the designing of systems. Organisations would have to incorporate privacy into design, operations, and management of their systems and business processes.
• Choice and consent: PDPB requires data fiduciaries to describe the choices available to the data principal. In addition, obtain implicit or explicit consent for the collection, use, and disclosure of personal information. Therefore, organisations would have to update their standard operating procedures (SOPs). They also need have to identify the personal data collection points to implement the privacy requirement to provide choice and consent to data principals.
• Data protection impact assessment (DPIA): PDPB requires data fiduciaries to conduct a data DPIA. This is done to evaluate risks that result from data processing, particularly when large volumes of personal data and/or sensitive personal data are processed.
• Rights of data principals: PDPB provides data principals with rights such as right to access their data, right to seek correction of their data, right to portability of their data from one entity to another, and the right to be forgotten, wherein an entity can be prevented from further disclosure of personal data. Hence, organisations need to update their processes and technical controls to comply with data principal’s rights in a timely and efficient manner.
• Data breach notification: PDPB requires data fiduciaries to notify the Data Protection Authority within a reasonable period of time. They need information related to nature of the personal data affected by the breach, the number of individuals affected by the breach, the possible consequences of the breach, and the mitigating measures taken by the organisation. Organisations would be required to develop procedures to identify and report data incidents by implementing process and technical solutions.
• Culture and communication: PDPB requires organisations to develop a culture of privacy by making employees aware about the best practices to handle personal data including disclosure to only authorized recipients. Therefore, organisations would be required to undertake specific privacy trainings that allow employees to understand all privacy-risks related to the personal data they process.
• Third party compliance: PDPB requires organisations to expand the scope of due diligence of third parties by adding privacy-related requirements and conducting a data privacy impact assessment while on-boarding new third parties. Therefore, GCCs need to make sure their third parties comply with privacy requirements and follow strict policies and controls, aligned with their policies and controls.
• Data disposal: PDPB requires that personal data should only be stored for a time period necessary for its processing and thereafter, it should be securely destroyed. The end of data lifecycle requirement would obligate organisations to prepare a data lifecycle procedure, data retention and secure destruction procedure, and update contracts to govern the data disposal obligations in a timely and secured manner.