‘New Data Protection Law Will Make Companies Ensure Holistic Cyber Security Controls’: Munish Gupta, Inspira Enterprise

What has been your and industry’s contribution to discussions leading up to the new Digital Personal Data Protection bill in India?
Whenever legislation is passed,  a draft process passes through stakeholders including people, industry and academia. So unofficially through various channels like the Data Security Council of India and NASSCOM, and in discussions when we were part of some delegations, such as when I represented India recently in a delegation to Israel, and before that in a cybersecurity delegation to UK and then to Amsterdam, all initiatives of Prime Minister Modi, industry’s needs from such a law were discussed.
Unofficially, the feedback or pulse of the market has been that if such a legislation is passed, it would address people’s concerns and would help India as a brand ambassador, that we take our data security or data privacy seriously. This legislation will open wider opportunities for us, for more business from North American and Europe also.

How will individuals be enabled to protect their data better by the new legislation?
The way the new legislation has been structured is that on the one hand there is the ‘data principal’, the people like you and me whose data is collected, for example our personal, identifiable information including our date of birth, our medical history, our employment history, those kind of things.
The other aspect is the ‘data fiduciary’, the one acquiring that information from you. For example, at the time of your recruitment, you may have to share some of that information, you may share a hard copy that may be scanned. And now, every organisation is going to come under the digital personal data protection legislation.
From a user perspective, the one good thing is that now, every corporation or organisation has to show that safeguards are built in for protecting this data’s privacy. This is obligatory in nature, so organisations that do not do that will face severe penalties that may affect their brand standing too.
The next thing is the Data Protection Board, which is going to be constituted by the Government of India. If you see the 2019 bill, it only highlighted that organisations  need to have a data protection officer to facilitate or ensure adherence to the guidelines. But this time, the law explicitly mentioned that while we need to have a data protection officer, we also need to have a consent manager.
While the data protection officer has to show how data is processed and stored within the organisation, whether we are complying with government guidelines or not, the consent manager has to explicitly say what data we are collecting, whether while hiring somebody if end user’s consent is being asked explicitly, if the user is made aware of why we're seeking consent.
As of today, in India there is no way to know what consent has been taken for historical data. So for example, I may reasonably say I have not provided a consent for my information to be shared, or something like that.  But as per the new law, every organisation has to ensure that for a set period, let's say five years, six years, they are going to retain that data. So if there is a dispute, they can showcase that on this particular date, two years back, consent was given and was not revoked.
Now every organisation has to safeguard itself because this mandates  that everybody gets to complain or raise a dispute. And even if it's a false complaint, the maximum penalty for a user is Rs 10,000, while for a company it is up to Rs 250 crore.  
So it's more favourable to the end user, while for organisations it's a liability in the sense that they would need to make investments in technology to ensures this consent is taken, how they would dispose, manage the whole lifecycle of it after  acquiring the data, processing the data, storing the data and then disposing it also.

What about social media companies and the big tech companies who end up having a lot of our data because we voluntarily gave it to them at some point of time? How would all of them be impacted by the new law?
Social media companies, whether Telegram, Facebook, Instagram or any other now need to ensure that they are adhering to the Digital Personal Data Protection Act. I think Meta has already hired a senior person to look into these aspects.
The second thing is that currently, the data they take from us may be posted on a  US server, in a cloud. But now, they have to ensure that there is a dedicated cloud infrastructure built for India. And that the data is not crossing India’s boundaries without explicit approval from the Government of India. They need to invest to keep data locally.
The next thing is cookies. You might have noticed that you search for a TV on Google and soon after, while you are browsing the internet, or even in your apps, you start seeing a lot of ads for a TV. That happens because of your cookies, through which information is shared with a third party.
Now sharing such information is going to be difficult for them. Because when they asked for your consent for cookies, it was only for the purpose stated. They have to specifically mention that we need your consent to share this information, and if they are going to share that with a third party, they have to disclose it.
Another scenario is that what happens at the multinational companies comes to India and they acquire existing small organisations for inorganic growth. Even in such cases, if company A is being acquired by company B,  they have to seek consent for the data being acquired. They cannot use that data without the user's explicit consent. 

Time for enforcement is likely to be in the range of 12 months. We are waiting to know exactly how much time organisations will be given for compliance.

From the point of view of cyber security, as our data is also being held by banks or E-commerce companies we did transactions with, what is going to be the impact of the data protection law?
In many cases, entities are not aware of what data they have collected and are storing. Or the user may not be aware what data belonging to him / her is in the public domain. With the new law, this information is moving from unstructured data to a structured form, where anyone who is acquiring data must ensure it is in a proper organised shape and form.
The second thing is that they have to maintain historical data as well. You can only provide controls or apply something if you know what you are going to protect.
Also, this will bring awareness into the industry. Companies do not want to be on the wrong side and will make sure that while they are storing information, processing the information, they also have holistic cyber security controls around so that the information is not compromised.

What kind of companies would these include?
I think everybody has to ensure compliance, whosoever is taking your data. Even a small organisation with 200 employees taking personal data will have to ensure that they have enough cybersecurity measures to protect the data itself. It's not only the consent management but they have to show that the data is being stored rightly, processed rightly and disposed of also in the right way.

So for example, I go to a hospital for surgery and my detailed medical history is taken. Will they now have to take my consent to keep my data?
Yes, and they're obligated to dispose of it at some point in a legal manner, and they will be subjected to other standards serving organisations of global hospitals,  a healthcare-specific compliance.

Overall from the point of view of end users, do you think that the new law is going to be like a paradigm shift for data and security in India?
For India it is a big shift. Because from a user perspective, there were not enough controls, and the user was not aware. So I think this whole thing is going to address two aspects. One is that it will bring more user awareness because whenever companies have to take somebody's consent, they have to advertise also.
And we expect a dedicated campaign from the government on the right to privacy. Even for certain users like in rural areas, where users may not be aware, the government will treat every user equally and companies have to ensure the same kind of safeguards for the broader umbrella.