white_paper_on_data_protection_in_india_171127_final_v2
The EU GDPR focuses on a "risk based approach" for continual assessment and adoption of mitigation measures. It does not mention whether the organisation should adopt a specific risk assessment industry standard (e.g. ISO 27001, ISO 31000 etc.). The only security practice it recommends is the use of pseudonymisation of personal data.

Accountability demands proactive actions from organisations, including continuing investments to ensure that security safeguards are up to date. Organisations are expected to empower customers with tools and technologies to protect their data.
Under the existing privacy framework in India, Rule 8 of the SPDI Rules mentions security practices that a body corporate should have in place for the purpose of protecting sensitive personal data. These security practices and standards should be supplemented by a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. 676 It also mentions making use of international Information Technology Security Standards such as ISO 27001 and the use of codes of best practices created by self-regulatory bodies, once approved and duly notified by the government. 677 The use of empanelled auditors to ensure compliance with these practices was also mandated.
Security safeguards obligations should provide adequate protection to the personal data of individuals while taking into account the financial and organisational capabilities of the data controller. A risk-based approach to dealing with potential security and associated privacy incidents could be the general norm. The approach should define the risk criteria, the mitigation measures and mechanisms to ensure reporting and continual improvement.
2.3 International Practices

European Union
The EU GDPR provides that a data controller would be responsible for, and must be able to demonstrate compliance with, principles relating to the processing of personal data (these include the purpose limitation principle, data accuracy principle, storage limitation principle etc.). 678 The obligation requires data controllers to implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing activities are performed in accordance with the data protection obligations set out under the EU GDPR. 679

Data controllers must also review and update such technical and organisational measures whenever necessary. 680 The measures incorporated would take into account the nature and
676 Rule 8(1), SPDI Rules.
677 Rule 8(3), SPDI Rules.
678 Article 5(2), EU GDPR.
679 Article 24, EU GDPR.
680 Article 24(2), EU GDPR.
151