Will the new data protection bill pose challenges for startups?

With the growth of the digital economy, data has come to play a critical role in how people communicate with one another. Protecting personal data is as much a fundamental right as the right to privacy. The Personal Data Protection Bill, 2018 intends to foster a free and fair digital economy and comprises some provisions from the European Union’s General Data Protection Regulation (GDPR).

In Section 2 of the Bill, if a company collects the personal data of anyone in India, even as part of a marketing survey, that company would have to protect the data. The jurisdiction of the Bill is vast, including territorial and extra-territorial limits, similar to the GDPR. The provisions of the Bill are applicable to any data processing carried out within India by the State, Indian companies/citizens as well as to any entities not present within India and providing goods and services in India.

Startups, which constantly collect personal data for various business reasons, including research, analysis, marketing, etc., will need to obtain consent from their customers. Startups may find it challenging to get consent from every individual or inform them about why their data is being taken or how it will be used.

Additionally, Section 69 of the Bill calls for large penalties when companies fail to comply with these new obligations. Entities in breach of the law can be fined up to 2% of the total global turnover of the preceding financial year or Rs 5 crore, whichever is higher.

If an entity/company acts as a data fiduciary, which determines the purpose and means of processing personal data, or a data processor, which analyses personal data on behalf of a data fiduciary, then the company must be aware of some key provisions covered by the Bill:

• The individual is the focus of the new regulation and has the right to correction, data portability, right to be forgotten, etc.
• The individual should be notified about how his or her data is used and be given the choice to decline to offer his/her data
• Accountability
• Privacy and data protection do not dilute the right to information
• Data that flows across borders should also be protected

Some actions that companies may undertake to determine how to manage personal data are as follows:

• A company must identify all the persons with whom it shares/receives personal data
• It must assess the nature of data sharing with such persons
• It must have written documentation to clearly define the segregated obligations and risks between the data fiduciary and data processor

Roma Priya is the founder of Burgeon, a legal services firm specialising in startups. Views expressed are personal.