Cyber Security Impact Of Data Protection On Ease Of Doing Business In India -Shahana Chatterji
Over the last few years, digitisation and emerging technologies have been disrupting businesses across industries. Reports project the growth of India’s consumer digital economy from $85-90 billion in 2020 to $800 billion in 2030. With the pandemic providing the push for greater digitisation, cyber security has taken on greater importance. As per the Ministry of Electronics and Information Technology (MEITY), 6.07 lakh cases of cyberattacks were reported in India in the first half of the year 2021. The pandemic driven remote working set-ups and enhanced investments by enterprises in digitization, has led to an increased demand for monitoring newer digital surfaces and infrastructures.
Given the importance of data driven economies, the Indian parliament had undertaken an exercise to formulate a new data protection legislation. In the year 2019, the draft Personal Data Protection Bill was tabled in the Parliament and was referred to a Joint Parliamentary Committee (JPC) for further consideration. After multiple series of consultations with key stakeholders, the JPC published its report along with a draft Data Protection Bill (DP Bill) on 16th December 2021.
The DP Bill as part of cyber security incident reporting, obligates the data fiduciaries to mandatorily report personal data (PD) as well as non-personal data (NPD) breaches within 72 hours of gaining knowledge of the occurrence of such breach to the data protection authority (DPA) in a form specified by the Government. The DPA in its role is empowered to assess the impact of data breaches on the data principals. The JPC also recommends that the DPA should follow certain guidelines while framing rules and regulations concerning data breaches. These include requiring the organisations to maintain a log of data breaches for periodic review by the DPA and to the extent there is delay in reporting, the organisations need to justify that the delay was reasonable. Further, if data breaches occur despite precautions taken by a data fiduciary as an act of business rivalry or espionage, the DPA may use its discretion to authorize temporary order non-disclosure of details keeping in mind the data principals’ interests.
To the extent the data fiduciary fails to take appropriate remedial action under the DP Bill, the data fiduciary can be liable to a penalty of up to INR 5 Crores or 2% of its total worldwide turnover whichever is higher. In addition, the DP Bill also provides the data principal to claim compensation in case they suffer personal harm due to a data breach.
The DP Bill if enacted would make it imperative for organisations especially start-ups and small businesses to invest in relevant digital infrastructure and assets across all levels to ensure compliance with these obligations, at the risk of significant penalties.
Organisations will need to focus on expanding existing competencies of key personnel with skills to effectively identify and report cyber security breaches. Internal information technology policies will need to be reformulated or overhauled to align with the cybersecurity incident reporting requirements of the DP Bill. This includes developing adequate incident response policies, practices and procedures to identify and mitigate potential data breaches.
While the cyber security challenges faced by organisations cut across jurisdictions, the regulations to combat such challenges are fragmented in nature leading to compliance conflicts and increased costs. For an economy that seeks to establish itself as a hub of digital innovation, it is critical to balance legitimate regulatory concerns with an atmosphere that enables ease of doing business in India.
The author is Partner Shardul Amarchand Mangaldas & Co.
Disclaimer: The views expressed in the article above are those of the authors’ and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.