The recommendation of the Joint Parliamentary Committee that the PDPB 2019 be amended, renamed the “Data Protection Act.20xx”, and extended to include some aspects of Non Personal Data Governance has created some confusion about the status of the governance of personal data protection in India.
Though it has been suggested that the PDPB 2019 be amended to apply to “Anonymised Personal Data” and to mandate that non personal data breaches be reported to the Data Protection Authority created under this Act, most of the Act still applies only to personal data protection. Hence, in terms of compliance requirements, the PDPSI remains intact, with the addition of the following two requirements related to this change.
- The Consent notice shall include a clause “I agree that after the purpose for which my personal data was disclosed has been fulfilled, it may be anonymised as approved under the Indian law and used as required”.
- Any data breach related to non personal data shall be reported to the Data Protection Authority as may be required.
There are, however, some reports suggesting that the Government of India is still undecided about including Non Personal Data aspects in the PDPB2019/DPA20xx.
We need to await the passage of the bill for clarity on this aspect.
Until such time, we shall refer to the PDPSI as the DPCSI, or Data Protection Compliance Standard of India.
Accordingly, the Data Protection Management System will be called the “Data Protection Compliance Management System” or DP-CMS. This term is comparable to ISMS, PIMS or DPMS used in other compliance frameworks.