India-PDPB Implementation

As a natural corollary to the growing infusion of technology into everyday economic transactions, it becomes imperative to safeguard every individual's personal data against misuse during its collection, storage, processing, use and disclosure. While data protection first became relevant with the Information Technology Act, 2000 and the recognition of the Right to Privacy, a specialised statutory regime has only been sought to be established with the introduction of the Personal Data Protection Bill, 2019.

Scope of the Personal Data Protection Bill

Essentially, the Bill identifies informational privacy, manifesting as personal data, as an "essential facet" of the fundamental Right to Privacy. It sets out provisions to regulate the processing of personal data within Indian territory, or by the Indian Government, entities incorporated under Indian law and Indian citizens, or outside Indian territory where there is some tangible connection with India. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as a data fiduciary. The Bill has a wide application and includes within its ambit everything from e-commerce, social media and IT companies to brick-and-mortar shops, real estate companies, hospitals and pharmaceutical companies.

Compliance Obligations

  • To ensure accountability, the Bill provides a comprehensive outline of the obligations of the entities responsible for deciding the means and purpose of data processing, with corresponding penalties for violations.
  • Processing of personal data is prohibited except for a specific, clear and lawful purpose. Under these provisions, processing of data is subject to purpose, collection and storage limitations.
  • Grievance redressal mechanisms must also be implemented to address complaints from individuals.
  • Certain entities are separately categorised as significant data fiduciaries, based on criteria such as the volume of data processed and the turnover of the fiduciary.
  • These fiduciaries carry additional obligations, including accountability measures such as conducting a data protection impact assessment before any large-scale processing of sensitive personal data (which includes financial data, biometric data, caste, and religious or political beliefs).
  • The Bill also sets out transparency and accountability measures, such as the Privacy by Design policy that every data fiduciary must have in place.

Penalties

The Bill relies on financial penalties to enforce compliance with these obligations. Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher. Failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Imprisonment of up to three years, or a fine, or both, is provided for the re-identification and processing of de-identified personal data without consent.

Enforcement Mechanism

Lastly, the Bill provides for establishing the Data Protection Authority and puts an adjudication mechanism in place through Adjudicating Officers. The Authority will have members with expertise in fields such as data protection and information technology. Any individual not satisfied with the grievance redressal provided by the data fiduciary can file a complaint with the Authority. Orders of the Authority can be appealed to an Appellate Tribunal, and from there appeals lie to the Supreme Court.

Benefits of the PDPB Implementation Program

  • Comply with Indian privacy laws efficiently and effectively.
  • Recognise, assess and strategise the handling of personal data within your organisation.
  • Adapt, improve and leverage your existing privacy compliance in order to comply with the PDPB.
  • Manage policies and notices, and maintain data privacy structures within the organisation.

Reach out to us