Understanding the Data Privacy Law

The Personal Data Protection Bill, introduced in the Indian Parliament in 2019, has made it essential for all businesses to emphasize the protection of individuals' personal data. As a small or medium business owner, are you still trying to understand what personal data is? To answer it simply, personal data refers to any information that can be utilized to recreate an individual's identity. In other words, any information that can outline the identity of an individual can be termed as personal data. It includes any exclusive information about one particular individual.
Now, a valid question could be: what information constitutes personal data? According to the Information Technology Act, 2000, "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person. Here is some information that is commonly considered personal, either in combination with other data or on its own:
  • Name and surname
  • Contact numbers and e-mail addresses
  • Bank account details
  • Date and place of birth
  • Appearance details, such as height, weight, retina profile, and facial geometry
  • Usernames, passwords, IP address, and social media activities
  • Location history, purchase history, browsing history, preferences, and ratings
  • Cookies
  • Facial images, marital status, and information about family members
  • Workplace information, such as job titles, office address, salary details, tax details
  • Subjective private data, such as religious beliefs, sexual orientation, and political opinions

Tenets of Data Protection

Context is key to determining whether a piece of information can be considered personal data or not. Some information might not come under the category of personal data unless combined with other related information. For example, information such as a person’s name, job title, or place of work cannot individually be termed as personal data because it is possible that many individuals have the same name or have the same job title and share the same place of work. Therefore, merely knowing people’s names, their job titles, or their places of work cannot help identify one particular person. However, when combined, such information can pinpoint an individual. It is only then that the information becomes personal data.

Data protection involves the secure storage and usage of personal data. It also prevents illegal access and misuse of any personal data. Data protection is beneficial for a company because it increases the faith of consumers in the company and encourages them to purchase items without the fear of data compromise. This, in turn, potentially increases customer conversion rates, sales, and profits. Faulty data management makes a company prone to data thefts by competitors or other malicious agents. Effective data protection also reduces risks and financial losses, and provides an advantage to a company over its competitors.

The Indian Data Protection Bill of 2019

Since the advent of the digital era, data privacy has been a matter of great concern in India. In fact, almost 43% of Indians feel that their personal data might be leaked online. However, the genesis of the Indian Data Protection Bill lies in the Justice KS Puttaswamy v. Union of India case of 2017. In the judgment of this case, the Supreme Court of India ruled that privacy is a fundamental right. During the course of the case, the court had ordered that a committee be set up to analyze the data privacy issues in India. This committee submitted a report and a draft bill. In 2018, the Supreme Court instructed the government of India to make robust data privacy laws and the same draft bill became the prototype for the present bill. The Indian Parliament passed the Data Protection Bill on December 11, 2019, and this bill aims at:
  • Setting rules for storing and processing personal data
  • Restricting sharing of personal data
  • Deciding people’s right over the usage of their personal data by others
  • Outlining the grounds of exemptions
  • Setting up the Data Protection Authority (DPA) – a regulatory body to carry out the law
The Bill is undergoing amendments and certain provisions may change or will be amended. As and when the Data Protection Bill becomes an enforceable Act, it would be mandatory for all businesses to follow these regulations:
  • All businesses will have to seek the consent of their consumers before collecting and using their personal data. They would also be required to give customers clarity on their data collection practices.
  • The consumers would have the right to withdraw their consent at any point of time. So, the businesses would also need to set up systems to ensure seamless consent withdrawals.
  • It will empower consumers to erase, access, or correct their personal data. Businesses would thus need to formulate ways to ensure that consumers can easily do the same.
  • All businesses will need to make necessary organizational changes and improve their security framework to ensure better data protection.
  • All critical personal data of consumers will have to be stored and used within India. Any transfer of such data outside India will be deemed illegal. Sensitive personal data (data that requires extra security, such as genetic and biometric data) would have to be stored within India, but can be transferred abroad if it is permitted by the government or if it is being transferred for health and emergency purposes.
  • Companies will need to appoint data fiduciaries (people who would ensure all personal data of customers is stored and used securely).
  • The government can demand sharing of non-personal data of consumers.
  • If any company or individual sells, transfers, or stores personal data to cause deliberate harm or tries to re-identify and process personal data without necessary consent, it will be deemed illegal and will attract penalties.
  • Non-compliance with the regulations will attract a maximum fine of INR 150 million or 4% of the global annual turnover of the company.
  • Small businesses, which handle their customers’ personal data manually, will be exempted. The DPA will decide which companies are exempted.

Digital Data Management and Infringement Risks

Most of the consumers’ data is stored on digital platforms and this brings with it considerable digital risks that need to be managed. Almost 3.2 million debit and credit card details were reportedly stolen in 2016. With technology spreading its roots deeper in the society, businesses have emerged as the most vulnerable target of digital data infringement risks. Today, it is exceedingly difficult for businesses to survive without technological assistance in the constantly growing competition. It is projected that USD 2.3 trillion would be invested worldwide by 2023 to ensure digital transformation.

It is therefore paramount for businesses to ensure robust digital data management and negate infringement risks. Digital data infringement risk refers to any dangerous consequence that creeps in along with the adoption of technology to store data. Owing to the grave consequences of digital data infringement, its management should get the immediate attention of every 21st-century enterprise.

Here are a few steps that businesses can follow to ensure better data privacy of consumers:
  • Companies must try to limit the information they collect from their consumers. Only the information that is necessary for the enterprise must be collected.
  • There should be greater emphasis on how consumers’ personal data is stored. All sensitive and critical personal data should be thoroughly encrypted. A strong cyber-physical security model should be employed to prevent any abuse of legitimate access to personal data.
  • Transparency must be maintained while collecting consumer data. Privacy policies must be explained to customers in simple language. They must be notified about the information that is being collected, its usage, and the need for its storage. No data should be collected, used, stored, or transferred without customer consent.
  • It is important to ensure that customers can easily communicate with businesses in case they have concerns or queries about their data privacy.
  • Employees must be informed about digital data infringements and must be trained to prevent the same.
  • It is important to ensure timely updates of data protection programs.


With a few changes in their data management systems, companies can very easily comply with the new provisions of the Indian Data Protection Bill. If you are an e-seller who is still worried about compliance, register on Amazon as a seller to ensure data security and risk management by Amazon’s effective data security policy.
Disclaimer: Whilst Amazon Seller Services Private Limited ("Amazon") has used reasonable endeavours in compiling the information provided, Amazon provides no assurance as to its accuracy, completeness or usefulness or that such information is error-free. In certain cases, the blog is provided by a third-party seller and is made available on an "as-is" basis. Amazon hereby disclaims any and all liability and assumes no responsibility whatsoever for consequences resulting from use of such information. Information provided may be changed or updated at any time, without any prior notice. You agree to use the information, at your own risk and expressly waive any and all claims, rights of action and/or remedies (under law or otherwise) that you may have against Amazon arising out of or in connection with the use of such information. Any copying, redistribution or republication of the information, or any portion thereof, without prior written consent of Amazon is strictly prohibited.

© 2023 Amazon.com, Inc. or its affiliates. All rights reserved.