Data Privacy (SDG 16)

With the emergence of the digital era, in which data is collected, stored, transmitted and processed digitally, data security has become important. In August 2017, a landmark judgment declared that “privacy is a fundamental right”1. Following this, a 10-member committee under Justice B.N. Srikrishna was constituted to work on a legal framework for data protection. The committee submitted a white paper on “The Personal Data Protection Bill, 2018” for consideration by the Ministry of Electronics and Information Technology.

On the global front, the General Data Protection Regulation (GDPR), passed by the EU in May 2018, is another momentous regulation with far-reaching implications. The GDPR is applicable to companies which conduct transactions in the EU leading to the collection and/or processing of data2. This makes it imperative for companies to adapt to the regulation by drafting a stringent data privacy policy. Failure to adapt to the regulation by the deadline carries punitive measures.



3 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Currently, in India, data privacy/protection is governed by The Information Technology Act, 2000 (amended in 2008) and Information Technology3 Rules, 2011. The Act in its current form is applicable to the protection of sensitive personal information as defined in it. Additionally, financial institutions which are regulated by RBI are mandated to maintain data privacy, unless consented otherwise by the customer. Separately, Indian companies with securities issued/listed on stock exchanges outside India, or with operations outside India, are required to comply with the data privacy regulations of those countries/regions. As a result, most of the companies with multinational operations or with securities listed on stock exchanges outside India have an information security policy/cybersecurity policy.

In light of the changes to the legal landscape dealing with digital information, we find that Indian companies recognize data privacy as a material aspect of their operations. Around 90% of the companies studied have clauses on customer data privacy, either as a separate policy or as part of their code of conduct. Service industries outpace manufacturing by a wide margin. Banks lead, followed by energy, IT and telecom. Automobile companies have improved significantly over the past year, while capital goods has seen a slight decline.

Customer data privacy

Going forward, we expect all companies to follow better customer data management practices. Accountability for maintaining data confidentiality, obtaining pre-consent for disclosures and issuing notifications on breach will all be part of the new regime.