Digital privacy bill 2022: Decoding for fintech

Data protection has remained in the spotlight, with compliance the top priority for organizations since the EU adopted the General Data Protection Regulation (GDPR) in May 2018. With technical focus and attention to global compliance needs growing simultaneously, one would believe Fintechs in India are more focused on building a sustainable business.

In the same vein, the new Digital Personal Data Protection Bill 2022 (DPDP Bill, 2022), which is open for public consultation until 17 December 2022, should only be a confirmatory exercise for these Fintechs. If this is not the case, let's look at the broad areas that Fintechs are required to focus on under this bill, in this 7-point format:

Fintechs can play the role of a Data Fiduciary (one that determines the purpose and the processing of personal data) at certain times or, in most cases, the role of a data processor (someone who processes personal data on behalf of a data controller). It is important to understand this difference in roles, as all compliance follows from this basic understanding. Fintechs will need to separate their methods of maintaining and processing data depending on these roles.

Digital Nagriks, or Data Principals, are the persons to whom such personal data belongs. The DPDP requires that the data controller has received a specified message in clear and unambiguous language with a description of the personal data sought to be collected and the purpose of the processing.

Consent must be freely given, informed and unequivocal before the adoption of this bill, as the law will require new consent as soon as reasonably practicable. Consent for children (i.e. persons under 18) can be obtained through verifiable consent from the parents. Under the GDPR, this age limit is 16 years.

Once this Bill is passed into an Act, the Central Government shall notify a class of data controllers as important data controllers based on their volume and sensitivity. With predictive foundations being the primary services of large Fintechs, several of them are likely to be classified as Significant Data Fiduciaries. Such mapping will attract further compliance, such as the mandatory appointment of a data protection officer and an independent data auditor, and conducting data protection impact assessments.

Fintechs will be obliged to respond to Data Nagriks if they ask to: a. confirm whether their personal data is processed, b. provide a summary with details about this, c. correct data if informed, and d. delete data if requested if it.

This DPDP Bill 2022 is the revived version of the Personal Data Act, 2019, which was shelved in its entirety in August this year. The format, scope and approach of the DPDP are much simpler compared to the earlier version. Several provisions are still open. We will all have to wait and see what emerges as the law.


Disclaimer

The views above are the author’s own.


