Everything about Personal Data Protection Bill 2023 (Ultimate Guide)


Data protection refers to the policies, processes and technical controls that keep personal data confidential, accurate and available, restrict how it may be used, and protect it from breaches.

 

In India, the Digital Personal Data Protection Bill, 2022 and the Digital Personal Data Protection Act, 2023 that followed it define the compliance obligations of organisations that collect and use individuals’ personal data.

 

In practice, personal data protection relies on technical controls such as encryption of data in transit and at rest, access controls, Data Loss Prevention (DLP) tooling, firewalls and logging. It is essential across every business function that handles personal data, such as human resources, finance, and research and development.

 

In this blog, we share the details of the Personal Data Protection (PDP) Bill and how HRMS data management will change under the personal data management policies it defines.

 

What is Personal Data Protection (PDP)?

A personal data protection bill is a legislative framework designed to regulate how organisations collect, process and store the personal data of individuals, including their employees. It sets out how personal data must be handled in line with privacy principles, which matters all the more as digital activity grows.

 

In India, the personal data protection bill was introduced to replace the older norms and bring Indian law closer to the standards of the EU’s General Data Protection Regulation (GDPR). It has gone through several iterations, with the Digital Personal Data Protection (DPDP) Bill, 2023, now enacted as the DPDP Act, 2023, being the most recent.

 

The key elements included in the personal data protection bill are:

  • Rights of individuals over their personal data
  • Legal obligations on those who process personal data
  • Procedures for processing personal data lawfully
  • The right of citizens to lodge a complaint when the law is breached
  • Duties of citizens in safeguarding personal data

 

The Digital Personal Data Protection Bill protects the privacy of citizens by safeguarding their personal data.

 

The Digital Personal Data Protection Bill was passed to replace the earlier Personal Data Protection Bill and to strengthen the protection of citizens’ personal data, chiefly by requiring informed consent from individuals before their data is processed. The Act also permits a limited set of “legitimate uses” without consent, which include processing for the purposes of employment, a point that matters for HR systems.

 

Data fiduciaries are responsible for how personal data is processed and must inform the affected individuals (and the Data Protection Board) in the event of a personal data breach. The law gives effect to the fundamental right to privacy recognised by the Indian Supreme Court in its 2017 judgment in Justice K.S. Puttaswamy v. Union of India.

 

It safeguards citizens’ personal data while supporting India’s digital mission to reach every corner of the nation. By regulating the growing use of personal data by businesses and government and holding those who process it accountable, the law plays a pivotal role in protecting data while still giving fiduciaries the access they legitimately need.

 

➔ PDP Rules and Policies

The Personal Data Protection Bill was first introduced in Parliament (Lok Sabha) in December 2019. The objective of that draft was to regulate the processing of individuals’ personal data and protect it from misuse and theft.

 

The 2019 Bill organised its provisions into chapters covering, among other things, consent, obligations of data fiduciaries, rights of data principals, and enforcement, giving a comprehensive framework.

 

➔ The Digital Personal Data Protection (DPDP) Bill, 2023

The Union Cabinet approved the Bill in July 2023 and Parliament passed it in August 2023, after which it received presidential assent as the Digital Personal Data Protection Act, 2023. It largely retains the structure of the 2022 draft, and sets out how personal data is to be collected, stored securely, shared only with chosen parties, and more.

 

If a violation takes place, the penalty is borne by the organisation (data fiduciary) that processes the personal data. The Act allows penalties of up to ₹250 crore per instance for failing to take reasonable security safeguards; the 2022 draft had proposed a higher ceiling of ₹500 crore. Individuals (data principals) who breach their own duties under the Act can be fined up to ₹10,000.

 

What is Personal Data Protection Act?

A Personal Data Protection Act (PDPA) is legislation enacted to govern the collection, storage and processing of individuals’ personal data in a country. The details vary from one jurisdiction to another. However, the fundamental aim is the same: to protect the personal data of individuals that government bodies and organisations collect, and to hold those who process it accountable.

 

In India, the Digital Personal Data Protection Act, 2023 was enacted in August 2023, with its provisions coming into force on dates notified by the Central Government. It aims to protect the digital personal data of individuals while ensuring responsible data processing and access by fiduciaries.

 

Key features of the Digital Personal Data Protection Act are as follows:

 

➔ Rights of Individuals (Data Principals):

  1. Access, correct and erase personal data
  2. Withdraw consent for data processing

 

➔ Obligations of Organizations (Data Fiduciaries):

  1. Ensuring transparency and fairness in the processing of personal data
  2. Protecting data from unauthorised access through reasonable security safeguards
  3. Notifying the Data Protection Board and affected individuals of any personal data breach

 

The primary objective of the digital personal data protection law is to regulate organisations and ensure ethical handling of individuals’ personal data, while preserving individuals’ access to their own data so they can withdraw consent to processing or have it erased from the system. This builds individuals’ trust in digital systems, which in turn supports economic growth and speeds up digital verification processes.

 

Furthermore, it safeguards employees’ personal data by limiting access to authorised personnel and imposing heavy penalties (up to ₹250 crore per instance for failing to implement reasonable security safeguards) for breaches of the obligations set out in the Act.

 

What is the Draft Personal Data Protection Bill?

A draft personal data protection bill is proposed legislation introduced by the government that outlines a framework for regulating the collection, storage and processing of citizens’ personal data while protecting individuals’ privacy rights.

 

In India, the Draft Personal Data Protection Bill, 2019 went through subsequent iterations, including the Digital Personal Data Protection Bill, 2022, which eventually led to the Digital Personal Data Protection Act, 2023.

 

The draft bills aimed to regulate the processing of personal data by both private and government entities while safeguarding individuals’ privacy. Let us look at their key features:

 

Key Features of Draft bill

The key features of the draft bill are as follows:

 

1. Data Classification

It classifies personal data into categories such as sensitive personal data (financial details, health data, biometrics, etc.) and other personal data such as name or age.

 

2. Rights of Individuals

It includes:

  • The right to withdraw consent to the processing of personal data
  • The right to be informed about how one’s personal data is processed
  • The rights to access, correct or erase personal data

 

3. Obligations of Fiduciaries

  • Fiduciaries (organisations) must protect individuals’ data from being leaked or tampered with.
  • Fiduciaries must obtain consent before collecting or processing personal data.

 

4. Cross-border Data Transfers

It outlines a framework for transferring personal data across borders, with restrictions on sensitive or critical personal data.

 

5. Government Exemptions

The government could process personal data without consent under certain circumstances, such as national security or public interest, which raised concerns about overreach.

 

Key points of the Personal Data Protection Bill

Let us discuss the key parameters of the PDP Bill:

 

➔ Applicability

The PDP Bill applies to government and private entities that process personal data in India. It also covers the processing of personal data of individuals in India that takes place outside India, for example by foreign companies offering them goods or services.

 

➔ Data Protection Authority

The PDP Bill placed the protection of user data under a Data Protection Authority of India (DPA), an independent regulatory body responsible for enforcing and implementing its provisions. The enacted DPDP Act, 2023 replaced this with a Data Protection Board of India, whose role is mainly adjudicatory: inquiring into breaches and imposing penalties.

 

➔ Rights of Individuals

With the Bill, individuals gain the right to access their personal data, correct inaccuracies, seek erasure, exercise data portability, and more.

 

➔ Sensitive Personal Data

The PDP Bill classified sensitive personal data into categories such as financial data, health data and biometric data. Violations attract penalties of up to ₹250 crore for organisations under the 2023 Act (the 2022 draft had proposed up to ₹500 crore) and up to ₹10,000 for individuals who breach their duties.

 

➔ Data Localization

The PDP Bill also had data localisation provisions: sensitive personal data could be transferred abroad only if a copy remained stored in India, and critical personal data could be processed only within India. The DPDP Act, 2023 dropped these localisation requirements; the practical point for organisations is to know in which region personal data is stored and to keep it encrypted wherever it rests.

 

➔ Cross-Border Data Transfer

The Bill also allowed cross-border transfer of employees’ personal data, subject to conditions such as keeping a copy of the data in India. Under the DPDP Act, 2023 the model is reversed: transfers are permitted to any country except those the Central Government restricts by notification, so employers should check that list before moving employee data to a foreign data centre.

 


How PDP will change HRMS Data Management?

By deploying HRMS software, organizations can store their employees’ personal data safely and securely. A robust HRMS encrypts sensitive and confidential employee information so that unauthorised parties cannot read it.

 

Usually, organizations hire cybersecurity experts and consultants who can provide further insights and guidance on strengthening data security in their companies.

 

However, an HRMS takes much of this burden off the organisation: the software vendor updates the product as the Personal Data Protection Bill and its rules evolve, and the HRMS automates a large part of the data security process. The employer nonetheless remains the accountable data fiduciary under the Act, regardless of any contract with the software vendor, so it should verify what the vendor actually provides rather than assume compliance is automatic.

 

Let us discuss how deploying a robust HRMS will help automate personal data management as required by the PDP Bill:

 

➔ Access Controls

HRMS software enforces access control through user authentication (strong passwords, multi-factor authentication) and authorisation mechanisms such as role-based access control (RBAC), so that each user, whether in the private or public sector, sees only the employee data their role requires.

 

In line with the rights the Bill grants to individuals, an employee can access their own personal data through the HRMS, check it for errors or missing information, and request corrections.

 

➔ Data Encryption

HRMS software plays a crucial role in employing encryption: it protects personal data in transit by transmitting it over encrypted connections (TLS), and protects it at rest by encrypting sensitive fields stored in its databases, so that unauthorised access to the network or the storage does not expose readable data.

 

➔ Data Backup and Recovery

Regular data backups are essential to ensure data availability and provide protection against data loss or system failures. HRMS software has mechanisms for performing automated and secure backups of employee data and establishing procedures for timely data recovery in emergencies.

 

Hence, it supports the reasonable security safeguards the Bill expects of data fiduciaries, without extra manual effort.

 

➔ Audit Trails and Logs

Maintaining comprehensive audit trails and logs makes it possible to monitor and track user activity within the HRMS software. These logs help detect unauthorised access or suspicious behaviour and provide an accountability mechanism for data handling.

 

Since the PDP framework expects organisations to demonstrate accountability for how personal data is handled, the audit trails and logs kept by an HRMS allow every personal data transaction to be accounted for.
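The access-control and audit-trail points above can be tied together in one piece of code. The following is an added example written for this article; it is not Pocket HRMS code and not anything taken from the Act. It models a data fiduciary’s employee records with role-based field permissions, refuses processing once an employee has withdrawn consent, logs every allow/deny decision, and then runs a simple detector over that audit log. The employee IDs, names, roles, field sets and thresholds are all constructed assumptions for the demonstration.

```python
# Added example (not Pocket HRMS code): RBAC, consent checks and an audit trail
# over employee personal data. All names, roles, fields and thresholds are
# hypothetical assumptions made for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records for the example; the identifiers are made up.
EMPLOYEES = {
    "E001": {"name": "Asha", "department": "finance", "salary": 90000,
             "pan": "ABCDE1234F", "health": "none recorded"},
    "E002": {"name": "Ravi", "department": "engineering", "salary": 120000,
             "pan": "PQRSX5678Y", "health": "asthma"},
    "E003": {"name": "Meera", "department": "engineering", "salary": 110000,
             "pan": "LMNOP9012Q", "health": "none recorded"},
}

# Least privilege: each role may read only the fields its job needs.
ROLE_FIELDS = {
    "self": {"name", "department", "salary", "pan", "health"},
    "manager": {"name", "department"},
    "payroll": {"name", "department", "salary", "pan"},
    "hr_admin": {"name", "department", "salary", "pan", "health"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    actor: str
    role: str
    employee_id: str
    fields: tuple
    allowed: bool
    reason: str


class PersonalDataStore:
    """In-memory stand-in for the HRMS database plus its audit log."""

    def __init__(self, records):
        self._records = {k: dict(v) for k, v in records.items()}
        self._consent_withdrawn = set()
        self.audit_log = []

    def _log(self, actor, role, employee_id, fields, allowed, reason):
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         actor, role, employee_id,
                                         tuple(sorted(fields)), allowed, reason))

    def withdraw_consent(self, employee_id):
        """Data principal withdraws consent; logged like any other event."""
        self._consent_withdrawn.add(employee_id)
        self._log(employee_id, "self", employee_id, (), True, "consent withdrawn")

    def read(self, actor, role, employee_id, fields):
        """Return the requested fields, or None if denied. Every decision is logged."""
        fields = set(fields)
        permitted = ROLE_FIELDS.get(role)
        if permitted is None:
            allowed, reason = False, "unknown role"
        elif role == "self" and actor != employee_id:
            allowed, reason = False, "self role may only read own record"
        elif employee_id not in self._records:
            allowed, reason = False, "no such employee"
        elif role != "self" and employee_id in self._consent_withdrawn:
            allowed, reason = False, "consent withdrawn"
        elif not fields <= permitted:
            # Fail closed: one field outside the role's set denies the whole request.
            allowed, reason = False, "fields not permitted for role: " + ",".join(sorted(fields - permitted))
        else:
            allowed, reason = True, "ok"
        self._log(actor, role, employee_id, fields, allowed, reason)
        if not allowed:
            return None
        return {f: self._records[employee_id][f] for f in fields}


def suspicious_actors(audit_log, max_records=2, max_denials=2):
    """Flag actors who read more distinct records than the (hypothetical) threshold,
    or who collect repeated denials, i.e. are probing for data outside their role."""
    reads, denials = defaultdict(set), defaultdict(int)
    for ev in audit_log:
        if ev.allowed and ev.fields:
            reads[ev.actor].add(ev.employee_id)
        elif not ev.allowed:
            denials[ev.actor] += 1
    flagged = defaultdict(list)
    for actor, ids in reads.items():
        if len(ids) > max_records:
            flagged[actor].append(f"read {len(ids)} distinct records")
    for actor, n in denials.items():
        if n >= max_denials:
            flagged[actor].append(f"{n} denied requests")
    return dict(flagged)


def run_demo():
    """Constructed sequence of requests; returns the store and the detector's verdict."""
    store = PersonalDataStore(EMPLOYEES)
    # A manager reads what the role allows, then probes for salary and health data.
    store.read("M100", "manager", "E002", ["name", "department"])   # allowed
    store.read("M100", "manager", "E002", ["name", "salary"])       # denied
    store.read("M100", "manager", "E001", ["health"])               # denied
    # An employee reads their own health field but not a colleague's record.
    store.read("E002", "self", "E002", ["health"])                  # allowed
    store.read("E002", "self", "E003", ["name"])                    # denied
    # An HR admin sweeps every record: permitted per field, but worth a look.
    for eid in EMPLOYEES:
        store.read("H300", "hr_admin", eid, ["name", "salary", "pan"])
    # E003 withdraws consent; payroll can no longer process that record.
    store.withdraw_consent("E003")
    store.read("P200", "payroll", "E003", ["salary"])               # denied
    return store, suspicious_actors(store.audit_log)


if __name__ == "__main__":
    store, flagged = run_demo()
    for ev in store.audit_log:
        print(ev.actor, ev.role, ev.employee_id, ev.fields, "ALLOW" if ev.allowed else "DENY", ev.reason)
    print("flagged:", flagged)
```

Two design choices are worth noting. The check fails closed: a request that mixes permitted and non-permitted fields is refused entirely and logged, rather than silently returning the subset, so an over-broad query shows up in the audit trail instead of quietly succeeding. And consent withdrawal is enforced at the read path rather than by deleting the record, so the data principal can still exercise their own access rights while other roles are blocked.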

 

➔ Compliance with Data Protection Laws

HRMS software will help in staying compliant with the Personal Data Protection Bill to ensure data protection and security of the employee data. Since HRMS deals with the employee management process, the data related to onboarding, offboarding, attendance, payroll, etc. should be stored securely.

 

A well-designed HRMS stores and serves this data securely, which supports the employer’s obligations as data fiduciary under the PDP Bill.

 


How does Pocket HRMS ensure compliance with PDP?

HRMS software plays a central role in how an employer meets its obligations under the Personal Data Protection Bill when handling employee data, even though the employer remains the accountable data fiduciary.

 

HRMS software developers like Pocket HRMS have already implemented employee data protection policies in their systems and are striving towards providing enhanced data protection to secure employees’ personal data and company databases.

 

Pocket HRMS runs on Microsoft Azure cloud infrastructure, which encrypts company and employee data at rest with 256-bit (AES-256) encryption. Combined with the application’s own access controls, this protects the database against unauthorised access and data breaches.

 

In line with the PDP Bill’s rules and regulations, Pocket HRMS stores Sensitive Personally Identifiable Information (SPII) securely behind a multi-layered encryption system.

 

➔ Features of Pocket HRMS Data Protection:

  • A centralized data maintenance service that encrypts, decrypts, and maintains employee personal data.
  • Enterprise-grade 256-bit encryption on Microsoft Azure cloud infrastructure.
  • User access control so that each user sees only the data their role requires.
  • A well-structured database for easier application maintenance and compliant MIS reporting.
  • Bulk data processing for simplified data imports and report generation.

 

End Note

Personal data protection is an essential aspect of safeguarding every individual’s privacy. Hence, every organization should have the right HRMS software which is compliant with personal data protection policies and practices.

 

Data protection laws and regulations, such as India’s Digital Personal Data Protection Act, 2023, are established to enforce and regulate personal data protection at the country level. These laws set out obligations for individuals, organizations, and governments regarding the collecting, using, storing, and sharing of personal data.

 
