How Blancco Helps Organizations Comply with India’s Personal Data Protection Bill

India’s much awaited Digital Personal Data Protection Act (“DPDP Act”) became law August 11, 2023, following an earlier withdrawal of the Personal Data Protection Bill described below.

Look for updates here soon.

In 2018, the Justice Srikrishna Committee of India released its much-awaited draft Personal Data Protection Bill. This bill is set to be finalized in late 2019 or early 2020, and when it does, it will have far-reaching applications for any global company that processes personal data for India’s residents. Until now, privacy regulations in India, such as the Sensitive Personal Data and Information, 2011, offered little in the way of data protection. The new bill is modeled after Europe’s General Data Protection Regulation, with penalties for sharing or processing data without permission. Fines can be as much as ₹15 crore, or 4 percent of a company’s total worldwide turnover.

How Does the Bill Define ‘Data Processing’?

The term “processing” is referred to throughout the bill. Therefore, before we go into more specifics, let’s look at how the Committee defines this term. The bill states: “‘Processing‘ in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organi[z]ation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”

What Does Data Processing Mean Regarding Data Sanitization?

As stated in the definition above, data processing includes data erasure or destruction. A few points must be considered in this:

  1. Always Sanitize – Data removal should be carried out in a way that data cannot be recovered through any forensic means. (Thus, formatting, deleting and other methods that don’t achieve full data sanitization are insufficient).
  2. Always Verify – Perform an automated read operation to confirm data erasure/destruction. Many data security and privacy regulations mandate verification as a part of the data sanitization process.
  3. Always Certify – It’s best practice (see NIST SP 800-88 Rev. 1) to use data erasure methods that automatically generate certified, tamper-proof erasure reports for auditing purposes.

Download the Solution Brief.