Indian Authorities are set to clamp down on data breaches and tighten rules for holding sensitive data. Indian firms will no longer be able to store payment card information, with only card issuers and card networks such as Visa or Mastercard permitted to do so.
Organizations will be forced to disclose data breaches within 72 hours, bringing India in line with territories such as the EU, which mandates breach disclosures under its General Data Protection Regulation (GDPR).
Payment Card Data
The Reserve Bank of India is adding new restrictions on who can hold payment card data, starting from January 1, 2022. Under the new rules, only the card issuer and card network can hold full card details.
Others, including retailers, (Flipkart, Amazon, Paytm, etc, _) can only hold limited data for identification or “reconciliation purposes”. These data include the last four digits of the card number and the card issuer’s name. Any organization other than the card issuer or network that holds full card data needs to purge it. The new rules follow moves over the last few years to permit card networks to allow tokenization services for payment card details.
Organizations in India will be forced to disclose any data breach within 72 hours, with potential jail terms or fines being introduced for those who intentionally disclose personal data without the consent of the data processor.
Firms will need to report any leaks and take “appropriate remedial measures” to protect their customers following a breach. The proposal comes as the Personal Data Protection (PDP) Bill, first proposed in December 2019, is being considered by a joint committee of the Indian parliament’s lower and upper chambers, the Lok Sabha and Rajya Sabha respectively.
Lawmakers expect India’s Data Protection Authority to start work on implementing the proposals within six months, and organizations handling data will need to register within nine months. The full bill is expected to be implemented in the next two years.
Penalties for breaches include jail terms of up to three years or fines of up to 200,000 rupees ($2,678) for anyone who intentionally discloses personal data without permission.
If any organization acting as a ‘data fiduciary’, or data controller, fails to disclose a breach, fails to register with the DPA, fails to conduct the required audits or fails to appoint a data protection officer, it faces a fine of up to 2% of worldwide turnover, or 50 million rupees (around $669,308).
The Joint Parliamentary Committee has also recommended that social media companies be treated as content publishers under the DPA, unless they “act as intermediaries”. This means social media firms will be held accountable for content from unverified accounts on their services.
By getting the right standards in place and enshrined in regulation, it will make it easier for companies to know what security they must put in place to conduct their operations. This will also support the development of digital businesses in India as trustworthy, secure companies that consumers can trust.
Looking at the PDP bill, this will ensure that India has a standard set of rules and regulations with regards to data protection and governance, similar to those that were created for developed markets like the United States and the European Union.