In light of India’s forthcoming Personal Data Protection (PDP) bill, how can global organizations best manage local risks?
It’s now five years since the EU General Data Protection Regulation (GDPR) was adopted and three years since its 2018 implementation. Yet its ripples are still being felt as regulators across the world adapt to this ‘gold standard’ by amending their existing legislation or bringing in new rules. From California to China, the direction of travel is much the same, but the spotlight now swings to India, where the much-delayed Personal Data Protection Bill (PDPB) is edging closer to being passed into law; reports suggest it may be enacted by the end of 2021.
Why Does it Matter? India as the World’s Data Capital
With a population of well over one billion, India is the world’s second-most populous country and the fifth largest in terms of GDP. This alone makes India a key trading partner from both a western and an eastern perspective. However, India’s importance in the global data privacy world extends beyond its huge domestic market and global export capabilities. India is a leader in IT and managed services, making it effectively the world capital of data handling and processing, with over 55% of the global outsourcing market share.
Let’s start with the good news: whatever the outcome of the drafting process, the majority of the PDP Bill requirements will almost certainly be the same as, or very similar to, existing GDPR rules. Given that most organizations – whether EU-based or not – have already been through the process of aligning with GDPR, this de-risks much of the compliance journey. However, that still leaves many significant differences in definition, scope, and application to contend with. For those who would like to study this in detail, the International Association of Privacy Professionals (IAPP) has published an excellent chart highlighting the variances and congruences: Indian Personal Data Protection Bill 2019 vs. GDPR.
The Data Localization Challenge
One key divergence and area of concern for global organizations (although such is the reach and scalability of modern businesses that many start-ups and small and medium-sized enterprises (SMEs) will also be affected) is the PDP Bill’s data localization requirements. These require that sensitive personal data relating to Indian citizens must be stored in India, although a copy of such data may be transferred outside the country in accordance with the data transfer requirements set out in the PDPB.
The Reserve Bank of India (RBI) has already mandated, since April 2018, that all financial institutions implement data localization norms for all payment systems they operate.
With the PDPB, however, the scope of data localization would extend beyond payments data and financial institutions.
According to media reports, the authorities are pushing for data localization to ensure easy access to data during investigations and regulatory enforcement. The RBI has also been swift in its enforcement: two large global payments companies were barred from issuing any new cards until they implemented data localization for all of their payment systems.
Time to go Global on Localization?
India is not the first country to introduce data localization rules, nor will it be the last. Data localization is therefore becoming an increasingly global challenge as national regulators recognize the need for certain types of data to be stored locally and seek better control over cross-border data transfers.
For global companies operating across multiple countries and selling products and services that typically rely heavily on data, this creates a major challenge. How best can they comply with a variety of different and complex national regulations, while also managing their global operations efficiently and taking full advantage of emerging, data-driven technologies?
So, before returning to India, let’s look briefly at the models being developed by organizations to deal with the global data localization challenge.
Centralized, De-centralized or Hybrid?
Some multinationals with a relatively mature data privacy program are deploying a decentralized model. This means that technical, security and governance aspects of data privacy are operationalized on a country-by-country basis. As such, they are driven by the risk landscape of each region or jurisdiction in which they operate. While this has advantages in terms of responsiveness to local markets and minimizing compliance processes, it does risk a lack of continued alignment and consistency. It’s also not a model that suits all businesses, particularly those with more centralized structures and standardized products or services.
Others are adopting a centralized model which, in order to meet local rules, is not ‘one size fits all’. It relies on the company’s existing global privacy framework being aligned to the GDPR, which in itself will ensure compliance with the majority of standards across the globe. Its strong risk and control measures then help the company recognize and respond to any local differences. As the data rules will impact many parts of the organization, from marketing to HR and from data processing to finance, it’s essential to engage across the business, whether you are Chief Data Officer, Chief Risk Officer, Data Protection Officer, or Chief Information Officer.
In reality, because even the strongest global privacy framework is going to need some special ‘in country’ measures, the hybrid model is likely to win out over the two described above.
Scale and Size Matter
The approach taken on data localization may also depend on the resources available. For example, large tech players may have the funds and scale of operations to justify the creation of a separate cloud solution that holds and processes local data, thereby addressing localization requirements.
For other businesses, particularly tech start-ups and SMEs, this option will be unattainable, but a lot can be achieved by taking a deep dive into data flows to highlight the areas of highest risk. In some sense, however, data localization norms will not impact local SMEs and start-ups, which in India, for instance, already make extensive use of cloud infrastructure hosted in-country by global and local cloud providers. Then it’s a case of strengthening controls and systems so that local personal data is clearly flagged as requiring special attention. Once a solution has been identified – whether, for example, using a local service provider to process sensitive data or reviewing existing data transfer mechanisms such as binding corporate rules (BCRs) so that they satisfy a local DPA – it is about having the governance in place to make sure it is adhered to strictly. As cybersecurity becomes an ever-increasing concern, it will be worth building it in alongside new and existing data privacy systems.
The Pandemic Adds Pressure
With the restructuring and cost optimization taking place across hard-hit industries like aviation and automotive during the pandemic, risks can emerge around data localization. For example, the closure of local operations may require data to be transferred out of India to another region or to global headquarters. More generally, rapid change, budget reductions, and changes in structure are all likely to raise risks. Conversely, for the tech firms that have grown rapidly during the pandemic and where M&A activity is bouncing back, such expansion means new territories, new third parties, and new vendors. This brings risks and requires compliance approaches that go beyond box-ticking and are tested against the applicable risk scenarios.
With the India PDP Bill yet to be finalized, and the enforcement rules, penalties, and regime likely to take a while to bed down, why should organizations act now rather than leave it until later? The answer is the opportunity it provides to adapt, not only to India’s new requirements but to a future in which data privacy and cybersecurity will remain pressing problems, both local and global. In other words, don’t be reactive, be proactive.
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
This article was originally published in ETCIO: The last mile of Indian Personal Data Protection Bill, IT News, ET CIO (indiatimes.com)