Personal Data Protection: What MSMEs must know

As always, let’s start simple. 

Let's say your enterprise, ABC Ltd., is collecting data from a new customer. You collect the customer's name, phone number and other basic details while signing them up for your company's products or services. Your company, however, does not have the infrastructure to store and process large amounts of data, so you hire the services of XYZ Ltd. to do it for you. Now let's understand who's who:

Data Principal: The customer whose data is in question

Data Fiduciary: Your company, ABC Ltd. The entity that determines the purpose and manner of data processing. 

Data Processor: The company, XYZ Ltd. The entity which processes the data on behalf of the data fiduciary.

Personal Data: Data which is directly or indirectly used to identify a person, in this case, the customer. For instance, name, address, phone number, Aadhaar card number, etc.

With these basics in place, let's go forward to understand the world of data protection laws, and how they are relevant for MSMEs.

Put very simply, data is poised to be the super-resource; some are calling it the 'new oil'. True or not, data and its security are the top priority for progressive nations across the globe. India is taking steps to ensure and safeguard data privacy, and this is happening via the new data protection laws. The much talked about and awaited Personal Data Protection Bill will cover the mechanisms for the protection of personal data.

The bill will lay down rules and frameworks for agencies collecting personal data (data fiduciaries like your company) to collect only the data that is required for a specific purpose. This must only be done with the express consent of the data principal (in this case, the customers). These provisions are aimed at safeguarding essential data and preventing fraudulent activities such as data theft, security breaches and data leakages. The bill confers the right to restrict or prevent the disclosure of personal data. The companies will have the right to obtain personal data, correct inaccurate data, and erase, update and port it to other fiduciaries.

The key element for MSMEs to implement is to balance the rights of the data principals while harnessing the power of the data and its insights for business benefits. This is why it is critical to understand the rights of the data principals before collecting or processing their data.

Rights of the Individual/Data Principal

In the new data regime, the individual or data principal will have the right to: 

1. Receive confirmation from the service provider on the processing of personal data.

2. Seek correction of personal data which is inaccurate, incomplete or obsolete. 

3. Seek erasure of data that is no longer useful for the purpose for which it was initially collected.

4. Transfer personal data to any other service provider under certain circumstances.

5. Restrict disclosure of their personal data by a fiduciary, if the purpose of processing is over or the consent is withdrawn. 

A data principal who believes their rights have been compromised can raise this with the service provider. In case of non-compliance, the aggrieved person can approach the proposed Data Protection Authority for enforcement of their rights under the framework of this bill.

Data Protection Authority of India (DPAI)

This is a key part of the data ecosystem that is being envisioned. The Personal Data Protection Bill envisages the creation of a Data Protection Authority, which is required to protect the interest of individuals, prevent misuse of personal data and ensure compliance with the Bill. It has the right to impose penalties in the case of violations of data protection norms.

Implications for MSMEs

The ultimate objective of this legislative framework is to create an atmosphere that promotes greater ease of doing business. This will be achieved with the establishment of the DPAI and clearly laid down processes and redressal mechanisms. The body will protect the interest of the MSMEs, as much as those of the data principals. Its work must begin with preventing misuse of personal data and ensuring compliance, and will also include promoting awareness about the subject.

In conclusion…

The basis for holistic growth for MSMEs is the setting of rigorous, effective standards enabling the greatest amount of access and accountability while also protecting the citizens and their data. The DPAI and associated mechanisms and controls that the Government of India is setting up are key in terms of promoting a basic standard of rights to the citizens with respect to data. This has a strong correlation with a sense of self and security, an area over which the citizens have historically had the least amount of control. I expect this sense of security over data to change with the advent of a new era of regulation-based models that are aimed at promoting business success.



Arvind Gupta

Head and Co-Founder | Digital India Foundation

He has over 27 years of industry experience, having worked in diverse sectors in a variety of leadership, policy and entrepreneurial profiles in India and Silicon Valley, USA. He has considerable experience in Consumer Internet, Digital Media, Payment Systems, Analytics and Data Economy.