According to local media reports, Indian authorities are planning to crack down on data breaches and tighten data storage standards. Organizations would be required to report data breaches within 72 hours, bringing India into line with jurisdictions such as the EU, whose General Data Protection Regulation (GDPR) requires notification of a breach to the supervisory authority within the same 72-hour window.
Only card issuers and card networks, such as Visa or Mastercard, would be allowed to hold payment card data in India.
Starting January 1, 2022, the Reserve Bank of India (RBI) will impose new restrictions on who can keep payment card data.
Under the new guidelines, only the card issuer and the card network may keep full card details. Everyone else, such as merchants, may keep only a limited amount of data for identification or “reconciliation reasons”: the last four digits of the card number and the name of the card issuer. Any company that currently retains full card data but is neither the issuer nor the network must erase it.
The new restrictions follow initiatives in recent years to let card networks offer tokenization services for payment card information, so that merchants can store a token in place of the card number.
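As an added illustration, not code from the original report and not something RBI, a card network or any named vendor publishes, the following Python shows what a merchant's engineers might run over stored records to find retained full card numbers and reduce them to the last four digits while keeping the issuer name. The record layout, the field names `pan` and `issuer`, and the sample records are constructed for this example; the Luhn check is used only as a filter for card-like digit runs in free text, and known card fields are masked unconditionally so that a mistyped number is never left behind.

```python
import re
from typing import Dict, List

# Candidate PAN in free text: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Structured fields that are known to hold a card number (assumed names).
CARD_FIELDS = {"pan", "card_number"}

# Constructed sample records; the card numbers are the well-known test PANs,
# not real customer data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"order_id": "A1001", "issuer": "Example Bank",
     "pan": "4111 1111 1111 1111", "note": "paid 2021-10-01"},
    {"order_id": "A1002", "issuer": "Example Bank",
     "pan": "5555-5555-5555-4444", "note": "ref 20211001123456"},
    {"order_id": "A1003", "issuer": "Example Bank",
     "pan": "4111 1111 1111 1112", "note": "typo in PAN, failed auth"},
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(digits: str) -> str:
    """Keep only the last four digits, as the RBI guidance permits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return card-like digit runs in free text that also pass Luhn.

    Luhn is a filter, not proof: roughly one in ten random digit runs
    passes it, so hits still deserve a human look.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def redact_text(text: str) -> str:
    """Replace Luhn-valid card-like runs in free text with a masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return mask_digits(digits)
        return m.group(0)       # timestamps, references etc. are left alone
    return PAN_RE.sub(_sub, text)


def redact_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the record that keeps only permitted card data.

    Known card fields are masked even if they fail Luhn (a mistyped PAN is
    still card data); every other string field is scanned as free text.
    The issuer name carries no digits and is retained as-is.
    """
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in CARD_FIELDS and isinstance(value, str):
            out[key] = mask_digits(re.sub(r"\D", "", value))
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


def remaining_pans(records: List[Dict[str, str]]) -> List[str]:
    """Audit helper: list order ids that still contain a full card number."""
    return [r["order_id"] for r in records
            if any(find_pans(v) for v in r.values() if isinstance(v, str))]


if __name__ == "__main__":
    cleaned = [redact_record(r) for r in SAMPLE_RECORDS]
    print("before:", remaining_pans(SAMPLE_RECORDS))
    print("after: ", remaining_pans(cleaned))
    for r in cleaned:
        print(r)
```

Running the audit helper before and after the purge is the check a practitioner would want: the purge is only done when `remaining_pans` comes back empty for every store, including logs and free-text fields that were never meant to hold a card number.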
Notification of a data breach
Organizations in India would be required to report any data breach within 72 hours, and anyone who knowingly exposes personal data without the agreement of the data processor could face jail time or fines. After a breach, a business must both report it and take “necessary remedial measures” to protect the affected customers.
The recommendation comes as a joint committee of the two chambers of the Indian parliament, the Lok Sabha and the Rajya Sabha, considers the Personal Data Protection (PDP) Bill, first introduced in December 2019. According to local media sources, India’s Data Protection Authority (DPA) is expected to begin implementing the recommendations within six months, and firms that handle personal data would have to register with it within nine months.
The bill would be implemented in its entirety within two years.
Proposed penalties
For those who knowingly divulge personal data without permission, penalties include up to three years in prison or fines of up to 200,000 rupees ($2,678).
A company acting as a ‘data fiduciary’ (the bill’s term for a data controller) that fails to report a breach, register with the DPA, carry out the required audits, or appoint a data protection officer could face a penalty of up to 2% of its global turnover or 50 million rupees (about $669,308), whichever is higher.
The Joint Parliamentary Committee also recommends that social media businesses be treated as content creators under the bill unless they “operate as middlemen.”
In practice this means a social media company would be held liable for anything posted by unverified accounts on its platform.
Security practitioners in India have welcomed the proposals as bringing the country’s data privacy and security rules into line with international standards.
“India is evolving its approach to security to match or exceed that of other countries across the world, and to create the correct foundation for the country’s economy to thrive over time,” said Deepak Naik, a Mumbai-based vice president at cybersecurity firm Qualys.
“It will be easier for enterprises to know what security they need to put in place to perform their operations if the necessary standards are in place and codified in regulation.”
This would also help digital enterprises in India grow as secure businesses that consumers can trust.
“Looking at the PDP bill in particular, it will ensure that India has a uniform set of data security and governance rules and regulations, comparable to those that were implemented in the United States and European Union.”