26.12.2017 Views

C&L_December 2017 (1)

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

Cover Story+<br />

When enacted, it is the businesses—data<br />

controllers and data processors as they are<br />

called—will have to comply with them. And it is a<br />

no-brainer that it is the CISOs and CIOs who will<br />

have a major role to play in that compliance; in<br />

most companies, they will lead the roll out<br />

The whitepaper starts by noting that a data protection<br />

framework in India must be based on the following seven<br />

principles:<br />

1. Technology agnosticism - The law must be technology<br />

agnostic. It must be flexible to take into account<br />

changing technologies and standards of compliance. <br />

2. Holistic application - The law must apply to both<br />

private sector entities and government. Differential<br />

obligations may be carved out in the law for certain<br />

legitimate state aims.<br />

3. Informed consent - Consent is an expression of<br />

human autonomy. For such expression to be genuine,<br />

it must be informed and meaningful. The law must<br />

ensure that consent meets the aforementioned criteria.<br />

4. Data minimization - Data that is processed ought to<br />

be minimal and necessary for the purposes for which<br />

such data is sought and other compatible purposes<br />

beneficial for the data subject.<br />

5. Controller accountability - The data controller shall<br />

be held accountable for any processing of data, whether<br />

by itself or entities with which it may have shared the<br />

data for processing.<br />

6. Structured enforcement - Enforcement of the data<br />

protection framework must be by a high-powered<br />

statutory authority with sufficient capacity. This must<br />

coexist with appropriately decentralised enforcement<br />

mechanisms.<br />

7. Deterrent penalties - Penalties on wrongful processing<br />

must be adequate to ensure deterrence. <br />

When enacted, it is the businesses—data controllers<br />

and data processors as they are called—will have to comply<br />

with them. And it is a no-brainer that it is the CISOs<br />

and CIOs who will have a major role to play in that compliance;<br />

in most companies, they will lead the roll out.<br />

For their benefit, we have gone into the<br />

233-page document and have extracted the most relevant<br />

questions that have a direct bearing on compliance,<br />

though it is recommended that they read the entire document,<br />

which is available at http://www.cioandleader.com/<br />

dataprotectionwp<br />

We have selected only close-ended questions, that are<br />

most relevant. Questions about nuanced of legal approach<br />

too are avoided. To help you directly go to questions<br />

that interest you and the corresponding discussion that<br />

precedes them, we have provided the chapter no, chapter<br />

name, question number and the page number along with<br />

each question.<br />

Here are the selected questions.<br />

<strong>December</strong> <strong>2017</strong> | CIO&LEADER<br />

15

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!