C&L_December 2017 (1)
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Cover Story+<br />
When enacted, it is the businesses—data<br />
controllers and data processors as they are<br />
called—will have to comply with them. And it is a<br />
no-brainer that it is the CISOs and CIOs who will<br />
have a major role to play in that compliance; in<br />
most companies, they will lead the roll out<br />
The whitepaper starts by noting that a data protection<br />
framework in India must be based on the following seven<br />
principles:<br />
1. Technology agnosticism - The law must be technology<br />
agnostic. It must be flexible to take into account<br />
changing technologies and standards of compliance. <br />
2. Holistic application - The law must apply to both<br />
private sector entities and government. Differential<br />
obligations may be carved out in the law for certain<br />
legitimate state aims.<br />
3. Informed consent - Consent is an expression of<br />
human autonomy. For such expression to be genuine,<br />
it must be informed and meaningful. The law must<br />
ensure that consent meets the aforementioned criteria.<br />
4. Data minimization - Data that is processed ought to<br />
be minimal and necessary for the purposes for which<br />
such data is sought and other compatible purposes<br />
beneficial for the data subject.<br />
5. Controller accountability - The data controller shall<br />
be held accountable for any processing of data, whether<br />
by itself or entities with which it may have shared the<br />
data for processing.<br />
6. Structured enforcement - Enforcement of the data<br />
protection framework must be by a high-powered<br />
statutory authority with sufficient capacity. This must<br />
coexist with appropriately decentralised enforcement<br />
mechanisms.<br />
7. Deterrent penalties - Penalties on wrongful processing<br />
must be adequate to ensure deterrence. <br />
When enacted, it is the businesses—data controllers<br />
and data processors as they are called—will have to comply<br />
with them. And it is a no-brainer that it is the CISOs<br />
and CIOs who will have a major role to play in that compliance;<br />
in most companies, they will lead the roll out.<br />
For their benefit, we have gone into the<br />
233-page document and have extracted the most relevant<br />
questions that have a direct bearing on compliance,<br />
though it is recommended that they read the entire document,<br />
which is available at http://www.cioandleader.com/<br />
dataprotectionwp<br />
We have selected only close-ended questions, that are<br />
most relevant. Questions about nuanced of legal approach<br />
too are avoided. To help you directly go to questions<br />
that interest you and the corresponding discussion that<br />
precedes them, we have provided the chapter no, chapter<br />
name, question number and the page number along with<br />
each question.<br />
Here are the selected questions.<br />
<strong>December</strong> <strong>2017</strong> | CIO&LEADER<br />
15