GDPR – Financial institutions will need special skills

Updated: August 3, 2018

Shaily Soni & Shisham Priyadarshini

The committee headed by Justice B.N. Srikrishna, constituted to examine issues related to data protection, recommend methods to address them and draft a data protection law, has suggested that enforcement of the data protection framework must be carried out by a high-powered statutory authority, and that for any violation of obligations by a data controller a civil penalty may be imposed, not merely as a sanction but as a deterrent.

Discussing the suggestions made by the committee in a white paper, Shisham Priyadarshini, partner, and Shaily Soni, associate, at law firm Rajani Associates, say that the committee has also analyzed the GDPR adopted by the 28-member EU and has suggested that it is necessary to keep the EU approach to the protection of personal data in mind, alongside the recognition of the right to privacy by the Supreme Court of India and other such legislative developments.

They say: “Compared to GDPR, the Information Technology Act, 2000 (IT Act) together with the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (Rules) are felt to be insufficient to address the issue of data privacy. Though the IT Act is being criticized, it is pertinent to note that the IT Act and Rules have few similarities to GDPR.”

They also feel that, with the growing digitization in India and the adoption of new marketing techniques, financial institutions would have to examine their marketing processes, along with other operations involving personal information, against the yardsticks of GDPR. “This regulation empowers the individuals by giving them certain rights like right to access, erasure, objection, etc., and thus financial institutions would be required to pace up with structured implementations and adequate data protection mechanisms in their systems,” they say, adding that finance, being an important part of the market, would certainly require a special skill set to maintain harmony between institutional operations and the processing of personal information in those operations.