The EU’s General Data Protection Regulation (GDPR) has been around for some time now and has set the stage for other countries and regions to follow suit. As such, understanding a new data protection regulation can be fast-tracked by looking at the similarities and differences between the new regulation and GDPR. When comparing these two privacy laws, you’ll find roughly an equal number of elements requiring small or minimal changes compared to significant or large changes.
Similarities Between PDPB and GDPR
If your organization is already GDPR compliant, these elements will require minimal additional effort to support PDPB too:
- Relevant Parties - Terms may vary, but the concepts are mostly the same. GDPR uses controller, processor, and data subjects, and PDPB uses data fiduciary, data processor and data principles.
- Transparency - These requirements have a lot in common, although there are some requirements to provide additional disclosures, contact information, and data recipient information.
- Scope - PDPB could have a potentially larger scope, but it is still focused on data from the country of origin.
- Personal Data - Personal data is protected under both mandates, with anonymous use, personal use, and law enforcement/national security all being out of scope. The specific data included is similar, although PDPB includes a slightly larger scope as it does not consider how likely an individual may be identified. Research exemptions may be wider than with GDPR.
- Breach Notification and Penalties - These are similar, although PDPB is not as prescriptive on notifications.
- Right of Correction and Profiling, Information Security, Appointment of Processors, and Record of Processing - Very similar with limited changes needed.
- Principles - PDPB instead has provisions, but at the highest level they are very similar. The role of consent is more emphasized, storage limitations are more specific, and accuracy guidance is more specific as well.
- Appointment of a representative - PDPB does not have this concept at all.
Differences Between PDPB and GDPR
Despite all the similarities listed above, there is a large gap between GDPR and PDPB. Even if your organization is already GDPR compliant, it will take more time and effort in these areas to also meet PDPB:
- Children - PDPB defines children as under the age of 18, while GDPR has it set under 16 with some states between 13 and 16. Verification of age and parental consent also make this area a significant gap.
- Sensitive Personal Data - While both have several identical definitions, PDPB allows the government to define additional categories for sensitive data and includes financial data, whereas GDPR does not.
- Anonymized Data - PDPB provides the government the ability to require anonymized data to be released.
- Consent - PDPB has more flexibility than GDPR, but this flexibility means more work to adapt appropriately.
- Rights of Access, Portability, and To Be Forgotten - While the rights are similar in concepts, each of these elements will require significant changes. There are some data fiduciary requirements around sharing of data that could be difficult to address without specific documentation and operational changes. Portability is defined more broadly in PDPB.
- Interests - PDPB is quite a lot more stringent with its definition of reasonable purposes. This topic will need significant separate review compared to GDPR, with focus on data fiduciary.
- Lawful Basis - GDPR has six reasons to process data where PDPB has seven, but these are different enough that an organization will need to review these in detail in order to meet the requirements for PDPB.
- Social Media - GDPR has nothing in this space, while PDPB includes requirements to have social media intermediaries verify information and register services.
- Sensitive Data Processing and International Data Transfers - Another area where significant work will be required compared to GDPR, because of a wider definition for sensitive personal data, data storage in India, and explicit consent.
- DPA (Data Processing Agreement) and Audit Requirements - GDPR does not have a DPA nor the audit requirements of PDPB. Any entity that is considered a significant data fiduciary has to register with the DPA. Audit Requirements include independent auditors and even data trust scores to be met. The DPA has the potential to make or impact many requirements.
- Localization and Government Requirements - PDPB requirements for the storage and processing of sensitive data in India are very different compared to the GDPR requirements. Also the PDPB allows the government to exempt itself from many of the requirements.
Dealing with any of the new or emerging privacy laws is a challenge for any organization, so the real question is how to manage all data consistently. Understanding similarities and differences between them can be helpful, but the ability to track and protect any data easily to meet any regulation, standard, security framework, compliance mandates, and of course the various data privacy laws could become one of the most challenging tasks for many organizations in the years to come. If you are interested in an efficient and long term approach to ensure your organization can succeed in this down the road, contact us here.