One of the recommendations of the JPC regarding DPA 2021 (Recommendation 4) is that the “Authority should ask the data fiduciaries to maintain a log of all data breaches (both personal and non-personal data breaches) to be reviewed periodically by the authority, irrespective of the likelihood of the harm to the data principal.”
This provision means that the Incident Register maintained by the Data Fiduciary should be made available to the DPA from time to time. Since the normal Incident Register of an organization may contain many issues which cannot be classified as a “Data Breach”, it becomes necessary to maintain a separate register for “Data Breach Incidents” and, if possible, to record “Personal Data Breach Incidents” separately from “Non Personal Data Breaches”.
The possibility of the DPA having access to the Incident Register could mean that if there is a delay between “getting knowledge of a data breach” and “reporting the data breach”, the DPA may be able to penalize the company. The committee suggests that if harm is caused on account of the delay in reporting the breach, the data fiduciary would be held responsible. However, where a data breach occurs despite precautions and arises out of business rivalry or espionage, the DPA may consider a temporary reprieve for the data fiduciary regarding reporting of the breach to the data principal.
While the suggestion of the committee on sharing the Incident Register is appreciated as a measure to ensure prompt reporting, the practicality of the DPA being able to make proper use of this “Incident Watch” across the thousands of data fiduciaries coming under its watch is a challenge, to say the least. At best, these registers become material to be considered when there is a data breach report to be investigated.
If we remember, under the CERT-IN guidelines for Cyber Cafes it was stated that monthly reports of Cyber Cafe server activity had to be shared with the authorities. But it remained an impossible provision, completely forgotten by all. This “Incident Report” to be shared with the DPA is also likely to be one such non-starter.
In any case, since this is not part of the actual Act, it remains a part of the wish list and is unlikely to be implemented.
Under Recommendation 2 it is suggested that the DPA will consider regulations on Non Personal Data, to be issued in due course. However, for several more years the DPA is unlikely to catch up with the burden of regulating personal data and the multitude of regulations that need to be issued from time to time, leaving it no time to consider regulations on Non Personal Data. Hence the “Non Personal Data Regulation” is likely to remain only an empowerment for the time being and is not likely to be taken up in the first two or three years.
(To be continued…)
Naavi
Other articles on DPA 2021
14. PDPA 2021: Concept of Discovery Consent
13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System
12. JPC recommendation on Children Data
11. JPC recommends DPA to watch on Incident Register
10. JPC comments beyond the Amendments-2: Implementation Schedule
9. JPC comments beyond the Amendments-1-Priority of law
8. Clarifications from the JPC Chairman on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data