Data Privacy Day: In conversation with Supratim Chakraborty, Partner, Khaitan & Co. on 5 Steps Business Entities need to follow in case of Data Security Breach under the PDP Bill

Please allow us a peek into your illustrious journey in law. Where did this journey begin, who were your mentors, and what keeps you busy when you’re not working?


My legal journey began from a boutique firm, Thakker & Thakker, where I got exposed to both corporate and tech law-related work. After 2.5 years, I joined Khaitan & Co and since then I have been here. It has been an exciting journey throughout, and I am fortunate that I always got to do what I like most – corporate/M&A and tech/data work. Two of my mentors in the profession who need special mention are Ketan Kothari and Anand Mehta. Both of them are excellent professionals and fabulous human beings. Apart from mentoring me on aspects of legal practice, they taught me life lessons as well. As hobbies, I love sketching (mostly caricature) and swimming.


Your message to the new crop of lawyers wanting to make a mark for themselves in this industry. There’s no elevator to success, but how steep is this climb up the ladder?


If you really love your profession, you will feel the ease of an elevator even when you are climbing up a steep ladder. I never felt any of the all-nighters at work to be exhausting as the love for the profession always overpowered any such thought.


Regarding data privacy and protection, while we do not have one consolidated legislation, do we have any protection currently under the law? 


Yes, contrary to what many people think, there is a patchwork of laws in India that addresses issues relating to data privacy and protection. On a sector-neutral basis, the Information Technology Act 2000 and rules framed thereunder play a cardinal role. In addition, there are other laws, such as the Indian Penal Code 1860, Indian Contract Act 1872, Consumer Protection Act 2019, etc. There are sectoral laws as well which impose data related obligations, e.g. laws/regulations governing sectors such as banking, telecommunications, insurance, etc.


The Personal Data Protection Bill has been in the making for some time now. Tell us about its journey and when is it expected to see the light of the day?


Yes, the process to devise a data protection legislation had commenced way back in August 2017. A committee was formed, headed by Retd. Justice B. N. Srikrishna, which crafted the Draft Personal Data Protection Bill (PDP Bill). Over the past years, multiple rounds of consultations have taken place and stakeholder inputs have been obtained in relation to the draft Bill. It also underwent a version change in between. Finally, the Joint Parliamentary Committee is now going to present its report on the Bill in the upcoming budget session of 2021. Thereafter, the PDP Bill is proposed to be debated in the Parliament and hopefully, we will have a dedicated data protection legislation very soon.


Once the PDP Bill is passed as a law, how long do you think organizations would be given to prepare for the law? What would be your recommendation to business organizations regarding preparations?


The earlier version of the PDP Bill in 2018 had specified certain timelines within which the law was to come into force after notification. However, in the current version of the PDP Bill, no definite time frame has been prescribed. Our recommendation to entities will be to commence preparation for the new law at the earliest as the EU General Data Protection Regulation (GDPR) experience has shown that it takes time for entities to equip themselves for such a law. Despite the preparation time of 2 (two) years that was allowed under the GDPR, even mature entities struggled to meet the compliance requirements. As our PDP Bill is largely modelled around the GDPR, it is advisable for entities to kick-start the compliance process as early as possible.


What are the key compliance responsibilities that business entities will have once the PDP Bill is passed as a law and will it be an easy task?


Evaluating from previous foreign law experiences on this subject, aligning the extant policies and data handling practices with the requirements of a new legal regime may prove to be an uphill task. The PDP Bill comes with enhanced compliance obligations in terms of well-defined consent requirements, a more elaborate privacy notice, rights conferred upon data principals (akin to data subjects) that entities must cater to, etc. Entities will also be faced with strict obligations in relation to personal data under the PDP Bill such as adherence to limitation on purpose and collection, restriction on unreasonable retention, maintenance of accuracy and completeness, etc.


What should be a business entity’s plan of action when they suffer a data security incident?


Entities need to embrace the lessons from data security incidents that happen across the globe. Personal data breaches can have far-reaching implications in terms of possible business interruption, reputational damage and regulatory fines. As per the PDP Bill, in case of a data security incident entities would need to follow the 5 steps set out below:

1. Draft a notice containing the incident details such as nature of personal data breached, number of data principals affected, possible consequences and immediate remedial action taken by the entity.
2. Inform the data protection authority by way of the notice, as soon as possible.
3. Notify the victims of such data security incident, if directed by the authority.
4. Take appropriate remedial action, if directed by the authority.
5. Post the details of the incident on your website, if directed by the authority.


What are the penalties for failing to comply with the PDP Bill?


The PDP Bill places increased accountability on entities which process personal and sensitive personal data. The range of fines stated under the PDP Bill is similar to that stated under the GDPR. There is also a provision of imprisonment that can be imposed on any person who attempts to re-identify anonymized data. Entities should tread with caution and note that violation of core principles attracts the maximum penalty stated under the PDP Bill, which is INR 15 crore or 4% of the total worldwide turnover, whichever is higher. Other violations will attract a penalty of INR 5 crore or 2% of its total worldwide turnover, whichever is higher. Entities may even be directed to pay compensation to individuals who have suffered because of the entity’s violation of the provisions of the upcoming law.


As a final note, would you please recommend to our readers your favourite book or movie/series that left a lasting impression on you?


I really liked this book - “Leader” by Devdutt Pattanaik, which is a collection of 50 insights from mythology. The book has amazingly crafted lessons for modern-day leaders, taking examples from mythology. Mr Pattanaik is a master storyteller and he has aced it in this book, I believe.


Thank you so much for taking our questions and speaking with us, Supratim.


Supratim is a Partner in the Corporate and Commercial Practice Group of Khaitan & Co. He specialises in corporate and commercial transactions such as mergers, acquisitions, joint ventures and general corporate law advisory. Supratim has advised eminent clients in relation to information technology laws in India including data privacy and cyber security related issues. He is a member of ASSOCHAM’s National Council for FinTech, Digital Assets and Blockchain Technology. He has spearheaded some of the important stakeholder consultation meets / feedback sessions organised by industry associations on the draft Personal Data Protection Bill. Supratim holds a GDPR FAS Certification and DPO Certification.

Supratim has been recognised as a Notable Practitioner and a Recommended Lawyer by prestigious publications and platforms, and as a ‘Leading Individual’ in 2021 in the Legal500 edition for Data Protection in India.
