GDPR Update: India – The Latest Data Protection Domino to fall

GDPR Update: India – The Latest Data Protection Domino to fall

In the latest move in global data protection reform, India has taken a large step towards introducing its own data protection law.

The Srikrishna Committee submitted its report on and draft of the new data protection legislation ‘The Personal Data Protection Bill 2018’ (PDP), which is awaiting parliament and presidential approval. Over the past five years India’s online reach has continued to grow and with this fast move towards digitalisation, the PDP was created with the intention of filling the gap that existed in the current data protection regime

Like GDPR, PDP makes informed consent the key to the processing of an individual’s personal data. The Bill will introduce several similar new rights including the right of correction, the right of data portability and the right to be forgotten. There will also be strict rules and regulations on the processing companies, these will comprise of: prescribed breach reporting duties, policies and procedures for data processing, duties to maintain transparency and duties implement security safeguards.

Mirroring the GDPR, international transfers outside of India, must either be made subject to standard contractual clauses approved by a prescribed authority or to a jurisdiction approved by the government. Similarly, the penalties remain largely the same as the GDPR; the maximum penalty being 4% of the annual global turnover. The PDP will also apply to foreign data processors where they have a business connection to India or carry on activities involving individuals in India.

Where a level of interest arises the PDP also states that data processors must store one copy of all personal data on a server/data centre located in India and may even necessitate that certain critical categories of personal data can only be processed in a server or data centre located in India.

The PDP is yet another example of the global importance data has in our current and future society. Considering the current climate surrounding data protection and the public’s desire for safeguards, it is difficult to see how this measure will not pass successfully through the legislative system.

BM Data Services

Blaser Mills Law recently launched a data protection consultancy business, BM Data Services Limited. The consultancy can act as a Data Protection Officer (DPO) for businesses who either under GDPR must appoint a DPO, or due to the nature of their business and data, wish to outsource this responsibility. BM Data Services can also act as an EU Representative for non-EU businesses that are required to appoint a representative in the EU under Article 27 GDPR. For more information about BM Data Services, please email

Note, BM Data Services Limited is a separate business and is not part of Blaser Mills Law. It provides data protection services through qualified GDPR IT governance practitioners. BM Data Services Limited does not offer legal services and is not regulated by the Solicitors’ Regulation Authority.