How India’s Data Privacy Rules can affect US I.T Companies
What do the Privacy rules state?
In accordance with the Privacy rules, organizations ought to notify individuals when their personal information is collected via letter, fax, or email ; make a privacy policy available ; take steps to secure personal information and offer a dispute resolution process related to the collection and use of personal information, etc. Any personal data collected within India or moved into and outside India from another country also comes under the preview of the Privacy Rules.
Details of the Privacy Rules:
- The Indian Government has now been empowered to obtain sensitive personal information about individuals from companies without a warrant or the concerned person’s consent;
- Provisions for body Corporate or its agents to have a security program and information security policies in place, etc.
There are concerns about nearly unchecked power of the government (to obtain sensitive personal information). Under current rules, authorities’ request for obtaining information must be made in writing, stating the reason for seeking such information. The privacy policy also states that every corporate, person or agent who collects, possess, stores, deals or handles information should have in place a privacy policy for handling and/or dealing in personal/ sensitive information. Such a policy must be consistent with the rules and the same should be made available to providers of information. Such policy must also be published on the website of the corporate.
Prior consent of data providers and use of such data
A corporate body or any person on its behalf must not only obtain a prior consent in writing from the provider of sensitive personal data/information, but also ensure that the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf. It is pertinent to note that a holder of sensitive personal data or information must not retain that information for longer than is required for the purposes for which the information may lawfully be used. Also, any collected information can only be used for the purpose for which it has been collected. Data providers shall enjoy the right to review the information that they have provided. They also have the right to amend any personal information which they have found to be inaccurate or deficient.
This effects outsourcing providers who may need to notify calling in at a call center about their data handling practices and to obtain consent to handle personal data. Companies also need to ensure their client’s data handling practices match the requirements laid down in the new rules.
Companies have to take inot account a certain risk factors while expanding business overseas. . If unchecked, these risks have the capacity to destroy an organization’s reputation and financial viability of the organization. You can gain a business advantage with the help of a business partner, as they have the knowledge and expertise to ensure that the rules and regulations of each country are followed and can also provide services in areas of HR, payroll,international accounting,expat tax advice, etc.