Government Policies and Business Regulatory Environment


The Right to Privacy is a fundamental right and is protected under the Indian Constitution. The privacy rules in India were contained in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) notified under the Information Technology Act, 2000. The Privacy Rules are applicable to bodies corporate across industries and sectors. The introduction of the Privacy and Data Protection Bill has brought India to the forefront globally with respect to the handling of an individual's personal information.

The proposed bill emphasizes 'consent' as the most significant acceptable ground for processing/collecting personal data.

Some of the areas organizations need to address to comply with the requirements of the bill:

  • Privacy by design throughout the data life cycle - collection, processing, storage, transmission, archival, and data disposal;
  • Limit data collection to the minimum required for the purpose of processing;
  • Respect the rights of the data principal;
  • Organizations will need to store at least one serving copy of the personal data on a server or data center located in India;
  • Parental consent is mandatory for processing children’s information;
  • Provision for notification to the Data Protection Authority (DPA) in case of a data breach;
  • Organizations are required to implement appropriate security safeguards to protect personal information.

Under the Rules, a body corporate handling or collecting personal information from any person is required to:

  • Provide a privacy policy and make it accessible to the providers of the information;
  • Retain information only for such time period as may be required;
  • Keep the information secure and not publish it;
  • Obtain permission of the provider of information prior to the disclosure of such information, unless required to be disclosed by law or to certain government agencies;
  • Permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible;
  • Provide an option to the provider of information to not hand over the data or information sought to be collected or to withdraw the consent given earlier;
  • Address any discrepancies and grievances of the provider of information with respect to the processing of information in a timely manner. For this purpose, the body corporate has to designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer will have to redress the grievances of the provider of information expeditiously, within one month from the date of receipt of grievance.

Certain industries, where technology and data transfer are critical, are closely monitored by the government, e.g., licensed defense industries in the private sector.
