Bureau of Indian Standards Establishes Data Privacy Standard for Businesses


By Bhavana M.

The Bureau of Indian Standards (BIS) on November 20, 2020 established standards for personal data protection for businesses in India to adopt. The BIS is India’s national standards body. The Data Privacy Assurance standard — IS 17428 — was published to promote the standardization of practice in protecting personal data for businesses that deal with the collection and processing of individual information. The standard is available to download from BSB Edge; we are not linking to a copy as reproduction is prohibited.

Businesses have so far developed and adopted their own standards and practices to protect user data. The standards released by BIS seek to facilitate a consistent and approved practice of protecting personal data. Businesses might be interested in the standards given that BIS standards are generally accepted in other industries and are often used by the government to evaluate compliance. In formulating the requirements, experts from relevant industries, academia and the government have been consulted (see full list of entities below). 

IS 17428 provides for requirements that a business must comply with in order to promote an effective Data Privacy Management System. However, it is only complementary to the regulatory framework applicable for personal data protection and does not apply to businesses that process Non Personal Data. Given that India’s Personal Data Protection Bill has not yet been passed by Parliament, this standard may well be the closest there is to a reference point for businesses. The standard can be adopted by both data processors and data controllers. 

The BIS has also published, in a separate document, guidance to IS 17428 that gives additional detail on how businesses can comply with the standard. The guidance does not replace the standard itself: businesses must comply with Part 1 of IS 17428 to be fully compliant with the BIS standard.


Key features of the Data Privacy Assurance standard — IS 17428

The standard prescribes that businesses must develop their privacy requirements based on the product, service or solution they provide. Such privacy requirements must be developed in view of applicable laws and regulations. Further, the collection and processing of data must be based on recognized privacy principles such as lawfulness, fairness, transparency, accuracy, purpose limitation, storage limitation and data minimization. Additionally, businesses must ensure that adequate security controls are adopted to protect the collected personal data, and the standard also imposes restrictions on the transfer of that data.

The standard suggests that entities must enable a data privacy function (DPF). The DPF will be an independent structure within the business entity which will exercise oversight on how personal information is processed and privacy controls are managed. It also provides for a data privacy management system (DPMS) that will guide the business in implementing the privacy requirements. The DPMS will clearly lay out the criteria for classifying information, procedure to introduce processing of new personal data elements and such other requirements. The business must take reasonable measures in periodically evaluating and updating the DPMS.

The standard also provides for periodic privacy impact assessments that must be carried out by the business. Whenever the business perceives that a change in its practices could potentially affect the privacy of individuals, an impact assessment must be carried out. Yet another significant requirement is that data processors that process information on behalf of the data fiduciary must be periodically evaluated. The standard stipulates that data processors must be evaluated, and that any transfer of obligations to them can only take place contractually, in order to mitigate the risk of a breach.

Businesses must specifically ensure that their staff and contractors are aware of the gravity of dealing with personal information and are sensitized to take the utmost care in handling it. Adequate provision must also be made to trace staff actions and hold staff accountable in case of a breach of their duty of care.

The standards might go a long way in charting out industry good practices for personal data protection at least until a regulatory framework is introduced. However, it remains to be seen if the standards will see widespread adoption in the absence of a regulatory mandate. 

It is still a step in the right direction and definitely reassuring to see government agencies taking the issue of data protection seriously.


Who was consulted

The following organisations or people were consulted and involved in the development of the standards:

Ministry of Electronics & Information Technology; Bharat Electronics Limited; C-DAC; Centre for Internet & Society; Data Security Council of India; Department of Science and Technology; HCL; Indian Cellular & Electronics Association; Infosys; Dr. Gargi Keeni & Ms. Amutha Arunachalam; the Indian Statistical Institute; KCPIL; Larsen & Toubro; National Accreditation Board for Certification Bodies; Narnix Technolabs; NEC India Pvt Ltd; Oxygen Consulting Services Pvt Ltd; Patanjali Associates Pvt Ltd; Qualcomm India; ReBIT; Smart Chip Private Limited; Standardisation, Testing & Quality Certification (STQC); Tata Communications; Tata Consultancy Services; Telecommunication Engineering Centre (TEC), Department of Telecommunications; The Perspective (Rahul Sharma); the Unique Identification Authority of India; WYSE Biometrics Systems Pvt Ltd; BIS Directorate General; Reliance Jio, Genpact; and KPMG.

Bhavana M. is a Technology Law and Policy Fellow at Daksha Fellowship ’21. 

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ