Data fiduciaries should report all data breaches to the Data Protection Authority (DPA) within 72 hours of becoming aware of them, the Joint Parliamentary Committee on the Personal Data Protection Bill 2019 has recommended in its report, which was tabled in Parliament on December 16. The committee has also recommended that the DPA direct data fiduciaries to inform data principals of personal data breaches after considering the severity of the harm caused.

The earlier draft of the bill had no provisions for reporting breaches to data principals, and only required reporting to the DPA if the breach was likely to cause harm to data principals. There was also no specific timeline prescribed for reporting breaches.

What does the committee report say about data breaches?

The committee has recommended significant changes to the role of the DPA during a data breach and obligations of fiduciaries:

Scope: Data fiduciaries will be required to report all data breaches to the DPA.
Earlier version: The earlier draft only required data fiduciaries to report breaches if they are “likely to cause harm to any data principal.”
Reason for the change: The committee was of the view that the carve-out allowed to fiduciaries was presumptive and led to ambiguity.

Timeline: Data fiduciaries must be required to submit the notice to the DPA within 72 hours after becoming aware of the data breach, the committee recommended.
Earlier version: The earlier draft asked data fiduciaries to report breaches to the DPA 'as soon as possible' after accounting for urgent…
