By - King Stubb & Kasiva on November 24, 2023
A data centre is a facility, whether physical or virtual, that supports data storage, upkeep and the use of applications, whether shared or otherwise, and may be built on a network of computing and storage resources. The key components of data centre design include routers, switches, firewalls, storage systems, servers and application-delivery controllers.
With the advent of new technologies, data centres have transformed from physical to virtual facilities. These new age data centres are more robust ecosystems, built by integrating technologies such as artificial intelligence, machine learning, cloud computing and robotic process automation, along with the convergence of four technologies: Social, Mobile, Analytics and Cloud (SMAC).
New age data centres offer businesses more advantages than traditional data centres. The major ones include the following:
There has been rapid growth in e-commerce, in the production of mobile phones and in the acceptance of cloud computing. This steady growth of the digital economy has fuelled the demand for more data centres. However, the expansion of data centres brings new security risks and challenges: data centres are prime targets for cyberattacks, which could be disastrous for a company and its business.
It is crucial for companies to protect their own business data and the personal data of customers, employees, business partners and associates, in order to comply with laws and regulations, maintain their reputation, avoid financial losses, ensure business continuity and gain a competitive edge in the market.
Organisations must take action to safeguard the data stored in data centres they have established themselves or with third-party data centre service providers. This entails putting in place strong security measures in accordance with all applicable cybersecurity and data protection regulations.
India has introduced the new Digital Personal Data Protection Act, 2023 ("the DPDP Act"), which governs the processing of the personal data of individuals. The table below sets out the legal compliances applicable to entities providing data storage facilities under the existing regulatory framework and under the new law, which is to be enforced soon.
| Compliance area | Existing regulatory framework | DPDP Act, 2023 |
|---|---|---|
| Consent and Notice | The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 mandate intermediaries to disclose their terms and conditions, privacy policy and procedures to their users. They also state that information provided voluntarily by a user to a significant social media intermediary for the purpose of verification cannot be used for any other purpose without the express consent of the user. | Data Fiduciaries are obligated to obtain specific, informed, unconditional and unambiguous consent from the Data Principal through a clear affirmative action. Processing must be limited to the purpose stated when consent was taken. The consent must be accompanied or preceded by a notice that sets out: (i) the personal data being collected and the purpose for which it is proposed to be processed; (ii) the rights of the Data Principal and the manner in which they can be exercised; and (iii) the manner in which the Data Principal can file a complaint with the Data Protection Board. |
| Reasonable Security Standards | The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules") mandate the use of reasonable security practices by bodies corporate that collect and process the personal data of individuals. The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System Requirements" is recognised under the Rules as a best practice for reasonable security standards. | The Data Fiduciary is responsible for maintaining reasonable security safeguards to protect the Data Principal's personal data, even where it has appointed a Data Processor to process that data. Before appointing a third-party vendor to process data on its behalf, the Data Fiduciary may conduct an audit to establish the security safeguards the vendor has in place, and may continue to audit the vendor periodically to ensure that the system remains safe and secure. |
| Notification of Data Breach | The directions of the Indian Computer Emergency Response Team ("CERT-In") issued under Section 70B(6) of the Information Technology Act mandate companies to report cyber incidents that impact national security, the economy, public health or safety. The cyber incident must be reported to the nodal agency within 6 hours of becoming aware of its occurrence. Failure to comply with these directions is punishable with imprisonment of up to 1 (one) year, or a fine of up to INR 1,00,000 (Rupees One Lakh), or both. | The Data Fiduciary is responsible for notifying the affected Data Principal and the Data Protection Board of the breach immediately. The manner in which the notification is to be given is yet to be clarified by the Central Government. Failure to give this notice may attract a penalty which may extend to INR 2,50,00,00,000 (Rupees Two Hundred and Fifty Crores). |
| Data Localization | The RBI direction vide circular DPSS.CO.OD.No.2785/06.08.005/2017-18 dated April 06, 2018 mandates that data collected during payments, being sensitive data and the financial data of the user, be stored on servers located within the territory of India. Section 3(9) of the IRDAI (Maintenance of Insurance Records) Regulations, 2015 mandates that all insurance data relating to insurance policies and claims made in India be stored and maintained within the territory of India. | The DPDP Act allows the processing of personal data outside the territory of India. However, the Central Government has the power to restrict the transfer of personal data to any country or territory outside India that it notifies. Note: this does not override the sectoral regulations that mandate data localization. |
| Grievance Redressal | The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 mandate intermediaries to appoint a grievance officer capable of handling user grievances about violations of the Rules. | The Data Fiduciary is obligated to set up a grievance redressal mechanism for Data Principals, with a designated person acting as the point of contact between the Data Fiduciary and the Data Principal. This may be the Consent Manager, the Data Protection Officer in the case of a Significant Data Fiduciary, or any other person appointed by the Data Fiduciary. The contact details of the grievance redressal officer must be published in the manner prescribed by the Central Government. The Data Principal must first exhaust this right to grievance redressal before approaching the Board with a complaint. |
Note: The new law, the DPDP Act, is an extension of the existing laws and regulations. Once the rules are notified by the Central Government, the DPDP Act will be fully enforced. At that point, Section 43A of the Information Technology Act and the SPDI Rules, 2011 will be omitted and replaced by the DPDP Act.
The rules governing the obtaining of consent, the serving of notice, the grievance redressal mechanism and the implementation of reasonable security safeguards are expected to be published by the Central Government soon. Along with the Rules, the Central Government will also establish the Data Protection Board and notify the list of countries and territories outside India to which personal data cannot be transferred.
The DPDP Act permits the processing of personal data outside India in connection with services offered in India; it imposes no present restriction on cross-border transfers, but allows the Central Government to specify restrictions later.
The DPDP Act increases compliance costs for businesses, especially SMEs, and proposes penalties of up to INR 250 crore for non-compliance, underlining the importance of adhering to data protection standards.
Rule 4(7) of the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021.
Section 2(i) of the DPDP Act defines a Data Fiduciary as any person who, alone or in conjunction with other persons, determines the purpose of the processing of personal data.
Section 2(j) of the DPDP Act defines a Data Principal as the individual to whom the personal data relates, and includes the parents or lawful guardian in the case of a child or a person with a disability.
Section 2(x) of the DPDP Act defines processing as a wholly or partly automated operation, or set of operations, performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.