Demystifying India’s Digital Personal Data Protection Bill for Hotel Industry

In recent years, the hospitality industry in India has witnessed a significant shift toward digitization. From online bookings and reservations to digital payment options, the use of technology has become an integral part of the hospitality industry.

With this shift towards digitization comes the need to protect the personal data of guests and customers.

This blog will discuss India’s Digital Personal Data Protection Bill and how it impacts the hospitality industry.

I will break down the key provisions of the bill and explain how it aims to simplify and strengthen the protection of personal data in this digital age.

By understanding the same, hoteliers and other players in the hospitality industry will be able to ensure compliance and protect the personal data of their guests.

What Is the Digital Personal Data Protection Bill?

In 2019, India’s Personal Data Protection Bill was removed from Parliament with a focus on creating new legislation that aims to foster a thriving and innovative digital landscape in the country.

This is where “The Digital Personal Data Protection Bill 2022” came into the picture.

The Digital Personal Data Protection (DPDP) Bill 2022 is a legal norm in India that aims to regulate the collection, storage, and use of personal data in the digital space. The bill was introduced in Parliament in December 2020 with the aim to give individuals greater control over their personal data and ensure that it is handled responsibly and transparently.

“The Digital Personal Data Protection Bill 2022 is designed to safeguard the privacy of the citizen (Digital Nagrik) and their personal data in the digital age.”

– Ministry of Electronics & IT (Press Information Bureau of India)

What Kind of Data Does the Personal Data Protection Bill Cover?

The DPDP Bill 2022 covers personal data that is collected, stored, and processed in the digital space.

Personal data is defined as any information that relates to an identified or identifiable natural person. This can include a wide range of information, such as name, address, phone number, email address, date of birth, and financial information.

The bill applies to the collection, storage, and use of personal data by data controllers and data processors. 

In simple terms, data controllers are entities that determine the purposes and means of processing personal data, while data processors are entities that process personal data on behalf of data controllers.

When Is the Data Transfer Permitted Outside India?

According to the Digital Personal Data Protection Bill, the transfer of personal data outside of India is permitted to countries that have been notified by the Indian government. These countries will be determined based on an assessment of various factors deemed necessary by the government.

In order to transfer personal data to these countries, data controllers and data processors must comply with the requirements and conditions set out in the Bill.

The Core Principles of the Digital Personal Data Protection Bill

The Digital Personal Data Protection Bill is based on several principles that aim to ensure the responsible handling of personal data in the digital space.

These principles include:

• Transparency: Data controllers and data processors must be transparent about their data collection, storage, and processing practices. They must provide individuals with clear and concise information about how their personal data will be used and must obtain the individual’s consent for the processing of their personal data.
• Purpose limitation: Personal data must be collected and processed for specific, explicit, and legitimate purposes. Data controllers and data processors must ensure that the personal data they collect is necessary and relevant to the purposes for which it is collected.
• Data minimization: Data custodians and data handlers must minimize the amount of personal data they collect and retain.
• Data accuracy: It must be ensured that the collection and processing of personal data are accurate and up-to-date, and must provide individuals with the opportunity to rectify any inaccurate or incomplete personal data.
• Data security: Appropriate technical and organizational measures must be taken to protect the personal data they collect and process from unauthorized access or misuse.
• Data accountability: Data controllers and data processors must be able to demonstrate that they have taken appropriate measures to protect personal data and that they have a process in place to address any grievances or disputes that may arise.

What Rights Do Individuals Have?

Under the Digital Personal Data Protection Bill, individuals have the following rights with respect to their personal data:

• The right to access: Individuals have the right to access their personal data and request information about how their personal data is being collected, used, and shared.
• The right to rectification: Individuals have the right to request that any inaccurate or incomplete personal data be corrected or completed.
• The right to erasure: Individuals have the right to request that their personal data be erased in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
• The right to restrict processing: Individuals have the right to request the processing of their personal data be restricted in certain circumstances, such as when they contest the accuracy of the data.
• The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances, such as when the processing is based on the legitimate interests of the data controller or data processor.
• The right to data portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller or data processor.

These rights are intended to give individuals greater control over their personal data and to ensure that it is handled in a responsible and transparent manner. Data controllers and data processors are required to respect these rights and to provide individuals with the means to exercise them.

To Whom Is This Bill Applicable?

Well, anyone who even came across this bill’s mention in the news must have had a common question.

Is this bill applicable to me?

And that’s just natural. When rules and regulations are concerned, you NEED to know what are you getting into.

So, let me clear your doubts.

This data protection bill in India is a sector-less law and applies to ALL categories of the industry, including the hospitality industry.

The Digital Personal Data Protection Bill is applicable to data controllers, regardless of their location or the location of the individuals whose personal data they collect and process. In simple words:

• Government, 
• Companies incorporated in India, and
• Foreign companies dealing with Indian citizens’ personal data. 

Additionally, the Digital Personal Data Protection Bill also applies to other entities that are involved in the collection, storage, and processing of personal data, such as data intermediaries and data processors.

That being said, the hotel industry, and in fact, all the businesses in India will have to keep a look out for these facts involved in the bill.

What if Someone Violates the Personal Data Protection Bill?

The Digital Personal Data Protection Bill 2022 also includes provisions related to the appointment of a Data Protection Authority to oversee compliance with the provisions of the Bill and to address any grievances or disputes that may arise.

The Authority would have the power to investigate complaints, issue orders, and directions, and impose penalties for non-compliance.

Simply put, if someone violates the provisions of the Digital Personal Data Protection Bill, they may be subject to penalties and other enforcement measures. The specific penalties and enforcement measures will depend on the nature and severity of the violation.

How Can the Hospitality Industry Align With the DPDP Bill?

In the hospitality industry, personal data is often collected and processed in connection with online bookings, reservations, and payment transactions. This is why the Digital Personal Data Protection Bill is expected to have a significant impact on the hospitality industry.

Here are some steps that hospitality businesses can take to align with the provisions of the Digital Personal Data Protection Bill:

• Review and update data protection policies: Hotels and other hospitality providers should review their current data protection policies and procedures to ensure that they are in line with the provisions of the Bill. This may involve updating policies related to data collection, storage, and use, as well as policies related to data security and data breaches.
• Obtain consent for data collection: Hospitality organizations must provide individuals with clear and concise information about how their personal data will be used and obtain their explicit consent before collecting and processing their personal data.
• Implement technical and organizational measures: Accommodation providers must implement appropriate technical and organizational measures such as encryption, secure servers, and access controls, to protect the personal data they collect and process from unauthorized access or misuse. 
• Respect individuals’ rights: It is a must that businesses respect the rights of individuals with respect to their personal data, including the right to access, rectify, erase, and restrict the processing of personal data. They should have processes in place to address any requests or complaints related to these rights.
• Appoint a data protection officer: Hospitality businesses may wish to consider appointing a data protection officer to oversee compliance with the provisions of the Bill and to address any grievances or disputes that may arise.

How Can the Hospitality Businesses Implement These Changes?

Hoteliers need to start preparing themselves to be DPDP Bill ready and ensure the absolute safety of their guests’ data.

Below are some key steps you should take to easily implement the DPDP bill changes:

• Ensure that your technology provider adheres to the rules and obligations mentioned in the PDP Bill.
• If your tech vendor isn’t compliant, then it’s time to change it.
• Hoteliers need to ensure that the data is rightly collected, stored, and handled with the guests’ consent.
• Software providers as well as integrators with third-party software should assure that the software they provide is bill ready.
• Indian hotels dealing with OTAs and hotels receiving bookings OTAs (of Indian guests) need to make sure that those OTAs are bill ready.

For example: If a guest from India is booking with you via an OTA or through third-party sites; you need to ensure that the OTA (third-party) is DPDP bill compliant. In addition, you need to guarantee that the data received is not misused in any case.

Long story short, hotels and restaurants will now have to be DPDP Bill compliant through the software they use. In addition, they’ll also need to ensure that their software is bill ready, thus safeguarding their guests’ data from potential exploits.

eZee’s Role in Being DPDP Bill Compliant

eZee’s hotel solutions are already PCI DSS compliant. This means that our products are already keeping your guests’ credit card details secure from any potential theft or misuse. Thereby, making it easier for us to become bill ready. 

Additionally, our solutions are also GDPR compliant ever since the bill has come into effect.

Apart from these, here are a few steps we’ll be taking to be PDP bill ready:

• Update our privacy policies for Indian users
• Bring changes in our products relevant to the bill
• Let our customers know about the concerned changes

Naturally, our course of action is mainly dependent on the bill’s passing and the changes it brings to the ways businesses are conducted.

We also have a guide that will help you get the best solution for your hotel.