Navigating compliance with the emerging Data Protection Requirements – Practical steps required to prepare for meeting DPDPA obligations

Update: 2024-02-23 03:30 GMT


Need for Action is imminent as it is forecasted that the companies may not be given much time to comply with the requirements set forth by DPDPA.

After reaching the noteworthy milestone of enacting the Digital Personal Data Protection Act (DPDPA) in 2023, India is currently anticipating the government’s announcement of the law’s effective date and the introduction of rules that align with the Act. This underscores the emerging need for entities to prepare and position themselves “on-their-marks” and “get set” before the Government blows the whistle.

India entered the digital era on the strength of its robust digital payment infrastructure. The use of digital and remote-collaboration tools proliferated further after COVID, driving most entities to document, manage, transact, and communicate digitally. All such digital transactions and handling of data fall within the scope of the regulation, making DPDPA a crucial piece of legislation for the modern business world. Processing personal data in India, or digitally processing the personal data of people in India, brings an entity within the DPDPA’s radar irrespective of whether it is a business, a healthcare or educational institution, a non-profit organization, or even the government itself.


A lot has already been discussed at various forums on the application of DPDPA and the requirements it specifies, from consent to cross-border data transfer restrictions. This article focuses on the practical steps that need to be undertaken to be prepared to meet the emerging requirements set forth in DPDPA.

Practical steps to “get set” for navigating compliance: beyond the explicit legal requirements

Data Mapping is the start line of data protection. In order to regulate data practices, an entity must first understand what data it processes. Thus, the first step for any entity is to dig deep and identify and map what data is collected, how and why it is collected, with whom it is shared, and for how long it is stored.

Some entities may be certain about the inventory of applications and data stores that house personal data. The emerging privacy requirements nevertheless obligate entities to take immediate action to track down and monitor their data trails. B2B service providers will also have to bifurcate the data processing activities they undertake for their own benefit from those they undertake on behalf of other entities, as different obligations apply to each case.

Such a data mapping exercise is not restricted to data collected after the implementation of DPDPA. Most of the steps discussed here also apply to legacy data that was collected earlier and is still held by the entity.

Developing a Data Governance Framework comes next, once there is a comprehensive picture of the data that is handled (together with its sources and uses). Defining the data governance practices that the company wants to adopt includes analysing the business’s requirements and making crucial decisions that may impact the business. Entities need to keep tabs on both present and emerging requirements when creating the framework, bearing in mind that this involves an analysis of DPDPA as well as other laws that may apply to the nature of the processing. For instance, processing children’s personal data, Aadhaar information or financial information may entail additional obligations.

The objective of this exercise is to streamline processes in a manner that balances the business’s needs with the legal requirements. Developing a Data Governance Framework thus requires substantial input from the top management and decision-makers of the business and from key stakeholders of different departments. Deciding what data is required, at what points privacy notices and consent mechanisms should be implemented, which internal policies to adopt, and which technical safeguards to implement have become pivotal decisions.

Internal Awareness, Training, Access Control and Monitoring of behaviour are crucial, as employees and personnel within the organisation are the frontline defenders of data protection. At the same time, inadvertent human error and non-conforming employees have been the cause of most data security incidents. Hence, training employees on data protection practices has become indispensable. Beyond imparting an understanding of data protection and the evolving threat landscape, such training sessions should disseminate knowledge on secure data handling and password management, and enforce strict adherence to the Data Governance practices adopted by the organisation.

Vendor management and updating contracts have become pivotal, as DPDPA has cast substantial accountability on the entity that controls the means and purposes of processing the data. This entails appropriate vendor assessment and ensuring that all third-party service providers and tools used by the entity (think of CRM software, cloud servers, payroll processors, email services, and office productivity and collaboration tools, for instance) protect the data in the intended manner. Mere NDAs with vendors may not be sufficient, as the new law creates a basis for contractually passing on certain other obligations to vendors.

Adopting Technical and Organisational Measures for protecting information security is another key step in data protection. Entities will have to adopt practices in line with the nature of the data processed. As a preliminary matter, measures such as access controls and defined data storage and retention periods need to be put in place.

Similarly, setting up a grievance redressal mechanism, with personnel who take up the role of handling queries and requests from individuals, has become obligatory. DPDPA enables individuals to request information about their data, its correction or modification, or its deletion. Processes have to be put in place to gather all information held about the requesting individual and take appropriate action, either through manual processes or by using the automation tools available in the market.

Data breach monitoring and management is a prerequisite for meeting the emerging requirement of rapid breach notification to authorities and affected individuals. Mechanisms should be put in place to monitor for and identify any data leak or data incident and immediately escalate it for action. Further, internal teams should be set up to manage a breach quickly by containing and mitigating it.

Deterrent penalties of up to 250 crores, the establishment of a separate adjudicatory body in the pipeline, and market pressures are driving entities to commence their compliance journey even though DPDPA has not yet come into effect.

Just as compliance with DPDPA extends beyond its explicit stipulations, adherence to the DPDPA is more than mere legal conformity. It is a strategic imperative for businesses aiming to build trust and maintain a competitive edge. As we enter an emerging data protection era, entities that proactively embrace and implement these measures will not only meet regulatory standards but also foster a culture of responsible data handling that drives better business.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.

By: Madhura Shanthini

Madhura Shanthini is a Senior Associate in the Data Protection and Privacy team at KRIA Laws in Chennai. Madhura has extensive experience, having researched and worked on data privacy legislation across the globe, including GDPR, CCPA/CPRA, HIPAA, FERPA, POPIA and LGPD, to name a few. With blended experience of having worked both in-house and in a law firm, she assists clients across industries in protecting their intangible assets.
