By Tim Rollins
This article was originally published in May 2023 and has been recently updated in light of recent progress made towards its passage by the Indian Parliament.
On November 18, 2022, the Union Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Bill 2022 for public consultation. A drastic revision of its predecessor, the Personal Data Protection Bill of 2021, the new bill proposes a comprehensive data protection regime while easing restrictions on non-personal data collection and cross-border data transfers.
While the new bill is more amenable to businesses in the country, it also levies hefty fines for non-compliance, a clear signal that organisations need to formulate data privacy programmes now. These penalties apply to both private sector and government organisations and can reach ₹500 crore per instance, as determined by the Data Protection Board constituted under the bill. Individuals will also have the right to seek details about how their data is collected, stored and processed once the law is implemented.
Currently, data protection in India is governed by the Information Technology Act, 2000 (as amended in 2008) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly called the SPDI Rules. The Digital Personal Data Protection Bill, once enacted, will have significant implications for virtually all organisations operating in India. Thousands of recommendations were submitted during the various stages of public comment, but only a few changes have been made since the bill's introduction last year.
Many companies will struggle with the transition from the SPDI Rules to the new and more complex law. For many companies in India, aligning business processes with the proposed legislation requires new enterprise infrastructure and radical changes to processes. But one thing is certain: businesses need to follow four crucial steps to establish a comprehensive, legally defensible data protection programme that complies with the new law. The glue binding these steps together is technology that leverages AI and deep learning.
Step 1: Maintain a defensible data inventory
If you don’t know where your data lives, who has access to it, and who in your organisation is responsible for it, it becomes impossible to comply with regulatory mechanisms. For instance, the Digital Personal Data Protection Bill calls for “every data fiduciary (businesses) to have in place a procedure and effective mechanisms to redress the grievances of data principals (its customers).”
For organisations to effectively address grievances related to customer data, they must have an effective inventory of the data that resides across departments, held in one centralised repository. This is next to impossible for organisations with large amounts of data unless they have the right technology to ease the process. The problem compounds over time: data volumes have grown sharply in recent years, and data that is never inventoried only becomes harder to find later. With tools that are easy to configure and scale, organisations can create a legally defensible data inventory that provides a roadmap to meet compliance obligations, identify existing vulnerabilities, and demonstrate accountability.
Step 2: Manage data subject access requests
The Digital Personal Data Protection Bill fleshes out specific rights of customers to access information about their personal data. In addition, the legislation effectively requires organisations to be able to assemble all data pertaining to a subject in one place, since each individual is entitled to receive a “summary of the personal data that has been processed by the data fiduciary and with whom the personal data has been shared along with all categories.” Without a defensible data inventory, such subject access requests would take an inordinate amount of time to process, leaving the organisation unable to respond within whatever timeline the rules prescribe.
This is why businesses in India need a robust system that can handle the intake of a request, verify the identity of the individual or entity making it, and then collect, review, and redact the necessary information. Since the new legislation governs employee data too, businesses require tech stacks that can reach employee data, which means integrations with HR systems so that employee records are correctly located and retained. When technology harmonises data deletion requests with other legal obligations and compliance mechanisms, the process becomes easier.
For instance, the proposed bill gives individuals the right to request deletion of their personal data held by an organisation ‘X’. ‘X’ is required to identify the data and delete it, which would take a massive amount of time if done manually. The organisation would have to source information residing across departments, check with the legal department on whether other compliance obligations require it to retain the data, and only then delete it. An automated tool can accurately process such requests in a matter of minutes.
Step 3: Manage third-party risks
The new data protection bill proposes a hefty fine of up to Rs 250 crore for failure to “take reasonable security safeguards to prevent personal data breach”. As data volumes explode, so does organisations’ responsibility to safeguard customer data. With cyber crime increasing year on year, it is reasonable that regulatory mechanisms require organisations to take measures to protect the privacy of their customers.
When we look at how organisations are handling cybersecurity regulations, there is typically one area that drives a lot of risk: third parties. More specifically, the gap in visibility into third-party activities: which vendors have access to organisational data, and which of those pose risks that need to be contained to comply with the upcoming privacy regime?
Let’s simplify this further. About 65% of successful organisations have outsourced operations to some extent, and a vast majority of them have migrated to the cloud. Cloud solutions often connect to other data sources within a business. This means that your critical business data and your customers’ personal information are likely to be accessed by third-party vendors. For organisations to be truly compliant with the upcoming legislation, they need to fill many gaps in their knowledge of what customer data third parties are accessing and whether it is being accessed securely. With the right technology, businesses can assess and capture details about vendors to ensure their compliance frameworks aren’t compromised.
Step 4: Adopt data retention and minimisation policies
While data minimisation is a great way to limit the damage a cyber attack can do (an attacker cannot exfiltrate data that was never kept), the reality is that most organisations retain data longer than they need to. The new data protection bill addresses this issue and specifies that businesses should retain only the data they need: a data fiduciary must cease to retain personal data once retaining it no longer serves the purpose for which it was collected. But the bill also makes exemptions for businesses that are required by other laws to retain data, such as banks, which are mandated to retain data for six months.
Data minimisation is great for reducing both legal and cyber risk. Data you don’t keep can’t be breached, and it can’t be demanded in a discovery request either. This means that keeping only the data that is important to essential business practices will mitigate risks from litigation as well as from data privacy regulations.
But with so much data, and multiple regulatory norms governing it, organisations may find themselves at a crossroads over whether they need to retain the disparate data sets they hold. With the right tools, data minimisation can be a simple process, because the tool can identify which data is under another obligation, such as a legal hold, before anything is deleted. Technology can bring harmony between data minimisation and retention, all while ensuring organisations stay legally compliant.
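The deletion-request workflow described under Step 2 and the minimisation-versus-retention check described in Step 4 are the same decision applied to one data principal or to the whole inventory, so a single worked example covers both. The following Python is an added illustration written for this article; it is not Exterro's product code, and the record layout, systems, purposes, retention periods and legal-hold names are all constructed assumptions. It reconciles an erasure request against a data inventory: a record is deleted only when its collection purpose has ended, no legal hold is attached, and no statutory retention period is still running.

```python
"""Added example (not from the article or Exterro): reconcile an erasure
request, and a periodic minimisation sweep, against a data inventory.

Assumptions (hypothetical, for illustration only): each inventory record
knows the system it lives in, the data principal it belongs to, the purpose
it was collected for, when that purpose ended, any statutory retention
period that starts when the purpose ends, and any legal holds. Real
retention periods must come from counsel, not from code.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Record:
    system: str                              # where the data lives (HRIS, CRM, ...)
    principal_id: str                        # the data principal it belongs to
    category: str                            # category of personal data
    purpose: str                             # purpose it was collected for
    purpose_ended: Optional[date]            # None means the purpose is still served
    statutory_retention: Optional[timedelta] = None   # runs from purpose_ended
    legal_holds: List[str] = field(default_factory=list)

def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return ("delete" | "retain", reason). Legal holds override everything:
    a hold is an obligation the privacy team cannot lift on its own."""
    if rec.legal_holds:
        return "retain", "legal hold: " + ", ".join(rec.legal_holds)
    if rec.purpose_ended is None:
        return "retain", "purpose still being served"
    if rec.statutory_retention is not None:
        until = rec.purpose_ended + rec.statutory_retention
        if today < until:
            return "retain", "statutory retention until " + until.isoformat()
    return "delete", "purpose no longer served and no overriding obligation"

def process_erasure_request(inventory: List[Record], principal_id: str,
                            today: date) -> Dict[str, List[Tuple[str, str, str]]]:
    """Build a per-system work order for one principal's deletion request.
    Each entry is (category, action, reason) so the system owner can act on
    it and the privacy team can show why something was kept."""
    plan: Dict[str, List[Tuple[str, str, str]]] = {}
    for rec in inventory:
        if rec.principal_id != principal_id:
            continue
        action, reason = decide(rec, today)
        plan.setdefault(rec.system, []).append((rec.category, action, reason))
    return plan

def retention_sweep(inventory: List[Record], today: date) -> List[Tuple[str, str, str]]:
    """Minimisation across all principals: everything whose purpose has
    expired and that carries no hold or statutory period still running."""
    return [(rec.system, rec.principal_id, rec.category)
            for rec in inventory if decide(rec, today)[0] == "delete"]

# Constructed sample inventory; none of this is real data.
TODAY = date(2024, 1, 15)
SAMPLE_INVENTORY = [
    Record("CRM", "DP-1001", "contact details", "marketing", date(2023, 11, 1)),
    Record("Billing", "DP-1001", "invoices", "tax accounting", date(2023, 6, 30),
           statutory_retention=timedelta(days=8 * 365)),   # hypothetical period
    Record("HRIS", "DP-1001", "employment record", "employment", None),
    Record("Ticketing", "DP-1001", "support transcripts", "support", date(2023, 12, 1),
           legal_holds=["Matter 2023-17"]),                # hypothetical hold
    Record("CRM", "DP-2002", "contact details", "marketing", date(2022, 1, 1)),
    Record("HRIS", "DP-2002", "employment record", "employment", None),
]

if __name__ == "__main__":
    for system, items in process_erasure_request(SAMPLE_INVENTORY, "DP-1001", TODAY).items():
        for category, action, reason in items:
            print(f"{system:10} {category:20} {action:7} {reason}")
    print("minimisation sweep:", retention_sweep(SAMPLE_INVENTORY, TODAY))
```

The ordering inside decide is the point: a legal hold is checked before anything else, so a deletion request can never quietly destroy evidence, and a statutory period is measured from the date the purpose ended rather than the date of collection. The same function drives both the single-principal work order and the inventory-wide sweep, which keeps the deletion rules in one place instead of duplicated across a DSAR tool and a retention job.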
A changing legal landscape requires technology that stays up to date, so that every compliance need pertaining to data privacy and protection is met. If businesses in India don’t begin implementing effective data protection programmes now, they will have to play catch-up once the new legislation is enacted. Overhauling existing processes can seem arduous, but with the right tools businesses can streamline privacy-related work and stay ahead of the game by ensuring their processes are adaptable and scalable.
For more educational and product marketing information on Exterro and privacy, digital forensics, and e-discovery in India, visit our International Content Hub for India. Our recent whitepaper on Advertising and Privacy Compliance in India also offers useful tips for organizations looking to comply with DPDP.