We have a Data Protection Law. Now what?
Updated on Aug 24, 2023
India’s Digital Personal Data Protection Act is a landmark piece of legislation.
India is a nation of 1.4 billion citizens and one of the world’s largest digital economies, growing by leaps and bounds on the back of Digital Public Infrastructure such as Aadhaar, PMJDY, UPI, Digilocker, Account Aggregator, and ONDC to name a few. The DPDPA is a critical enabler to ensure that our digital economy continues to scale inclusively and safely.
At its heart, the DPDPA seeks to put the Data Principal in control of her own personal data: it requires informed consent before she shares her data, and it specifies how businesses may use that data.
While we wait for the enabling regulations to be published, here is what you should know and can do right away.
What you should know:
The DPDPA applies to personal data collected in digital form, and to personal data collected in non-digital form (say, on paper) and digitized later.
There are two classes of entities:
Data Fiduciaries determine WHAT personal data is collected, WHY (the Purpose) it is needed, and HOW it will be collected and processed.
Data Processors process personal data on behalf of Data Fiduciaries, usually by supplying the tools and technologies used to collect and process it, and are governed by their contractual terms with the Data Fiduciary. For example, banks (Data Fiduciaries) must follow the RBI's IT Outsourcing Guidelines when using the services of analytics service providers.
Some Data Fiduciaries may be classified as Significant Data Fiduciaries based on the volume and / or sensitivity of the data they handle and the risk their processing poses.
The DPDPA's obligations fall on Data Fiduciaries, not on Processors; a Data Fiduciary remains accountable under the Act for any processing a Data Processor carries out on its behalf.
Purpose: You must have a lawful, specified purpose for seeking personal data from your customer.
Consent: You must obtain free, specific and informed consent for each purpose for which you collect the data, and use the data only for that purpose. For example, a bank statement collected for underwriting must not be reused to assess cross-sell opportunities.
Data Minimization: Collect only the personal data necessary for the specified purpose and no more. Resist the temptation to grab as much data as possible while interacting with customers.
Data Storage and Deletion: Erase personal data once its purpose is served or consent is withdrawn, unless a law (for example a financial regulator's record-retention requirement) obliges you to retain it.
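The purpose, consent and deletion points above describe controls, not just policy. The following is an added illustration (not the page's or Anumati's code) of how a Data Fiduciary can enforce them in software: every record is bound to the single purpose it was collected for, every read is checked against the consent on file, and a purge routine erases data once retention lapses or consent is withdrawn unless a legal hold applies. The customer and record identifiers, the purposes, the 30-day retention and the five-year legal hold are constructed for the example and are not figures from the Act.

```python
# Added illustration (not the page's or Anumati's code): purpose-bound consent and
# retention enforcement for personal data. Identifiers, purposes, the 30-day retention
# and the legal-hold period are constructed assumptions, not DPDPA figures.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ConsentError(PermissionError):
    """Raised when a collection or use of personal data is not covered by valid consent."""


@dataclass
class Consent:
    principal_id: str
    purposes: set            # purposes the Data Principal agreed to, as stated in the notice
    withdrawn: bool = False


@dataclass
class Record:
    principal_id: str
    category: str            # e.g. "bank_statement"
    purpose: str             # the single purpose this record was collected for
    collected_at: datetime
    payload: bytes
    legal_hold_until: datetime = None   # retention a law or regulator requires; blocks erasure


class PersonalDataStore:
    """Every collection, read and erasure is checked against the consent on file and logged."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.consents = {}   # principal_id -> Consent
        self.records = {}    # record_id -> Record
        self.audit = []      # (event, record_id, purpose, outcome)

    def grant_consent(self, principal_id, purposes):
        self.consents[principal_id] = Consent(principal_id, set(purposes))

    def withdraw_consent(self, principal_id):
        self.consents[principal_id].withdrawn = True

    def _require(self, principal_id, purpose):
        c = self.consents.get(principal_id)
        if c is None or c.withdrawn or purpose not in c.purposes:
            raise ConsentError(f"no valid consent of {principal_id!r} for purpose {purpose!r}")

    def collect(self, record_id, principal_id, category, purpose, payload, now, legal_hold_until=None):
        self._require(principal_id, purpose)   # no consent for the purpose, no collection
        self.records[record_id] = Record(principal_id, category, purpose, now, payload, legal_hold_until)
        self.audit.append(("collect", record_id, purpose, "ok"))

    def access(self, record_id, purpose):
        rec = self.records[record_id]
        try:
            self._require(rec.principal_id, purpose)   # consent still valid for this purpose?
            if purpose != rec.purpose:                 # and was the data collected for this purpose?
                raise ConsentError(f"{record_id!r} was collected for {rec.purpose!r}, not {purpose!r}")
        except ConsentError:
            self.audit.append(("access", record_id, purpose, "denied"))
            raise
        self.audit.append(("access", record_id, purpose, "ok"))
        return rec.payload

    def purge(self, now):
        """Erase records whose retention elapsed or whose consent was withdrawn, unless on legal hold."""
        erased = []
        for rid, rec in list(self.records.items()):
            c = self.consents.get(rec.principal_id)
            expired = now - rec.collected_at >= self.retention
            withdrawn = c is None or c.withdrawn
            held = rec.legal_hold_until is not None and now < rec.legal_hold_until
            if (expired or withdrawn) and not held:
                del self.records[rid]
                erased.append(rid)
                self.audit.append(("erase", rid, rec.purpose, "ok"))
        return erased


def walkthrough():
    """Constructed scenario: a statement collected for underwriting, then a cross-sell attempt."""
    t0 = datetime(2023, 9, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(retention=timedelta(days=30))   # assumed retention period
    store.grant_consent("cust-1", {"underwriting"})
    store.collect("stmt-1", "cust-1", "bank_statement", "underwriting", b"<statement>", t0)
    store.collect("kyc-1", "cust-1", "kyc_document", "underwriting", b"<kyc>", t0,
                  legal_hold_until=t0 + timedelta(days=365 * 5))  # assumed regulator-mandated hold
    out = {"underwriting_read": store.access("stmt-1", "underwriting")}
    try:
        store.access("stmt-1", "cross_sell")
        out["cross_sell_read"] = "allowed"
    except ConsentError:
        out["cross_sell_read"] = "denied"
    out["purged_day_10"] = store.purge(t0 + timedelta(days=10))   # nothing due yet
    out["purged_day_31"] = store.purge(t0 + timedelta(days=31))   # statement erased; held KYC stays
    store.withdraw_consent("cust-1")
    out["purged_after_withdrawal"] = store.purge(t0 + timedelta(days=31))   # hold still blocks erasure
    out["remaining"] = sorted(store.records)
    out["denials"] = sum(1 for e in store.audit if e[3] == "denied")
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that `access` checks two things independently: that consent for the requested purpose is still on file, and that the record was collected for that purpose. A customer who later consents to cross-selling still does not unlock a statement that was collected for underwriting; new data would have to be collected under the new purpose. The audit list gives the grievance-handling and breach-investigation trail the Act expects you to be able to produce.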
WHAT YOU NEED TO DO
- Inform your customers, through a notice, what personal data you are collecting and for what purpose, which other entities you will share it with, how it will be processed, and how they can exercise their rights.
- Ensure that customers can access, correct, update and erase their personal data, can nominate another individual to exercise those rights on their behalf in the event of death or incapacity, and know how to raise a grievance if something goes wrong.
- Obtain verifiable parental consent before processing the personal data of children under 18 years of age, and do not track or behaviorally monitor children or target ads at them.
- Put in place reasonable security safeguards to prevent a personal data breach; if a breach does occur, notify the Data Protection Board and each affected customer in the form and manner the rules prescribe.
HOW YOU CAN GET STARTED
It is important to build an organization culture centered around data minimization, protection, security and privacy. The old maxim "more data is more opportunity" is giving way to "more data is more responsibility and risk".
Start with a complete inventory of the personal data you hold: where it is stored, who can access it, and which third parties it is shared with. Then produce a gap assessment of where your mechanisms for data collection, storage, sharing and security need to improve.
Start evaluating your consent mechanisms. If you are regulated by any of India's financial regulators (RBI, IRDAI, SEBI, PFRDA), Anumati offers a regulated, pre-built solution that delivers customer and business benefits today and makes you future-ready as and when the enabling regulations are notified.
Official Document of DPDPA
Anumati: Your Data | Your Consent | Your Benefit