In the ever-evolving landscape of data privacy, India stands at a critical juncture, poised to shape its future through strategic policymaking and technological innovation. As the digital economy surges ahead, stakeholders grapple with challenges and opportunities that ripple across sectors. Manish Sehgal, Partner at Deloitte India, shares his insights into this dynamic arena, shedding light on key imperatives and emerging trends.
Some edited excerpts:
Given India’s evolving data privacy landscape, what are the key challenges and opportunities for policymakers in crafting a comprehensive and effective data protection framework?
The key challenge for policymakers is to balance the need for robust data protection laws and create an environment that facilitates technological innovation. As technology advances further, especially with the adoption of AI, policymakers will have to focus on updating the law accordingly at regular intervals. Going forward, this presents India with the opportunity to establish itself as a global leader in data privacy. Moreover, it will facilitate collaboration with other jurisdictions and aid the overall growth of the economy.
From a CIO’s perspective, how has the evolving data privacy landscape impacted their approach to data governance and security?
The evolving data privacy landscape requires a fundamental shift to handle personal data. Instead of the traditional perimeter-based security models, organisations should adopt data-centric approach which starts from the basics of data discipline – to understand what is the minimum data to be collected, how data flows within the functions and with third parties, how data is collected, how it is stored and processed, who accesses it, and most importantly when does data ends its lifecycle. Hence, CIOs are now focused on implementing robust controls across data lifecycle from collection to safe disposal. Compliance with data privacy regulations like the DPDP Act has become a top priority for majority of organisations and CIOs play pivotal role to make it happen.
What practical steps can CIOs take to ensure compliance with the DPDP Act and build trust with their customers?
CIOs can play a critical role but shouldn’t be made solely responsible for compliance to DPDP Act. Other executives across functions should equally sponsor and contribute for joint success of such regulations which require transformation and not just transactional approach to compliance.
To begin with, once the definition of personal data is agreed, CIOs should conduct KYD ‘Know Your Data’ exercise to know where the data is and do a thorough data inventory to comprehend the extent and sensitivity of the information they collect and process. Secondly, a robust gap assessment needs to be carried out to study the current state with respect to policies, procedures, technology, governance, and accountability against the requirements of DPDP Act. Thirdly, from a remediation standpoint, once a framework is designed, focus may shift to privacy-enhancing technologies and to strengthen current data security solutions to protect customer data. A strong eye on third party risk management is equally important to identity data processors in the value chain of personal data which should work hand-in-hand for organisation’s DPDP Act compliance. This is especially important because mishandling of data can attract heavy penalties, according to the law.
What role do emerging technologies like blockchain and AI play in enhancing data privacy for Indian businesses? Can you give us some examples or use cases?
Use of blockchain technology has grown significantly across sectors. Blockchain, being a decentralised ledger that can be used to record transactions across a peer-to-peer network, ensures secure, authenticated, and accurate transfer of digital assets such as money, contracts, and documents. For example, the banking sector has started using core features of blockchain to maintain transaction history and audit trail, enable real-time settlement, and support cross border payments. AI, too, has had a resounding impact across industries. It is guiding how organisations interact with customers, build products, and introduce efficiencies in business operations. For example, with the proliferation of AI powered privacy enhancing tools, various organisations can now identify and classify large volumes of personal data they are processing, automate consent management, and address individual privacy rights, as AI speeds up the end-user authentication and compliance timelines at scale. At the same time, it is important for these technologies and infrastructure to mature to be able to harness their full extent, and like any new technology, there should be risk management processes to mitigate risks emanating from the use of these technologies.
How can India collaborate with other countries on data privacy issues, particularly in a globalized digital economy?
India being one of the leading digitally progressing economy is suitably placed to set a benchmark that may guide other countries to maintain the fine balance between people’s privacy rights, data protection regime and nations’ economic growth.
For this, it is important to address problems related to cross-border data flows and ensure that data protection laws across regions are enforced actively. Towards that end, India may focus on working together with designated international organisations to create a platform where best practices can be shared, and regulatory approaches harmonised. Additionally, bilateral agreements can be used for the purpose of cooperation on data privacy enforcement.
Your insights on the potential economic implications of strong data privacy regulations in India
Robust data privacy laws in India have the power to stimulate economic growth by boosting consumer confidence, encouraging innovation, and attracting foreign capital. Businesses can distinguish themselves in the market and develop a competitive edge by implementing strict data protection policies and maintaining strong compliance procedures. Strong data privacy laws can also foster the expansion of sectors that focus on privacy, like cybersecurity, data analytics, and privacy consultancy, resulting in the creation of new jobs and a boost to the economy. By investing resources in building comprehensive laws and ensuring their enforcement, India would also gain trust and credibility in the international market and increase its investment potential.
The future of data privacy in India – what are the key trends and developments we should be watching?
Future changes and trends in India’s data privacy landscape include the ongoing growth of legal frameworks, a rise in the use of technologies that improve privacy, and a stronger focus on accountability and openness in data processing procedures. Organisations will need to modify their data governance and security plans to satisfy changing customer expectations and compliance needs, because of the DPDP Act and technological developments. Additionally, new opportunities and difficulties for data privacy management will arise.