By Sharad Sadadekar, Head Cybersecurity and Data Protection, ICICI Prudential Life Insurance
The Digital Personal Data Protection Act, 2023 known famously as DPDPA recently got the assent of the President of India on 11th August 2023. The act applies to the processing of digital personal data (within the territory of India) collected online or collected offline and later digitised. The act also applies to processing digital personal data outside the territory of India if it involves providing goods and/or services to the data principals within the territory of India. The DPDP Act is India’s first data protection act, and it establishes a framework for the processing of personal data in India.
The DPDP Act aims to recognise the rights of individuals to protect their personal data in digital or non-digital form which is subsequently digitised. The act also aims to restrict use of such personal data of individuals by any other person for unlawful activities.
Rights and obligations
Privacy right typically includes the right to control personal information access to individual data and the right to be protected from unauthorised or unlawful processing or misuse.
Organisations are responsible to adhere to the act and manage data responsibly, inform individuals about data collection, and ensure secure storage and purging after use.
Below chart depicts rights and obligations across the data lifecycle and the responsibilities of the Board of India:
Data Lifecycle | Data Collection | Data Processing | Data Transfer | Transparency and Accountability | ||
Data Principal | Consent and Consent withdrawals | Right to access information about personal data | Right to correction of personal data | Right to erasure | Right to grievance redressal and nominate | Duties of data principal |
Data Fiduciary | Notice | Grounds of processing personal data | Certain legitimate cases | Security safeguards | Accountable for data processor | Data privacy impact assessments |
Verifiable parent / guardian consent | Additional obligations of significant data fiduciary | Data Processor engagement | Data retention | Data protection officer | Independent data audits | |
Personal data breach notification | Processing of personal data outside India | Consent managers | Complying to Government notifications | |||
Data Protection Board of India | ||||||
Penalty | Grievance Redressal | Review and Appeal | Dispute Resolution |
Critical components and strategies for a successful DPDPA compliance implementation
A successful implementation of DPDPA compliance requires a holistic approach, incorporating critical components and strategies. Here are key components and strategies to consider:
1. Leadership Commitment and Cross Functional Teams Collaboration:
• Obtain commitment from senior leadership to prioritise and support DPDPA compliance. Ensure they understand the importance of data privacy
• Encourage collaboration between different departments and teams to ensure a coordinated approach to DPDPA compliance. Legal, IT, and business units should work together and be part of the project to ensure they provide necessary support
2. Data Mapping and Inventory:
• Conduct a comprehensive data mapping exercise to identify what personal data your organisation processes, where it is stored, and how it is used. Maintain an up-to-date data inventory
3. Data Protection Gap Assessment and Impact Assessment (DPIAs):
• Perform DPIAs to assess and mitigate the privacy risks associated with data processing activities. This helps in identifying and addressing potential vulnerabilities
4. Data Subject Rights:
• Establish procedures for honouring data subject rights, including the right to access, correct, and erase personal data. Ensure data subjects can exercise rights easily
5. Consent Mechanisms:
• Implement and manage user consent mechanisms for data processing activities. Ensure that users have the option to provide or withdraw consent
6. Data Minimisation and Erasure:
• Review and minimise the data organisations collect to ensure that they only collect and process data that is necessary for their intended purposes
• Define data retention and implement erasure practice
7. Third-Party Risk Management:
• Assess and manage the risks associated with third-party vendors and service providers that process personal data on organisation’s behalf
• Ensure that they also comply with DPDPA requirements
• Have necessary clauses embedded in the agreement
8. Privacy by Design:
• Incorporate privacy by design approach into all products and services. Privacy should be an integral part of the design process from the outset
9. Documentation and Records:
Maintain thorough documentation and maintain records of all data protection and privacy activities to demonstrate compliance to regulatory authorities
10. Security Testing and Validation:
• Regularly test and validate the effectiveness of data protection and privacy controls to identify vulnerabilities and gaps
By implementing these critical components and strategies, organisations can successfully achieve DPDPA compliance, protect personal data, and demonstrate a commitment to respecting the privacy rights of individuals.
Steps to initiate compliance with the Data Protection and Data Privacy Act (DPDPA)
To simplify process, it is suggested to categorise the approach in four major areas mentioned below and harmonise it with cybersecurity strategies for reducing the risk of data breaches and non-compliance.
This can be further grouped based on readiness into before and after the rules and enforcements are communicated by the DPDPA board.
1. Plan and Access:
• Understand the DPDP Act:
o Start with thoroughly understanding the provisions of the DPDPA. Familiarise yourself with the key requirements, principles, and standards outlined in the legislation
• Leadership Commitment:
o Educate leadership on DPDPA and privacy best practices
• Data Mapping and Inventory:
o Conduct a comprehensive data mapping exercise to identify what personal data your organisation processes and where it is stored. Create a data inventory to document this information
• Privacy Impact Assessment (PIA):
o Perform a privacy impact assessment to evaluate the potential risks to individual’s privacy associated with your data processing activities
• Gap Analysis:
o Conduct a gap analysis to identify areas where your organisation’s existing data protection and cybersecurity practices fall short of DPDPA requirements
2. Define and Document:
• Define roles and responsibilities of Data Protection Officer (DPO), grievance officer, CRO, CDO, CIO and data privacy managers:
o DPO would be SPOC for external entities and is responsible for ensuring compliance with the DPDPA while others need to strategically support
• Privacy Policies and Procedures:
o Develop and update your organisation’s privacy policies and procedures to align with the DPDPA. Ensure that employees are aware and trained
• Incident Response Plan:
o Develop and implement an incident response plan to handle data breaches and incidents that could compromise the security of personal data
• Data Subject Rights:
o Establish procedures for honouring data subject rights, including the right to access, correct, and erase personal data
3. Integrate and Implement:
• Consent Mechanisms:
o Implement consent mechanisms to obtain and manage user’s consent for data processing. Ensure users have the option to opt in or opt out of data collection
• Data Request Mechanisms (DRM):
o Implement DRM to obtain and manage users’ requests to update or erase data. Ensure users have access request status tracking mechanism
• Security Measures:
o Enhance cybersecurity measures to protect personal data. This includes encryption, access controls, regular security audits, and updates
• Data Minimisation:
o Review and control data that is collected to ensure it is for intended purpose
• Vendor Assessment:
o Assess and ensure the DPDPA compliance of third-party vendors and service providers that process personal data on the organisation’s behalf
• Cross-Border Data Transfer:
o If you transfer data internationally, ensure that cross-border data transfers follow the DPDPA, which may require standard contractual clauses or other mechanisms
• Privacy by Design:
o Implement a privacy by design approach when developing new products or services, integrating privacy into the development process from the outset
• Appoint a DPO:
o DPO is responsible for ensuring compliance with the DPDPA and ensure proper reporting
4. Audit and Sustain
• Training and Awareness:
o Conduct training and awareness programmes to educate employees on data protection and privacy best practices
• Documentation and Records:
o Maintain thorough documentation and records of data protection and cybersecurity activities to demonstrate compliance to regulatory authorities
• Legal and Regulatory Consultation:
o Consult with legal and regulatory experts to ensure your organisation is fully compliant with the DPDPA
• Testing and Validation:
o Test and validate the effectiveness of your cybersecurity measures and privacy controls to identify vulnerabilities and gaps
• Reporting and Accountability:
o Establish a reporting and accountability framework to track and report data breaches, compliance efforts, and data protection activities
• Regular Audits and Assessments:
o Conduct regular audits and assessments of your data protection and cybersecurity practices to ensure ongoing compliance with the DPDPA
Key learnings from common challenges
Learning from common challenges and avoiding mistakes during DPDPA implementation is crucial for the success of the project. Some common challenges and ways to avoid them and navigate the complexities of DPDPA implementation successfully are mentioned below:
1. Lack of Leadership support:
• Challenge: Without support from the senior leadership, DPDPA implementation can face resistance and insufficient resources
• Avoidance: Secure commitment from top management early in the process, emphasising the legal and reputational risks of non-compliance
2. Resistance to Change:
• Challenge: Resistance from employees or stakeholders can impede DPDPA implementation efforts
• Avoidance: Ensure Top-Down approach and get buy-in from your key stakeholders. Communicate the benefits of compliance, provide training, and involve employees in the process to mitigate resistance
3. Inadequate Data inventory and Data Mapping:
• Challenge: Inaccurate or incomplete data mapping can result in non-compliance due to unknown data processing activities
• Avoidance: Conduct a thorough data mapping exercise, involving relevant stakeholders, and maintain an updated data inventory
4. Granular Data retention:
• Challenge: Non-availability of data lifecycle management for function or process specific data
• Avoidance: Define policy for data lifecycle management for function or process specific data with purpose, need and its retention period so that it can be purged if not required
5. Insufficient Access Controls:
• Challenge: Weak access controls can result in unauthorised access to personal data, leading to data breaches
• Avoidance: Implement strong access controls, role-based permissions, and regular access reviews to limit access to authorised personnel
6. Lack of Consent Management:
• Challenge: Failure to implement effective consent mechanisms can result in non-compliance with DPDPA requirements for user’s consent
• Avoidance: Implement and manage user-friendly consent mechanisms that allow users to provide and withdraw consent easily
7. Inadequate Incident Response Plan:
• Challenge: An ineffective incident response plan can lead to poor management of data breaches and non-compliance with reporting requirements
• Avoidance: Develop a robust incident response plan, conduct drills, and ensure it complies with DPDPA reporting requirements
8. Third-Party Vendor Risks:
• Challenge: Unmanaged third-party vendor risks can expose personal data to non-compliant processing
• Avoidance: Assess and manage the risks associated with third-party vendors and ensure that they comply with DPDPA, and include data protection clauses in contracts
9. Lack of Accountability:
• Challenge: Inadequate accountability and reporting structures can result in unaddressed compliance issues
• Avoidance:
o Establish a reporting and accountability framework to track and report data breaches, compliance efforts, and data protection activities
o Define the roles and responsibilities at the organisation level
10. Legal and Regulatory Compliance:
• Challenge: Ignoring legal and regulatory counsel can lead to non-compliance and legal issues
• Avoidance: Consult with legal and regulatory experts to ensure full compliance and stay informed about changing regulations
11. Test your work:
• Challenge: It is initiated as a project and then the team disintegrated
• Avoidance: Ensure there are proper roles and responsibilities defined and the data lifecycle processes are tested / audited regularly