On 11 Aug., India's first comprehensive regulatory framework for privacy, the Digital Personal Data Protection Act 2023, received the assent of President Droupadi Murmu and was published in the official gazette.
While the act's effective date is pending confirmation, and several details are yet to be hashed out, organizations should start evaluating their exposure to get a head start on compliance strategy development. This article outlines five steps privacy professionals can take to build a proactive compliance roadmap, focusing on the most resource intensive and technology-dependent operational elements.
1. Determine applicability
The act's scope is limited to digital personal data, i.e., personal data collected in digital form or collected offline and later digitized. To assess applicability, privacy pros will need to answer the following questions:
- Does the organization process digital personal data within India?
- Does the organization process digital personal data outside India, where the processing is related to offering goods or services to data principals (data subjects) within India?
The act does not apply to data processing by individuals for personal or domestic purposes, or when the personal data has been made public by the data principal or under a legal obligation.
If the answer to one of the questions above is a "yes" and exemptions do not apply, the organization must comply with the Act.
It is important to note that understanding exemptions for specific provisions of the Act will require careful analysis, as there are broad exclusions for government agencies, ambiguous definitions for certain exempt processing purposes and, in the future, the central government is also likely to add additional exemptions for specific data fiduciaries (data controllers) or classes of data fiduciaries, e.g., startups.
2. Build a data inventory and data map
Data governance is foundational for building any privacy compliance program. Although the act does not explicitly call out data inventory or data map as requirements, privacy pros will need to understand what personal data types are processed, where they are stored, what kind of processing activity is performed and which data processors the data is shared with to comply with certain obligations of the Act. Some examples of these obligations that rely on data inventory for implementation are:
- Data fiduciaries must ensure the data's completeness, accuracy and consistency, where personal data is used for decision-making that affects the data principals.
- Data fiduciaries must enable data principal rights such as the right to access, correction and erasure of personal information.
- Data fiduciaries and data processors must enforce data erasure requirements when the specified data processing purpose is no longer being served.
- Data fiduciaries must provide notice to data principals about the personal data being processed and the purpose of processing.
There is no one size fits all solution for data inventory and mapping initiatives. Data discovery, classification and cataloging approaches can range from manual, often starting with interviews/questionnaires, to automated, with code scanning or machine learning-based data classification tools. Before selecting the appropriate method, privacy pros must consider several factors, including data ecosystem complexity, data volume, resource requirements, executive support, tooling availability and scalability.
3. Set up consent mechanisms
If data processing relies on consent, organizations will need to comply with consent requirements under the Act and build a compliance plan that includes the following steps:
- Review data maps to identify which processing activities rely on consent.
- Determine when and where consent is required.
- Develop a consent request process that is accompanied or preceded by a clear notice and the contact information of the data protection officer or authorized individual. Note that consent requests should not be bundled with other terms and conditions.
- Create processes for collecting and managing the verifiable consent of parents of children (individuals under 18 years) and lawful guardians of persons with disabilities, if applicable.
- Build a consent withdrawal process that is as easy as providing consent. Examples include a privacy preference center, a dedicated email address and unsubscribe links.
- Track and synchronize consent across systems to ensure the in-scope data processing is stopped ‘'within a reasonable time" after consent is revoked. Future notifications may specify time frames.
Lastly, the act requires data fiduciaries to prove data principals gave consent under its provisions. Therefore, it is crucial to retain consent logs to demonstrate compliance. At a minimum, these logs should include an identifier of the data principal, timestamp of consent, method of consent and version of the notice associated with the consent request.
4. Enable data principal rights
To comply with the act, organizations will need to create processes to enable data principal rights, such as the right to access information about personal data, the right to correction and erasure of personal data, the right of grievance redress, and the right to nominate. Privacy pros can begin by:
- Leveraging data maps to understand what data is in-scope.
- Build a privacy rights intake process and log all requests. Examples include external-facing web forms, in-app privacy preference centers or dedicated email addresses.
- Implement identity-verification processes for requesters. Identity-verification measures may include a requirement to log in to the account, complete a multifactor authentication process or provide additional information. This step should also account for parents of children, lawful guardians of persons with disabilities and nominees who may request privacy rights on behalf of others.
- Determine if rights fulfillment should be manual with privacy or support teams using standard operating procedures, automated with in-house built tools or privacy technology vendor solutions or hybrid.
- Create processes to pass requests to data processors for correction and erasure rights.
5. Implement technical and organizational measures
To comply with the act, data fiduciaries must implement "appropriate technical and organizational measures" and "reasonable security safeguards to prevent personal data breach." Failure to deploy reasonable security safeguards resulting in a data breach may lead to penalties up to INR250 crores, approximately USD30 million. Selecting the measures and safeguards to implement should be a risk-based decision, considering industry best practices, the context of data processing and privacy harms to data principals. Below are some example measures data fiduciaries and data processors may consider to protect personal information:
Organizational measures:
- Roll out a security and privacy training and awareness program for employees and contractors handling personal information.
- Draft standard operating procedures detailing personal data handling requirements.
- Publish internal policies related to security and privacy. Human resources teams may integrate acknowledgment of these policies into the employee onboarding process or periodic training programs.
Technical measures:
- Leverage techniques to anonymize personal data so individuals are no longer identifiable and validate the methods' effectiveness.
- Implement strong access controls for personal data.
- Establish and maintain the secure configuration of devices and software handling personal data.
Several key provisions of the act have been left to delegated legislation, so privacy pros will need to keep track of future developments and adjust their compliance strategy accordingly.