With rapid changes in the global privacy landscape, Indian businesses and most importantly privacy professionals are constantly embroiled in critical questions. Are we doing privacy management right? With data breaches increasingly common and affecting organizations of all sizes and scale — from startup sharks, like Dunzo and Unacademy, to giant whales, like Facebook and Twitter — privacy management is undeniably a pivotal project for all in-house legal and compliance teams.

We do expect to eventually see the Indian Personal Data Protection Bill, 2019 take effect in the near future. Understandably, all companies are reviewing the bill and racking their brains to figure out its requirements, as well as those of other global legislation. To ensure consistent data jurisprudence, unfettered international technology trade, and possibly the adequacy requirements of the EU General Data Protection Regulation, it is unlikely that there will be any more significant changes in the bill before it officially surfaces as India’s personal data charter.

So what should companies change or implement to err on the safe side?

Below are a few advisable activities that every privacy professional (neophyte or expert) would inevitably undertake in an organization as part of a streamlined data compliance practice.

Please note that the term "data" is used interchangeably for "personal data" in the interest of limiting the scope of this article to personal data compliance management only.

Organization principles

Once companies accept data compliance as a firm and sustainable goal, the first key task for privacy professionals must be to lay the fundamental principles for data in the organization: lawful basis, data minimization, purpose limitation, accuracy, storage limitation, information security and accountability.

To help build consensus within the organization toward these organization principles and the data privacy goal, it is advisable to engage the business team and key managerial personnel early on in seminars that highlight the changing data privacy legislation and the risks of falling behind in compliance.

Data privacy team 

Whether done by consultants, law firms or by an in-house legal team, data privacy compliance needs a specialized or trained data privacy team. Depending on the allocable resources, organization principles and versatility of business teams, a privacy team can comprise several privacy drivers that may be led by one specialized privacy resource.

Data inventory

Nothing is unmanageable about data privacy legislation if the data is accounted for across all business divisions. Personal data invariably makes its way into most departments in an organization (human resources, information technology, service providers, etcetera), either through the deployment of several technology applications or during the course of regular filing requirements (e.g., CCTV cameras, employment data portals, biometric access controls, vendor and/or customer applications, etcetera).

This data may identify a person directly or may serve as an identifier or a metadata derivative in inferring the identity. Furthermore, the data can be either personal data or sensitive personal data, depending on how it is specified in the proposed bill. Keeping in mind the elaborate definitions and reporting requirements laid down in the bill (and with greater care and verification for sensitive personal data), personal data can be collated and classified in all departments in a common unique data format (data excel). There are different ways of conducting this activity:

  1. Employee portal surveys seeking details of the data excel in a time-limited activity. However, it is advisable to communicate with the relevant business stakeholder of each team to ensure data is collated in the most verifiable and diligent manner.
  2. Offline surveys taken by the privacy drivers and/or privacy professional to seek details of the data excel in a time-limited activity.
  3. Data discovery software tools (which may include the existing ones deployed for analytics) that identify, collect and present the data in accordance with the criteria specified in the data excel.

Data life chart

While this may seem similar to the data inventory exercise, it is essential to note the importance of a lifecycle of every set of personal data processed by the company and/or by its service providers. One must prepare a separate data life chart for every unique data excel and must include the following:

  1. Source of data and mode of data collection.
  2. Purpose of data collection.
  3. Privacy statements shared during collection.
  4. Mode and instructions of processing of data.
  5. Place of processing of data.
  6. Mode and destination of transfers of data, if any.
  7. Storage process, destination and duration of data.
  8. Protection and deletion process of data.

Address loopholes

With the data excel and data life chart in order, the privacy team can identify loopholes in business departments that do not meet the bill requirements or GDPR-recognized obligations. These can vary from inadequacies in consent management and record-keeping to the absence of recognition of data principal rights. The idea is to recognize how data needs to be correctly obtained, securely maintained in a timely manner, carefully monitored and procedurally subjected to the data principal’s rights. Loopholes may also differ between business departments, considering the variation in the basis and mode of collection.

Role of IT

When all is understood about the data flows in the organization, it is essential to approach IT to define compliant and automated processes for data management. This would involve:

  1. Review of company technology applications in light of process loopholes.
  2. Classification of all data as per the data excel.
  3. Review of data life chart requirements (especially storage, handling, erasure and secure transfer) under the bill and GDPR best practices.
  4. Review of consent management (including express and explicit) and record-keeping requirements and processes for all data.
  5. Privacy-by-design policy for all development projects and privacy impact assessments for new processes and changes.
  6. Incorporation of mechanisms to address the rights of all data principals, including the right to access, portability, erasure, etcetera.
  7. Recognition of company assets (mobile, laptops and others) and user access management and controls.
  8. Backup of data records in compliance with the expectations of the bill and other legislation (especially to demonstrate compliance).
  9. Review of communication security within and outside the organization.
  10. Review of supplier relationship (as joint data fiduciary or processor) and supplier data practices.
  11. Review of vulnerability assessments.
  12. Review of cryptography controls.
  13. Review of the Information Security Management System, performance evaluation and internal audits, and data security standards (ISO/IEC 27701).

Policies and privacy statements

Even though the role of data management is a long and continuing exercise, privacy professionals must be quick to simultaneously frame and release concise, clear and transparent policies, drafted in simple language, to cater to the data management and compliance requirements of the organization.

Data privacy and retention policies, as well as statements, must specify the disclosure requirements provided under the bill and GDPR to help every data principal, including the organization employees, understand the type, reasons, mode and duration of data collection and processing, and the rights over their data.

Privacy management must be a process in practice and be backed by records to demonstrate the accountability and commitment of the company towards managing the data in compliance with its principles and bill requirements.

The above stages can also be summed up in a flow diagram to create a simpler approach towards the compliance activity.

[Flow diagram: the compliance stages described above]

While these stage-defined tasks can uniformly serve as organizational good practices, it should be noted that there is no straightforward approach to data compliance, and it is unlikely that there will be one in the near future, considering the rapid advancement of technology and the ever-changing regulations governing it.

However, every company can be best prepared for its national legislation if it chooses to swiftly evolve to the global regulatory regime that inspires these laws. Clearly, the GDPR is playing such a role for India.
