New year, new privacy program
10 foundational questions to ask yourself in preparation for India's DPDPA - who doesn't love a listicle?
Welcome back to Legitimately Interested, my fortnightly newsletter on data protection and privacy! Wishing you a happy new year, and thank you to everyone who has brought this community to more than 150 subscribers, in just 2 issues!
[Before we get into it, the content of this newsletter will always be free. But if you would like to support my work, consider taking a paid subscription. If you'd rather not commit to one, one-time contributions are also welcome here].
Initially, I was hoping that this issue could be a breakdown of the highly anticipated data protection rules to be notified under India's DPDPA, 2023 (Rules). However, it looks like we're going to have to wait a bit longer for them to be released. Until then, I thought I would address compliance in anticipation of the Rules.
There's a lot of brilliant material out there on preparing for DPDPA compliance. Now that we have discussed personal and non-personal data in the previous issues, I'd like to break from broader topics this issue and home in on the question that a lot of businesses, especially founders of early-stage companies, may be facing given the mountain of information out there: where do we start? [I will be addressing more advanced compliance topics as we go along (such as Data Protection Impact Assessments or Privacy by Design); this is meant to be a foundational list.]
Issue in Focus
It's well settled by now that complying with data protection law has utility from a business perspective: it saves an entity from potential penalties, builds public trust (and by extension, competitive advantage), and, when combined with a good information security program, reduces the exposure of the business's own assets. So the first step is to recognise the importance of compliance, rather than attempting to find loopholes through which non-compliant practices can continue (see my post about this here).
With that, here is a list of questions which should form the base for your DPDPA compliance roadmap:
Does this apply to us? - The DPDPA applies to the processing of digital personal data (including data collected in non-digital form and digitised later) (i) within India, and (ii) outside India, where the processing is in connection with offering goods or services to Data Principals in India. So your own location matters less than whether people in India can avail of your goods and services and whether these are targeted at them; mere passive access to a website from India is unlikely to be enough on its own. The DPDPA does not apply to (i) data that stays in non-digital form, (ii) personal data made publicly available by the Data Principal themselves or by someone under a legal obligation, or (iii) processing by an individual for personal or domestic purposes.
Who are we? - Take stock of your products/services. For each, map out whether you are a Data Fiduciary (i.e., you decide HOW and WHY the data is processed) or a Data Processor (i.e., you process data on behalf of, and on the instructions of, another entity). This may lean heavily one way depending on whether you're B2B or B2C, a sole proprietorship, and the nature of the product/service. But keep in mind that every entity is a Data Fiduciary in relation to (i) its employees (note that processing for employment-related purposes is one of the Act's 'legitimate uses', so this does not always rest on consent), (ii) vendors whose PII you collect, and (iii) visitors to your website, which means your website needs a privacy notice. If you process a large amount of personal information, for e.g., a hospital, a bank, or a large social media platform, you are likely to be a Significant Data Fiduciary, a topic we'll know more about from the Rules and cover in more detail. It comes with its own set of compliance requirements, like appointing a DPO, conducting DPIAs and periodic audits.
What do we collect, why, and do we have consent? - In Column A, set out the personal data you collect. In Column B, map each piece of data against a purpose. If you can't justify a purpose in Column B, then you know you can't collect the data in Column A. In Column C, identify whether you're taking appropriate consent for collection (the more granular, the better) by explicitly telling Data Principals what their data is collected for, whether consent is obtained via a contract with your B2B partner, etc. If consent is not the ground but you are relying on one of the 'legitimate uses', map that too. This will ensure you have a comprehensive set of justifications for data collection. This question will also lead you to ask whether you process the data of children (those under 18) or of persons with disabilities who have a lawful guardian, both of which come with specific requirements such as verifiable parental or guardian consent.
Do we keep it? Where? How? - For the data you've mapped in Columns A to C, understand which data you store and where you store it (this will be a joint exercise with your infosec team to determine the security of the location and the level of encryption in transit and at rest). Do you store it in anonymised form or not? If not, does your purpose justify storing it as personally identifiable info? If not, then it is best to de-identify it. If the purpose does not even justify storing it in de-identified form, then it is best to delete it altogether. One caveat: de-identified data is only as safe as the means of re-identification, so pseudonymisation keys and lookup tables need the same protection as the original data. Remember, data minimisation is the key to a happy privacy program.
Where can we do with less PII? - On the note of data minimisation, it's important to understand where there are opportunities to scrub PII or make it fuzzy. For example, is it necessary to know that Mr. X is 45 years old? Or is it enough to know that 20% of customers visiting your website are between the ages of 40 and 50? If you can derive similar utility from a fuzzier dataset, that's the way to go. This is also a good juncture to delete databases of personal information bought for functions like sales, for which you have neither consent nor a legitimate use; keeping them is non-compliant now.
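The Column A/B/C mapping and the minimisation step above can be expressed as a small ingestion check. The script below is an added illustration and is not part of the newsletter; the field names, purposes, records and the HMAC key are all constructed for the example. It drops any field that has no purpose in the map, replaces direct identifiers with a keyed pseudonym (a keyed HMAC rather than a bare hash, since an unkeyed hash of an email address or phone number is trivially brute-forced), generalises age into bands, flags records that need verifiable parental consent, and computes the "20% of customers are 40-49" style aggregate that usually makes the raw age unnecessary.

```python
"""Purpose-mapped data minimisation for a customer record feed.

Added example, not the newsletter's own code. Field names, purposes,
sample records and the key below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import Any

# Column A (field) -> Column B (purpose) plus how the field is to be handled.
# Anything not listed here has no justified purpose and is dropped on ingestion.
DATA_MAP: dict[str, dict[str, str]] = {
    "email":       {"purpose": "account login",     "treatment": "pseudonymise"},
    "phone":       {"purpose": "delivery updates",  "treatment": "pseudonymise"},
    "age":         {"purpose": "audience analytics", "treatment": "generalise_age"},
    "pincode":     {"purpose": "delivery",          "treatment": "keep"},
    "order_total": {"purpose": "billing",           "treatment": "keep"},
}

# Age bands coarse enough for analytics; the exact age is never stored.
AGE_BANDS = [(0, 17, "under-18"), (18, 29, "18-29"), (30, 39, "30-39"),
             (40, 49, "40-49"), (50, 64, "50-64"), (65, 200, "65+")]

# Hypothetical key; in practice it lives in a secrets manager, never in code.
PSEUDONYM_KEY = b"example-key-rotate-me"


def generalise_age(age: int) -> str:
    """Map an exact age to its band (the 'fuzzier dataset' from the text)."""
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    raise ValueError(f"age out of range: {age}")


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token, but not
    reversible without the key (unlike a plain SHA-256 of a phone number)."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def requires_verifiable_parental_consent(record: dict[str, Any]) -> bool:
    """DPDPA treats anyone under 18 as a child."""
    return int(record["age"]) < 18


def minimise(record: dict[str, Any], key: bytes = PSEUDONYM_KEY) -> tuple[dict[str, Any], list[str]]:
    """Apply the Column A/B map to one record.

    Returns the minimised record and the list of fields dropped because
    they had no purpose in DATA_MAP.
    """
    out: dict[str, Any] = {}
    dropped: list[str] = []
    for field, value in record.items():
        rule = DATA_MAP.get(field)
        if rule is None:  # Column B empty: no purpose, so no collection
            dropped.append(field)
            continue
        treatment = rule["treatment"]
        if treatment == "pseudonymise":
            out[field] = pseudonymise(str(value), key)
        elif treatment == "generalise_age":
            out[field] = generalise_age(int(value))
        else:
            out[field] = value
    return out, dropped


def age_band_distribution(records: list[dict[str, Any]]) -> dict[str, float]:
    """Percentage of records per age band: the aggregate that usually makes
    storing exact ages unnecessary."""
    counts: dict[str, int] = {}
    for rec in records:
        band = generalise_age(int(rec["age"]))
        counts[band] = counts.get(band, 0) + 1
    total = len(records)
    return {band: round(100 * n / total, 1) for band, n in counts.items()}


# Constructed sample feed; 'device_id' and 'dob' have no mapped purpose.
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"email": "Asha@example.com", "phone": "+91-9800000001", "age": 45,
     "pincode": "560001", "order_total": 1200, "device_id": "d-4f1"},
    {"email": "ravi@example.com", "phone": "+91-9800000002", "age": 28,
     "pincode": "110001", "order_total": 300, "dob": "1995-06-01"},
    {"email": "meera@example.com", "age": 16, "pincode": "400001", "order_total": 150},
    {"email": "tom@example.com", "phone": "+91-9800000004", "age": 42,
     "pincode": "560002", "order_total": 999},
    {"email": "dev@example.com", "age": 67, "pincode": "700001", "order_total": 50},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        minimised, dropped = minimise(rec)
        flag = " [child: verifiable parental consent needed]" if requires_verifiable_parental_consent(rec) else ""
        print(minimised, "dropped:", dropped, flag)
    print("age bands:", age_band_distribution(SAMPLE_RECORDS))
```

The useful property to notice is that the map, not the code, decides what is kept: adding a field to the feed without adding a purpose to DATA_MAP causes it to be dropped, which is the Column A/Column B rule enforced mechanically rather than by policy alone.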
Which sectoral laws apply? - By the time you're at Questions 3 and 4, you will also need to consider sectoral laws, for instance if your company deals with financial or payment information (RBI directions) or health-related information. These laws will also help with the mapping exercise and with understanding the requirements for storage, retention and localisation.
Who do we share data with? - Data becomes more valuable the more parties can derive insights from it, which is exactly why sharing needs to be tracked. Map the entities that data is shared with (including group entities), WHY it is shared, and the safeguards incorporated in contracts with these parties to ensure that the data is kept secure, not shared onward, and returned or deleted when the purpose is fulfilled. Column B will help here as well. This question will also lead you to whether any data is transferred outside India, which, for now, is permitted but may be subject to a 'blacklist' of countries notified by the Central Government. More on this in future issues.
Do we have procedures in place? - Data protection compliance comes with the need to institute procedures for (i) addressing the rights of Data Principals (providing access to information, correcting/updating/erasing it, and letting them nominate someone to exercise their rights), (ii) grievance redressal, and (iii) reporting data breaches to the Data Protection Board and to the affected Data Principals (in the form and timelines we will learn from the Rules). Setting these up now, even in a tentative form, will ensure that you're not scrambling at the last minute.
Do we periodically review and maintain data hygiene? - Processing data doesn't end at either storage or deletion. If stored, it needs to be continually reviewed to ensure it is complete, accurate and consistent (an obligation on Data Fiduciaries under the DPDPA), kept secure from unauthorised access, and retrievable when needed. In information security terms, these three are the CIA triad: Confidentiality, Integrity and Availability.
How does our privacy program map against our infosec controls? - The CIA triad gives us a good segue into the last question: a program for compliance with privacy law is incomplete without the right infosec controls (i.e., the 'technical and organisational measures' we see in multiple privacy laws). This will also lead to an evaluation of whether you have the right certifications for your business (for e.g., ISO 27001, PCI DSS, SOC 2), an understanding of how data is protected at each layer and who within your organisation has access to it, and training for employees. A joint technical and legal audit is the way to go.
Of course, none of the 10 questions above is straightforward, and each could get more complicated depending on the scenario at hand, new technologies, and lawyers arguing for the more favourable position. Stay tuned as we unpack them all through the course of this newsletter!
Privacy Roundup
India sets tentative Jan 31st deadline for notifying data protection rules
European Commission releases Q&A on AI Act
Google settles class action lawsuit over privacy violations of users browsing in incognito mode
Utah’s consumer privacy law takes effect and New Jersey’s privacy law passes both houses, pending Governor’s assent
Thailand releases requirements for appointing DPOs (a good English summary available here)
A very interesting read on anti-privacy choice architecture from the upcoming book ‘The Privacy Fallacy’
UK House of Lords has second reading of Data Protection and Digital Information Bill
UK ICO releases new guidance on employee monitoring
Listen to IAPP’s 2023 Privacy Year in Review
That’s a wrap on issue 3! Feel free to reach out to me on LinkedIn for suggestions on topics which I could cover, or contact me at the coordinates on my website.