The author of this article, RV Raghu, is the Director of Versatilist Consulting India & ISACA Ambassador.
Last month, the President of India provided assent for the Digital Personal Data Protection (DPDP) Act, 2023 – a hallmark act intended to ensure that the processing of digital personal data is done in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
I will provide an overview of the act and discuss what organizations must do to ensure compliance with the DPDP act, first assuming a greenfield approach, and then detail what can be done with data already in the organization’s possession.
Understanding the Digital Personal Data Protection Act
The act focuses on actions to be taken by the data fiduciary, the person or entity that determines the purpose and means of processing personal data (not to be confused with the data processor, which processes personal data on the fiduciary’s behalf), to protect data belonging to the data principal, i.e., the individual to whom the personal data relates.
It requires consent to be obtained from the data principal for the data that will be collected and the purposes of such collection, and requires the fiduciary to tell the data principal how that consent may be withdrawn and how to exercise the right to access information about the personal data the fiduciary handles.
The act also gives the data principal the right to have their data corrected, completed or updated by the data fiduciary and, finally, the right to erasure of personal data. The data principal is also entitled to a grievance-redressal mechanism and to recourse to the Data Protection Board of India established under the act.
Other interesting aspects include the ability of the data principal to nominate another individual to exercise the data principal’s rights in case of the data principal’s death or incapacitation. Additionally, the act envisages fines of up to two hundred and fifty crore rupees. If nothing else makes organizations sit up and take notice, the potential to be fined to the tune of crores of rupees, not to mention the associated reputational damage, should encourage organizations to act proactively.
Lines of Action - Complying with the Digital Personal Data Protection Act
Two broad lines of action may be required – one, to understand what data is collected and why, and two, to manage consent for the data collection and processing. These actions must be applied to existing data within the organization and to data that may be collected in the future.
To comply with the act, organizations must understand what data is being collected and why. This will require a deep dive into business processes and related data collection.
For example, if data is being collected on paper, what is being collected is very visible and can easily be connected to the purpose, i.e., why the data is being collected. If a customer buys a product and fills in a form with name, address, and contact details, it is understood that this information is necessary for product delivery.
But online, things get tricky because, along with address and contact details, other data can be collected, such as IP addresses, type of device, browser used, location, etc. This additional data may be collected without the customer’s knowledge.
It is also possible that the business process owner may be unaware this additional data is being collected, especially considering such data may be collected because the technology is available and the IT team/application architect thinks it may be useful for some purpose in the future. Clarity on what is being collected and why, i.e., purpose specification, is paramount to effective consent management, which is a key requirement of the DPDP act.
Organizations will also need to establish consent management systems so that consent as envisaged by the act is met. As the act indicates, “consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.”
Effective consent management will require a deep understanding of what data is being collected and why so that granular consent can be obtained and managed. This granular consent management will also facilitate the use of a consent manager as laid out in the act or even the revocation of specific consent by the data principal.
Data Storage and Retention
Data retention also requires focus. Organizations need to know how long they will retain data, in what format, and how and why.
Retention controls are necessary to ensure that once consent is withdrawn, data about the principal is no longer retained. Of course, the why part regarding retention could be driven by legal or statutory requirements and business requirements. For example, order data may need to be retained until the return window is over or to satisfy warranty or guarantee claims.
The format is also important and can be the source of much trouble. The longer data is retained, the larger the attack surface and the greater the exposure in today’s world of ransomware and cyber-attacks. Because databases and data stores are traditionally designed with the identifying fields sitting alongside the transactional data, it is usually trivial to connect the collected data to the data principal, which makes exposure of the principal a given in case of a breach.
Organizations should anonymize and/or pseudonymize the data and store it so that it cannot easily be connected to the data principal. Options such as tokenization, where the identifying fields are replaced by a random token and held in a separately secured vault, can also be used so that a direct connection cannot be established in case of a breach, or even inadvertently during routine use. One caveat: pseudonymized or tokenized data is still personal data for as long as the organization can re-link it, so the vault and its keys need the strongest controls and their own retention rules. Control of the format/method of data retention is critical to effectively support erasure/modification/update requests and to support future business intelligence needs.
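The following is an added illustration of the tokenization pattern described above; it is not code from the article or from Versatilist/ISACA. Identifying fields go into a vault keyed by a random token, business records carry only the token, and the token is what makes erasure, correction and continued analytics fit together: a correction is one vault update, erasure is one vault delete that leaves the order rows standing but unlinkable, and a legal/business hold (such as a return window) can defer erasure after consent is withdrawn. The class, the field names in PII_FIELDS, the sample customer and orders, and the 30-day hold are all constructed assumptions chosen to show the mechanics, not a reading of the Act.

```python
"""Pseudonymized storage: PII in a separate vault, business records hold only a token.

Added illustration, not code from the article. The class, field names, sample
records, the 30-day hold and PII_FIELDS are assumptions made for the example.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

PII_FIELDS = ("name", "email", "phone", "address")  # assumed directly identifying fields


@dataclass
class VaultEntry:
    pii: dict
    consent_withdrawn: bool = False


@dataclass
class PseudonymizedStore:
    vault: dict[str, VaultEntry] = field(default_factory=dict)  # token -> PII; store this separately
    email_index: dict[str, str] = field(default_factory=dict)   # normalised email -> token
    orders: list[dict] = field(default_factory=list)            # token only, never PII

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def _token_for(self, pii: dict) -> str:
        key = self._key(pii["email"])
        if key not in self.email_index:
            # Random token: unlike a hash of the email, it cannot be re-derived by guessing inputs.
            token = secrets.token_hex(16)
            self.email_index[key] = token
            self.vault[token] = VaultEntry(pii=dict(pii))
        return self.email_index[key]

    def record_order(self, pii: dict, order: dict, placed_on: date, hold_days: int) -> dict:
        """Store the order under a token. hold_days is the window (return/warranty) during
        which the business still needs to be able to re-identify the customer for this order."""
        token = self._token_for(pii)
        row = {k: v for k, v in order.items() if k not in PII_FIELDS}  # strip any PII that slipped in
        row.update(token=token, placed_on=placed_on, hold_until=placed_on + timedelta(days=hold_days))
        self.orders.append(row)
        return row

    def re_identify(self, token: str) -> dict | None:
        entry = self.vault.get(token)
        return dict(entry.pii) if entry else None

    def update_pii(self, email: str, **changes) -> bool:
        """Correction/update request: change the vault entry once; every order row follows via the token."""
        token = self.email_index.get(self._key(email))
        if token is None:
            return False
        self.vault[token].pii.update(changes)
        if "email" in changes:
            del self.email_index[self._key(email)]
            self.email_index[self._key(changes["email"])] = token
        return True

    def has_hold(self, token: str, today: date) -> bool:
        return any(o["token"] == token and o["hold_until"] >= today for o in self.orders)

    def withdraw_consent(self, email: str, today: date) -> str:
        """Erase PII now unless a legal/business hold still applies; purge() finishes the job later."""
        token = self.email_index.get(self._key(email))
        if token is None:
            return "unknown"
        self.vault[token].consent_withdrawn = True
        if self.has_hold(token, today):
            return "pending-hold"
        self._erase(token)
        return "erased"

    def _erase(self, token: str) -> None:
        entry = self.vault.pop(token)
        self.email_index.pop(self._key(entry.pii["email"]), None)
        # Order rows keep the token, but it now points nowhere; they still count for aggregates.

    def purge(self, today: date) -> int:
        """Scheduled job: erase withdrawn principals whose holds have lapsed. Returns the count erased."""
        due = [t for t, e in self.vault.items() if e.consent_withdrawn and not self.has_hold(t, today)]
        for t in due:
            self._erase(t)
        return len(due)

    def orders_contain_pii(self) -> bool:
        """What a dump of the orders table alone would expose: should be nothing identifying."""
        return any(k in PII_FIELDS for o in self.orders for k in o)

    def revenue_by_sku(self) -> dict[str, int]:
        """BI keeps working on the de-identified rows, before and after erasure."""
        totals: dict[str, int] = {}
        for o in self.orders:
            totals[o["sku"]] = totals.get(o["sku"], 0) + o["amount"]
        return totals


def demo() -> dict:
    """Walk-through on constructed records (not a real person); returns checkpoints."""
    s = PseudonymizedStore()
    pii = {"name": "A. Customer", "email": "A.Customer@example.com",
           "phone": "+91-00000-00000", "address": "1 Sample Road"}
    o1 = s.record_order(pii, {"order_id": "O-1", "sku": "KETTLE", "amount": 1999, "email": pii["email"]},
                        date(2023, 9, 1), hold_days=30)
    o2 = s.record_order(pii, {"order_id": "O-2", "sku": "TOASTER", "amount": 2499},
                        date(2023, 9, 10), hold_days=30)
    s.update_pii("a.customer@example.com", phone="+91-11111-11111")
    return {
        "row_has_pii": "email" in o1,
        "same_token": o1["token"] == o2["token"],
        "orders_contain_pii": s.orders_contain_pii(),
        "phone_after_update": s.re_identify(o1["token"])["phone"],
        "withdraw": s.withdraw_consent("a.customer@example.com", date(2023, 9, 15)),
        "purge_early": s.purge(date(2023, 10, 5)),   # O-2 hold runs until 2023-10-10
        "purge_late": s.purge(date(2023, 10, 11)),
        "re_identify_after": s.re_identify(o1["token"]),
        "revenue": s.revenue_by_sku(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split is that an attacker who dumps only the orders table gets tokens and SKUs, not people, while the organization can still answer a correction request with one vault update and an erasure request with one vault delete. In a real deployment the vault would live in a separate database or a dedicated tokenization service with its own access controls and audit trail, and the order rows would still be subject to the organization’s records-retention schedule.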
When it comes to handling data already in the organization’s possession, the first step is data discovery. This helps identify what data is available, in what format, and with which entities, both within the organization and outside (e.g., vendors and other business partners).
This can be a sweeping exercise and requires a concerted effort to identify how data is being stored, not just in ready-to-access formats as part of business applications used every day, but also data stored in archives, in backups off-site and/or in the cloud.
Business processes may have to be deeply understood to know what data was collected in the past and in what format—such as in paper format, through an online application or even a mobile application—not to mention the reason why. Understanding the “why” is critical to be able to connect how the data is being processed now and how it may be potentially used/processed in the future, which can facilitate compliance with the act.
For example, an online retailer may have been collecting customer contact data such as email and telephone numbers to share updates/tracking information on products to be delivered and later also be used to send marketing or promotional messages to the customer.
Consent for the first purpose may never have been explicitly obtained, and the second purpose may not be covered at all, or the consent obtained may not cover every scenario, leading to non-compliance. The act itself contemplates this situation: where consent was given before its commencement, the fiduciary must provide the prescribed notice as soon as is reasonably practicable and may continue processing until the principal withdraws consent. Once data discovery is complete and the “why” is understood, organizations should proceed to obtain consent from customers and take action on the data where consent is not given, or is not given for the purposes for which it was requested.
Using the ‘by design’ approach for compliance
Some other overarching principles that should be used to drive cost-effective compliance include a ‘by design’ approach combined with data minimization, understanding the data lifecycle, and a focus on data governance, among other actions, so that the necessary risk-based controls can be applied.
A ‘by design’ approach focuses on mapping business processes, the data collected, the purpose for which said data is collected, and the potential use cases for the data. Once this is done, applying a data minimization philosophy will help limit the data being collected and facilitate better data management across its lifecycle.
For example, data minimization can help limit data collection instead of collecting data just because it is technically possible. It also helps limit to whom and how the data is shared. At each step of the process, a minimization lens should be applied to limit the data that is collected.
A risk assessment should also be conducted at all stages of the data lifecycle – i.e., collection, processing, storage, and disposal—so that threats can be minimized, especially from improper data collection/consent management.
As an outcome of the risk assessment, minimum standards such as the following can be established and implemented:
- Anonymization and/or pseudonymization.
- Written contracts with all vendors/partners handling the data (the act permits a data processor to be engaged only under a valid contract, so an NDA alone is not enough).
- Establishing retention periods for all data.
- Destroying/deleting after the retention period.
- Conducting periodic audits to identify and remedy gaps.
In summary, for effective compliance with the act, companies need to be clear on what data they are collecting, why, and how they are obtaining and managing consent. This requires a holistic approach, combining business processes and technologies working in tandem to solve what is essentially a business problem and not a technology one.
ABOUT THE AUTHOR
R.V. Raghu, CISA, CRISC, is the director of Versatilist Consulting India Pvt. Ltd., which is active in India and the Middle East. Versatilist provides consulting, training and auditing services in information security, IT service management, business continuity and enterprise risk management. Raghu has over two decades of extensive, hands-on, global experience across various verticals, such as engineering, manufacturing, IT, ITeS, BFSI, chemicals, mining and telecom.
He has provided training, consulting and implementation support for establishing management systems compliant to ISO international standards and other frameworks, such as CMMI and COBIT. He is a platinum level member of ISACA and has served on the ISACA Global board of directors for five years.