Once we have determined that DPDPA applies to us as a company, the next question is what we must do to ensure that we are DPDPA compliant.
We saw that there are two roles on the business side – Data Fiduciary and Data Processor. A company may hold either one or both of these roles.
As a Data Fiduciary, you decide why and how personal data is processed. The Data Processor is the one who actually performs the processing operations on the instructions of the Data Fiduciary.
Let us understand this concept with an example. Techno Giant Ltd (TGL) outsources its employee payroll to Swift Pay Services (SPS).
In this example, TGL is the Data Fiduciary. It decides why employee data is processed, what data is collected, and how long data is retained.
SPS is the Data Processor. It processes employee personal data only on instructions from Techno Giant Ltd. It performs payroll calculations, pays salaries, and generates payslips. It does not use the data for its own independent purpose.
There are also Supporting Processors or Sub-processors. These include the bank that makes the payments to employee accounts, the cloud hosting provider that hosts the data, and so on.
Just the simple act of running payroll requires at least 4 organizations to comply with the requirements of DPDPA – TGL, SPS, the Bank and the Hosting Provider. As you can imagine, this only gets more complicated if you provide financial services or sell goods and services online, because more companies, vendors and sub-contractors are involved in such situations.
What are the Principles of Data Protection?
In the above example, both TGL and SPS are required to follow the Data Protection principles, which ensure that data is captured, stored, protected and used ethically and legally throughout their operations.
- Lawfulness, Fairness & Transparency – Data collection must be legal, fair and clearly explained to Data Principals
- Purpose Limitation – Data collection must be for a specified and legitimate purpose
- Data Minimisation – Only the personal data necessary for the stated purpose should be collected
- Accuracy – Reasonable steps must be taken to keep data accurate and updated
- Storage Limitation – Data should only be kept as long as needed for its intended purpose
- Integrity & Confidentiality – Technical and organizational safeguards are required to prevent unauthorised access or breaches
- Accountability – Final accountability is usually with the Data Fiduciary, in this case TGL.
What are TGL and SPS required to do?
In this example, the Data Fiduciary TGL is responsible for protecting the digital personal data of its employees. To achieve this, TGL needs to put in place a framework of legal, technical and organizational measures for personal data protection, and must also ensure that these measures are enacted by the processors, namely SPS, the Bank and the Hosting Provider.
The steps TGL takes can be largely categorized under 5 areas: Justification; Consent; Inventory – RoPA; Governance; and Exceptions and Breaches.
Justification
The first step is to assess the justification for collecting PII and other data.
Purpose Limitation & Data Minimization
The purpose of employee data collection by TGL is salary payment and other compliance obligations such as Income Tax, Fund, Pension and other benefits.
Companies can keep this data while employees are in service and thereafter for as long as Government regulation requires (e.g. 3 years, 7 years or 10 years).
Impact Assessment
TGL conducts an Impact Assessment to ensure that this collection is justified. It assesses the operational, financial or compliance implications of not collecting this data, and whether the processing of the personal data presents significant risks to consumer privacy or security.
Consent
TGL then works on obtaining valid, transparent and demonstrable consent from the Data Principals (DPs).
Transparency & Notices
TGL clearly displays, and directs users to, a page where its Privacy Policy is published. The policy explains what data is collected, why it is collected, how long it will be kept and how users can exercise their rights.
TGL provides the notice on the above in easy-to-understand language, in English, as most of its employees are familiar with that language.
Consent Related
On TGL's intranet portal, a consent form is displayed that makes clear the lawful purpose for collecting the data. It captures consent from individuals (employees) and stores it in TGL's system.
Data Principal Rights
TGL makes it easy for its employees to place requests to access their personal data, correct or update inaccurate data, and erase data that is no longer needed.
TGL's grievance redressal policy states the timeframe within which it will respond to queries and complaints.
Inventory – RoPA
The next step TGL follows is to assess its visibility of the PII and other data it collects. It also needs to be aware of the special provisions that apply to certain categories of data and conditions.
Identification & Data Mapping
Data required for payroll processing includes employee name, bank account number, PAN/Aadhaar, salary details, etc.
TGL needs to document the data flow clearly – from HR (attendance and leave) to Finance (approval) to SPS (processing) – and record it in a Data Flow Diagram.
Children’s Data – A Crucial Part of DPDPA Provisions
This is a crucial and sensitive requirement of DPDPA for any company handling data of children below 18 years. Verifiable parental or guardian consent is required. Profiles of children must not be created, and children must not be tracked or targeted with advertising.
TGL employees may have minor children. TGL provides family insurance benefits and therefore gathers children's data. TGL, SPS and the insurance provider are all responsible for the security of this data.
Significant Data Fiduciaries (SDFs)
TGL is categorized as a Significant Data Fiduciary (SDF) as it processes a large volume of sensitive data. It has appointed a Data Protection Officer (DPO), who ensures that the rights of Data Principals are protected.
TGL wants to ensure that it spots risks beforehand, so it conducts Data Privacy Impact Assessments (DPIAs).
TGL undergoes audits twice a year to stay on top of DPDPA compliance.
Data Processors & Vendors
TGL has contracted SPS to process its payroll data and shares the required employee information with SPS. TGL's contract with SPS sets out clear data protection responsibilities and security and confidentiality obligations.
TGL, as the main organization, remains accountable for compliance.
Cross-border Data Transfers
Apart from India, TGL has operations in other South Asian countries, with employees working from offices outside India. Since the government has not restricted such data transfers, employees' data from these countries is transferred to SPS for processing.
Both TGL and SPS monitor and follow government notifications.
Governance
The next crucial step for TGL is to assess and establish whether it has appropriate processes for governing the data being collected and stored.
Data Security Safeguards
TGL has implemented reasonable security measures such as encryption, pseudonymization and access control to prevent data breaches, unauthorized access, and loss or misuse of data.
If, despite all the carefully implemented measures, a data breach occurs, TGL will notify the Data Protection Board of India. It will also assess the impact of the breach and inform the affected individuals when required.
Monitor & Awareness
TGL conducts awareness sessions for employees, other stakeholders and vendors, including SPS.
Two primary types of dashboards are required: a User Consent Dashboard for data principals (individuals) and a Compliance Management Dashboard for data fiduciaries (organizations).
Exception & Breach Response
While it is important to follow the designated steps in data privacy, it is equally important to determine and assess whether TGL has adequate processes and systems for handling exceptions and data breaches. Data breaches can happen intentionally or unintentionally.
TGL has a documented incident and data breach response plan covering Containment, Investigation, Remediation and Recovery from such incidents.
TGL's employees and team members, including 3rd-party teams, are trained regularly on the latest aspects of recognizing and reporting exceptions and potential data breaches.
TGL and SPS are aware that the penalties for non-compliance include fines of up to ₹250 crore, depending on the violation. If grievances raised by Data Principals are not addressed within the given timeframe, the DPBI can levy fines. If the companies still fail to comply, the government can intervene and TGL's operations can come to a standstill.