Data classification for DPDPA

It is clear from its name, Digital Personal Data Protection Act (DPDPA), that it is about protecting the personal data of individuals that any organisation maintains.

So, if an organisation needs to answer the question “Are we compliant?”, the first step is to determine what personal data of clients the organisation is collecting and how it is being maintained.

Taking a step back, it’s essential to classify the data that is being collected, used, and maintained. The organization also needs to ensure that it has the required consent from individuals to use the data the way it’s being used.

Let’s start with a simple example.

To open a bank account, one must typically submit their Name, Phone Number, Email ID, Address Proof, Identity Proof, Photograph and Income Details to the bank.

For Identity Proof, the bank would ask for a Driver’s Licence or Aadhaar Card. These same documents could be used as Address Proof as well. The bank will also ask for your PAN number to link it with your income proof.

If we were to classify this information, we would start with:

Personal Data

Data that can be used to uniquely identify the individual. In this case Name, Phone Number, Email IDs and ID Proof fall in this category. Any information that can be used to impersonate a person comes under this category, so it needs to be protected with utmost care.

Phone numbers and Email IDs can also be used for spam calls and WhatsApp scams. If leaked, this information can be used to run phishing attacks, or whoever gets their hands on it can use it to run campaigns for personal gain.

Sensitive Data

Next comes sensitive data: any information that can be used to harm an individual, in this case say the Aadhaar Number or PAN Number.

Examples of this are many, such as fraudsters using someone’s Aadhaar to get a new SIM card, or to subscribe to government welfare schemes and pocket the benefits.

Examples of misuse of PAN include using it to take loans, which could result not only in a drop in the individual’s credit rating, but also in them being saddled with financial liabilities.

With sensitive data combined with personal data, which includes complete Aadhaar details, fraudsters could open bank accounts, take loans, create shell companies and launder money. All of this can result in financial liabilities and legal trouble.

Net-net, if someone has your personal and sensitive data, they can become you. Your data is you.

Children’s Data

This category is the data of children (anyone below 18 years of age) and includes both personal and sensitive data. The only difference is that the consent needed to collect and maintain this data must be obtained from the parents or guardians of the children.

Examples of this include student name, roll number, school ID, class, section, EdTech login credentials, etc.

All these carry the same level of importance and risk as discussed above.

Non-Sensitive Data

The final category is the data that is typically collected along with personal and sensitive data and is used for sub-categorization, analysis, reporting and other decision making.

Examples of this could be age category, gender, region and product preferences.

A common misconception is that this data does not need to be protected. But this category of data can be misused for phishing, can be combined for identity profiling, and can also trigger penalties if not protected properly or misused.

Minimum safeguards like access control, purpose limitation and retention limits should be applied to this type of data as well.
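To make the four categories and the safeguards above concrete, here is a small classifier and policy check in Python. It is an added example, not code from the original post; the field names, the allowed purposes per category and the retention periods are assumed policy values for a hypothetical KYC record, not figures taken from the Act.

```python
# Constructed field-to-category map following the four buckets in the post;
# field names are assumed labels for a hypothetical KYC record.
CATEGORY = {
    "name": "personal", "phone": "personal", "email": "personal",
    "aadhaar": "sensitive", "pan": "sensitive",
    "gender": "non_sensitive", "region": "non_sensitive",
}
# Constructed policy: purposes each category may serve, and retention limits in days.
ALLOWED_PURPOSE = {
    "personal": {"kyc", "service"},
    "sensitive": {"kyc"},
    "non_sensitive": {"kyc", "service", "analytics"},
}
RETENTION_DAYS = {"personal": 1825, "sensitive": 1825, "non_sensitive": 730}
# Constructed sample record with fake values.
RECORD = {"name": "Asha Rao", "phone": "9876543210", "email": "asha@example.com",
          "aadhaar": "000011112222", "pan": "ABCDE1234F", "gender": "F", "region": "South"}

def classify(record):
    """Group the record's field names by category; unmapped fields need manual review."""
    groups = {}
    for name in record:
        groups.setdefault(CATEGORY.get(name, "unclassified"), []).append(name)
    return groups

def required_consent(age):
    """Under 18 the consent must come from a parent or guardian, not the child."""
    return "guardian" if age < 18 else "individual"

def mask(name, value):
    """Show only the last four characters of personal and sensitive identifiers."""
    if CATEGORY.get(name) == "non_sensitive":
        return value
    return "*" * max(len(value) - 4, 0) + value[-4:]

def check_use(record, purpose, days_held):
    """List fields whose use for `purpose` after `days_held` days breaches the policy."""
    violations = []
    for name in record:
        cat = CATEGORY.get(name, "unclassified")
        if cat == "unclassified" or purpose not in ALLOWED_PURPOSE[cat]:
            violations.append((name, "purpose"))
        elif days_held > RETENTION_DAYS[cat]:
            violations.append((name, "retention"))
    return violations

if __name__ == "__main__":
    print(classify(RECORD), required_consent(17))
    print({k: mask(k, v) for k, v in RECORD.items()})
    print(check_use(RECORD, "analytics", 10), check_use(RECORD, "kyc", 800))
```

Running the checks shows that non-sensitive fields pass an analytics purpose while personal and sensitive fields do not, and that the shorter retention period for non-sensitive data is the first to expire.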

Having understood the data classification, we can now focus on the real question that every organisation has – Are we Compliant?

We will discuss this in detail in the next Blog.