Top 5 Reasons for Non-Compliance with DPDPA

Where are the GAPs in my Digital Data Protection Compliance?

If I have one hour to save the earth, I will spend 55 minutes identifying the problem and five minutes resolving it – popularly attributed to Albert Einstein

One must identify the right problem to find a solution!

Why is this relevant to us here, in the context of DPDPA compliance?

My colleagues Hari and Savita and I have talked about the nature of Data Privacy Laws – specifically DPDPA. 

We have talked about what DPDPA is, how to figure out whether it applies to your company, and, if it does, what you are expected to do, how to establish whether you are doing the things you are expected to do, and whether you are compliant.

Where lies our problem?

I will cover a related topic in this blog today: how do I figure out where the gaps in my compliance are? How do I assess my level of compliance? Where are the likely GAPs in Digital Data Protection Compliance?

Applicability of DPDPA – Hint: It applies to virtually everyone

As I mentioned in my blog on how to figure out whether DPDPA applies to a company, the answer lies in asking three simple questions:

  • Do we collect or process or store personal data of individuals?
  • Is this data currently in digital format, irrespective of how it was collected?
  • Are these individuals located in India?

If the answers to these three questions are yes, then we can be reasonably sure that we fall under the scope and jurisdiction of DPDPA.

If you are directly providing goods and services to individuals, then you are likely collecting some or all of your customers’ personal information (PII) such as names, addresses, demographics, financials, and payment information. In this case you are directly covered by the obligations of DPDPA. You are likely the Fiduciary of the PII in this case.

However, your obligations under DPDPA may not be obvious. Some non-obvious examples of companies that fall under the purview of DPDPA are companies based outside India providing services to Indian consumers, and companies providing security services at various facilities where they gather names, demographics, and contact information of individuals. Last but not least, and I covered this in my previous blog, companies paying salaries to their employees or making payments to contractors, which is every company doing business in India.

The 5 Potential Areas of Failure – Areas to Focus

There are 5 specific areas that a company needs to focus on from the point of view of complying with the requirements of Digital Personal Data Protection.

Justification

The first set of questions that we should ask ourselves is about the justification for the data. Some of these questions are: Are we justified in asking for the PII that we are asking for? Is there a business justification for this data? Is it necessary for us to hold the data that we are holding? Are there any ethical concerns with the data that we have? Are we holding more than what we need?

Consent

Once we establish the justification for the data in question, the next set of questions we have to ask relates to our authority to use this data. Do we have the Data Principal’s consent to collect and use the PII that we are using? Is the consent valid? What is the scope of the consent? Does the Data Principal have a way of managing their consent? Does the Data Principal belong to one of the protected classes, i.e. are they a child or are they handicapped?

Inventory

Ok, so we have established that we are justified in holding the PII data, and we have the consent to use it. Once we start using the data, it starts to spread within the organization. Digital data moves at the speed of light, and even with the tightest of controls it is surprising how many places digital data will travel to over time. Therefore, the next, and probably the biggest, area of Digital Personal Data Protection compliance is to make sure we have knowledge of, and visibility into, the data for which we are supposed to be responsible stewards. Some of the questions we must ask are: Do we know what PII data we are holding? Do we know where we are holding it? Is it in all the places it is supposed to be? Is it in places where it is not supposed to be? Who is in charge of this inventory?

Governance

Once we have established where the data resides, the next set of questions for assessing our Digital Personal Data Privacy compliance should pertain to the processes in place for the governance and maintenance of this data. We need to answer questions about the processes that automate workflows and bring method and transparency to obtaining, maintaining, and revoking informed consent, and to managing the use, security, and protection of data, whether the data is used by Fiduciaries or by Third Party Vendors acting as Processors.

Exceptions

And finally, as with all business processes, we have to ask ourselves whether we are geared to handle exceptions to our data handling processes, including data breaches and other unexpected events.

I have summarized the 5 areas that require our attention as stewards of PII data, and some of the questions we need to answer in order to assess our level of compliance with the requirements of Digital Personal Data Protection regulations.

If you want to know how well prepared your company is to meet these obligations, you could use this no-obligations assessment.