Why is Data Privacy and Protection required?
Can you send me some money urgently?
One of my former colleagues saw this message pop up on her WhatsApp feed.
It happened not once. Twice!
Someone took my LinkedIn picture and reached out to my ex-colleague on WhatsApp, asking her to swiftly handle a transaction for me. The phone number was not mine, but the person had access to my picture and knew the organization where I worked and my colleagues’ names. Of course, my colleague didn’t fall prey to it. She immediately called me on the phone to inform me.
I realized that there are two breaches here – One, my personal profile was impersonated with my profile picture. Two, the impersonator had somehow connected me to my ex-colleague.
The other case happened with my cousin earlier this year. He got a call from someone who called him by his name and mentioned his teenage daughter’s name and the institute where she was studying in another city.
The caller said that his daughter and a couple of other students had been caught while performing some illegal act. He was asked to pay a fine of a hefty sum to bail them out of the situation. When my cousin asked to speak with his daughter, a female voice came on the phone crying inconsolably, so he couldn’t even recognize the voice. The caller hung up saying they would call again. My cousin tried to call his daughter on her mobile, but the phone was not answered. He panicked completely and was deciding what to do next. Thankfully, his daughter called back after an hour wondering why her father had called. She was in the classroom so could not take the call. After talking to her he was relieved that she was safe and nothing bad had happened.
A few other cases include a woman in Chandigarh who lost over ₹11 lakh and a retired RBI employee who lost ₹49 lakh. A Bengaluru woman was scammed of ₹2 crore after being told her son was in danger.
Imagine the chaos and the panic. And the real reason why it is happening!
The first and foremost reason is we are living in a digital world.
Our digital data is ‘us’.
A lot of our personal data is lying everywhere, on different public sites, with different companies, on different servers, in different locations.
If this data falls into the wrong hands they can take over your life, they can “become you”.
People can impersonate you, forge the documents, take your identity, apply for loans, vanish with the money and you are left with either having to pay for the loan or battle the lawsuits.
When there was no DPDPA or any such Act, companies could freely access any data without much restriction. Personal privacy was not protected. You had no control over your data.
DPDPA tries to correct this situation.
What is DPDPA?
DPDP Act refers to India’s Digital Personal Data Protection Act, 2023, a landmark law regulating how organizations process digital personal data.
DPDPA places you, the individual, in the driver’s seat. DPDPA requires that companies follow strict rules while handling digital information. Examples of personal data include details such as names, addresses, phone numbers, email IDs, biometric data, account numbers, or even photos.
Very often, companies need to gather your personal data to provide you products and services. An example is e-commerce websites, which need to know your name, phone number, delivery address and online payment details to deliver the products you ordered at your doorstep. They end up storing this data for Quick Commerce, which needs speed and a hyperlocal focus to give customers a quick turnaround time and quick gratification.
Another example is that of banks that need to do KYC checks (name, gender, age, address and other details) to provide banking services to you.
DPDPA tries to strike a balance between protecting privacy rights and allowing necessary lawful use of the data. It tries to slow things down and introduce deliberation so that appropriate privacy steps are introduced right at the inception. For example, for certain transactions providing an Aadhaar card may be mandatory, but instead of showing the completely unfiltered data, the ID can be masked.
What are different roles in DPDPA?
To get slightly technical, we will look at the terms used in the law.
- Data Principal (Data Subject): The individual to whom the personal data belongs (e.g., a customer, user).
- Data Fiduciary (Data Controller): The entity that decides the purpose and means of processing personal data (e.g., a company, bank).
- Data Processor: The person or entity that processes data on behalf of the Data Fiduciary to provide certain services (e.g., an airline, or a products company).
- Significant Data Fiduciary (SDF): A Data Fiduciary who is processing a large amount of data and therefore has more responsibilities.
- Data Protection Officer (DPO): An officer appointed by an SDF in India to oversee data protection compliance.
- Consent Manager: A registered entity that helps Data Principals give, manage, and withdraw consent.
- Data Protection Board of India (DPBI): The regulatory body that enforces the Act, adjudicates complaints, and imposes penalties.
These terms will be used often throughout the series of DPDPA articles that my colleagues and I are writing.

