Planning and implementing best-practice compliance

← Back to index

The worldwide web has evolved from a read-only format to a more interactive and social media-driven format. The latter, however, poses significant challenges to security, privacy and data protection, thus becoming popular for data breaches and scandals.

Therefore, the need to have legislation in place for data protection emerged across the globe. What was needed was legislation to protect privacy and to address the challenges and security threats posed by the increased use of data. Several countries/jurisdictions immediately saw the need to deliver the best data protection standards, among them the EU with the General Data Protection Regulation (GDPR) and the US state of California with the California Consumer Privacy Act, 2018 (CCPA).

India’s Digital Personal Data Protection Act, 2023 (DPDP), is new and yet to be tested. Earlier iterations of the DPDP (from 2017 onwards) were borrowed learnings from the EU and US. The current act is simple yet heavily based on compliance. The rules under the act have yet to be formally released, and entities are cautious, but prepared for what could be the potential pitfalls of the DPDP. We have created a conceptual note with guided compliance strategies for entities to proactively measure their standards against the DPDP.

Data processing contract

Entities sharing collected personal data with third-party data processors must ensure that a data processing contract is in place. Ordinarily, the data processing contract must set out:

1. Subject matter and duration of processing;
2. The type of personal data shared for processing;
3. The way the data shall be processed;
4. Purpose of processing; and
5. Rights and obligations of the data principal, data fiduciary and the data processor.

A data processing contract must include among its clauses the following:

1. Data shall be processed only on documented instructions of the data fiduciary;
2. Duty to maintain confidentiality;
3. Undertaking appropriate security measures to prevent data breaches;
4. Assisting in fulfilling a data fiduciary’s obligations towards the data principal;
5. Deleting or returning personal data shared by the data fiduciary immediately after completion of services; and
6. Audit and inspection by a data fiduciary.

Identified and unidentified users

Consent differs for identified and unidentified users. When users submit any form of data on a digital platform, they would generally be classified as identified users, i.e. signing up for a promotional email or newsletter. The rest are classified as unidentified users. Unidentified users are given cookie banners with various forms of selections.

In the case of identified users, both “opt in” and “opt out” choices must be provided. The “opt in” model enables the data principal to make informed decisions. This is a low-risk compliance strategy as it stresses obtaining meaningful consent from the data principal.

In “opt out”, the data principal is informed about privacy invasive practices with an option to broadly object to the same. Unless there is a strict objection, there is a default assumption that the data principal has agreed to the said data activity.

A hybrid “opt in” and “opt out” model where the data principal can “opt in” to receive information through SMS, but “opt out” of e-mails, newsletters, etc., is a preferred option. This can be done by providing the data principals with the option to customise consent preferences.

Cookie compliance

A best-practice strategy is to display a cookie consent banner immediately when the digital platform has been accessed. Prior consent is not necessary for strictly necessary cookies, but the purpose of tracking should be explicitly mentioned to the data principal.

It is important to ensure that third-party cookies are auto-blocked, as prior consent is mandatory for allowing third-party cookies. The DPDP explicitly prohibits tracking or behavioural monitoring of children, or targeting them with advertising. Therefore, when a child’s personal data is processed, entities shall not place preference cookies, statistics cookies and marketing cookies onto the device.

Data mapping

Data mapping is the process that identifies and verifies data processing to understand the way the data flows in an organisation. As a compliance functionary, every data fiduciary and data processor must map every single piece of information that is collected, stored, shared and processed. Data mapping training via certification courses should be provided to employees.

Data minimisation

As a practice, every data fiduciary should limit the collection of data to what is relevant, necessary and essential for the provision of services to the data principal. Additionally, such data should be retained only until the purpose has been fulfilled. For example, details such as PAN (permanent account number) card and passport would neither be relevant nor essential to an aggregator for the delivery of a T-shirt to a data principal. At best, the aggregator will need the contact information of the data principal to ensure smooth delivery of the T-shirt, after which the contact information must be deleted.

Conclusion

The DPDP provides for penalties up to INR2.5 billion (USD30.2 million) on breach of provisions. The employees involved in processing the personal data play a key role in preventing data breaches and regulatory investigations. Educating employees about the various provisions of the DPDP and using techniques like data mapping to understand the flow of data is vital.

Another compliance tool in which to invest is a robust cybersecurity mechanism. This can play a role in preventing data breaches, which can carry heavy costs. Co-ordination between IT, cybersecurity, legal, and marketing and other teams is essential to ensuring smooth implementation of practices and strategies and the immediate reporting of breaches.

← Back to index