Navigating the Digital Personal Data Protection Act of 2023: Approach for REs and FinTech Companies
The advent of the Digital Personal Data Protection Act (DPDPA) marks a pivotal moment for the Banking, Financial Services, and Insurance (BFSI) sector, underscoring the imperative of safeguarding personal data in an increasingly digitized landscape. This legislation imposes rigorous measures and obligations on BFSI organizations, emphasizing the secure management of the personal data they collect, store, and process.
The Act assigns responsibility primarily to the “Data Fiduciary”, the entity that determines the purpose and the methods of processing personal data. Among its principal obligations are implementing comprehensive measures to protect the personal data it processes, ensuring data accuracy, and promptly responding to any communication from the Data Principal.
Until now, the absence of a regulatory framework did not require a data fiduciary to take complete responsibility for, or maintain complete oversight of, third-party data processors. That has changed: data processors are to be strictly governed by the data fiduciaries, and in case of any negligence the data fiduciary will be answerable to the Board.
Strategic Evolution of Digital Banking – Open & Embedded
The BFSI sector has undergone a rapid digital transformation, ushering in customer-centric interfaces such as internet banking, mobile banking, WhatsApp and FinTech platforms that deliver digital financial products: digital deposit accounts, digital loans, cards and digital insurance. Customer engagement across banking and financial services has been transformed as well, with onboarding through electronic Know Your Customer (e-KYC) and video KYC, automated data pulls from external sources, and so on. These transformations have been fueled by growing smartphone adoption and internet accessibility, and the sector is poised to leverage advanced technologies such as Machine Learning (ML) and Artificial Intelligence (AI) to streamline processes involving personal data and maximize the value of the data it collects.
In parallel, the new-age strategic growth imperatives adopted by banks and financial institutions, such as Open Banking, Embedded Finance and the ascent of Digital Banking, hold immense potential. To achieve digital growth, the BFSI sector depends substantially on collaborations with third-party entities for various aspects of its operations, which necessitates sharing personal information during customer onboarding and continued engagement throughout the customer life cycle.
It is crucial to recognize that the implications of the DPDPA play a pivotal role in shaping the attainment of these strategic objectives. Ensuring data protection remains at the forefront of BFSI’s endeavors is not only a legal requirement but also an ethical imperative in an era where personal data has become a valuable currency. Navigating the DPDPA requires a comprehensive understanding of its provisions and a commitment to implementing robust data protection measures. This strategic approach will not only help BFSI organizations comply with the law but also build trust with their customers, a priceless asset in the digital age.
Growing significance of the “Consent” & “Consented Data”
The emphasis on “Consent” and the concept of “Consented Data” under the Digital Personal Data Protection Act (DPDPA) is paramount in ensuring the responsible and ethical handling of personal information. The Act places stringent requirements on obtaining consent: it must be free, specific, informed, unconditional and unambiguous, alongside a limited set of “legitimate uses” such as the security of the state, responding to a medical emergency, or employment-related needs.
The act is applicable to both online and digitized offline data, including previously collected data and its extension to data processed outside India related to offering goods or services in India.
The flow of consent and consented BFSI data through the “Account Aggregator” (AA) system is a notable development in data sharing. The AA system facilitates the secure and authorized sharing of financial data between various entities with the individual’s consent. While systems like AA have improved consent and sharing mechanisms, there is still more to achieve: transparency and better control are needed across all user data systems, not just BFSI data.
Picking Right Approach for Sustainable Compliance Structure for DPDPA
A comprehensive and structured approach for organizations to navigate the intricacies of data protection compliance, specifically in the context of the Digital Personal Data Protection Act (DPDPA) of 2023, is set out in the four phases below.
Let’s delve deeper into the points for more clarity –
PHASE I – DATA DISCOVERY & PROFILING
- Identification of Journeys/Products & Data Needs:
  - Assess your current state and conduct internal team workshops to map customer journeys, products, or services concerning data touch points.
  - Create comprehensive flows to illustrate each data collection or processing point.
  - Construct a data inventory specifying personal data categories, their sources, and purposes for each journey or product.
  - Assess the legality of processing each data category in accordance with the Act’s stipulations.
- Identification of Data Processors:
  - Review contracts and documents to identify third-party data processors.
  - Document each processor’s data protection roles and responsibilities.
  - Evaluate each processor’s security measures for compliance with the Act.
  - Develop a risk framework to rank processors on their potential privacy impact.
- Identification of Data Storage & Processing:
  - Conduct a detailed data flow analysis to trace the movement of personal data across various systems.
  - Create a data map illustrating the locations and databases where personal data is stored, including data centers, cloud providers, and on-premises servers.
  - Assess data retention practices and policies, ensuring compliance with the Act’s data retrieval and erasure requirements.
- Mapping of Consent Mechanism with Data Collaterals:
  - Verify whether existing consent mechanisms align with the principles of informed, explicit, and freely given consent mandated by the Act.
  - Develop a comprehensive matrix that links each consent mechanism to the specific data processing activities it pertains to.
  - Ensure that privacy policies and terms of service clearly communicate how personal data will be used and processed, making it easily understandable to data subjects.
PHASE II – DATA IMPACT ASSESSMENT
After data discovery and recognising the data touchpoints in the first phase, entities should begin mapping the data that requires the most attention, following the process below:
- Threat Mapping:
  - Recognize potential external and internal threats to each data asset.
  - Associate each threat with the data assets it could potentially compromise.
  - For each threat, construct a profile mapping its possible impact, the probability of occurrence, and the associated data assets.
- Risk Assessment:
  - Recognize potential risks linked with data processing tasks.
  - Investigate each risk to understand its potential repercussions and the probability of it happening.
  - Organize the risks based on their potential impact and likelihood, helping to decide which risks need immediate attention.
- Data Impact Assessment:
  - Document the details of data processing, access, usage, and protection strategies.
  - Determine whether the processing aligns with the project’s objectives and whether it is proportionate.
  - Spot potential risks to individuals’ rights and estimate their severity.
  - Document the strategies to be employed to alleviate identified risks.
- Data Protection Measures:
  - Determine what data and associated risks require protection.
  - Choose appropriate data protection strategies based on data type and sensitivity.
  - Deploy the chosen measures. This could involve technical and procedural implementation.
PHASE III – BUILD DATA PROTECTION CONTROL FRAMEWORK
- Build Consent Architecture & Mechanism:
  - Establish a robust consent management system to collect, record, and manage user consents.
  - Incorporate consent mechanisms across touchpoints, such as websites and apps, to meet the Act’s requirements for informed, explicit consent.
  - Formulate clear procedures for obtaining, storing, and updating consent preferences.
  - Develop a data governance framework for managing, accessing, and protecting data.
  - Create data privacy policies that adhere to data protection principles.
  - Set up procedures for handling data access requests, breach reports, and privacy impact assessments.
- Build a Governance Framework:
  - Establish clear roles and responsibilities within the organization for data protection and privacy compliance.
  - Appoint a Data Protection Officer (DPO) as per the Act, detailing their responsibilities.
  - Ensure the DPO has adequate training to oversee data protection activities.
- Define Security Controls:
  - Institute technical and procedural security controls to safeguard personal data from unauthorized access or breaches.
  - Align data protection technologies such as encryption, access controls, and data loss prevention systems with the Act’s requirements.
  - Incorporate data security controls into agreements with data processors through contractual obligations and security standards.
- Build Oversight Management for Data Processors:
  - Set up a framework for continual oversight of data processors’ activities, ensuring compliance with the Act’s data protection standards.
  - Carry out regular audits of data processors to verify adherence to contractual obligations.
  - Develop incident response and breach notification procedures for data processors for prompt action during data breaches.
PHASE IV – IMPLEMENTATION
- Roll-out of Consent Framework:
  - Incorporate the consent management framework into existing services.
  - Embed the consent mechanism into user interfaces such as websites and apps.
  - Implement systems for obtaining and recording explicit consent at each relevant touchpoint.
  - Regularly update the consent framework to reflect changes in data processing activities and user preferences.
  - Distribute the data governance framework, privacy policies, and procedures throughout the organization.
  - Conduct training to ensure employees understand their responsibilities under these policies.
  - Develop a communication plan to update employees regularly on policy changes and emerging data privacy risks.
- Implementation of Security Controls:
  - Implement technical security controls as per the Act.
  - Configure security tools for data protection across IT infrastructure and applications.
  - Conduct testing to identify and fix security weaknesses.
  - Develop an incident response plan and train employees on their roles.
- Perform Regular Data Audits:
  - Set a regular schedule for data audits for ongoing compliance.
  - Monitor data processing activities and data flows continuously to identify deviations.
  - Regularly assess data processors’ compliance with contracts and security standards.
  - Use audit findings to improve data protection practices continuously.
  - Promote a culture of data privacy and security awareness through regular communication.
  - Ensure employee knowledge about data subject rights, DSAR procedures, and Act obligations.
Key Considerations for DPDPA Compliance Preparation
Navigating the crucial nuances of the Act demands a thorough understanding of the fundamental restructuring of protocols for Data Fiduciaries and the implications of robust consent management. Although the implementation timelines for compliance are yet to be released, entities should start preparing for their compliance journey brick by brick, and give thought to the following aspects that may be required:
- Data Minimization: Organizations must collect only the essential personal data needed for a specific purpose, aligning with the Act’s goal of restricting data processing to legitimate and necessary activities.
- Purpose Limitation: Personal data should only be used for the precise purpose for which it was initially gathered. Organizations must document these purposes and avoid repurposing data in ways that do not align with the original intent. Adherence to these principles is vital for compliance and for safeguarding individuals’ privacy rights.
- International Compliance: Compliance with multiple data protection regulations is a complex challenge for global organizations. Aligning the DPDPA with international regulations such as GDPR or CCPA is crucial. This requires a deep understanding of each regulation’s requirements and nuances and the implementation of measures that meet all applicable standards.
- Data Portability: DPDPA introduces data portability, empowering individuals to request their personal data from one service provider and transfer it to another. This enhances competition and gives individuals greater control over their information. Organizations must establish mechanisms for seamless data portability upon individual request.
- Training and Awareness: A culture of data privacy and security awareness is vital for DPDPA compliance. Organizations should invest in comprehensive training to educate employees about data protection regulations, their compliance roles, and the consequences of non-compliance. Regular communication and updates on evolving data privacy risks and best practices are essential for an informed workforce.
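As an added illustration (not code from this article or from any vendor product) of the consent architecture in Phases III and IV together with the Purpose Limitation and Data Minimization considerations above, the following Python sketch records consent per data principal and per stated purpose, supports withdrawal, and checks every processing request against both principles. The principal identifiers, purposes and data categories in it are hypothetical.

```python
# Constructed example (not the article's or any vendor's code): a purpose-bound consent
# ledger that records consent per data principal and per stated purpose, supports
# withdrawal, and checks each processing request for purpose limitation and data
# minimization. All identifiers and sample values are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple


@dataclass
class ConsentRecord:
    principal_id: str          # data principal (hypothetical identifier)
    purpose: str               # the specific purpose this consent covers
    categories: frozenset      # personal data categories the principal agreed to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of consents; withdrawal is recorded, never deleted."""

    def __init__(self) -> None:
        self._records = []  # list of ConsentRecord, oldest first

    def record(self, principal_id: str, purpose: str, categories: Iterable[str]) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, frozenset(categories), datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> int:
        """Mark all active consents for this principal and purpose as withdrawn; return the count."""
        now, n = datetime.now(timezone.utc), 0
        for rec in self._records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at, n = now, n + 1
        return n

    def check(self, principal_id: str, purpose: str, fields: Iterable[str]) -> Tuple[bool, str]:
        """Return (allowed, reason). Purpose limitation: only consent for this exact purpose
        counts. Data minimization: every requested field must be a consented category."""
        active = [r for r in self._records
                  if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None]
        if not active:
            return False, f"no active consent for purpose '{purpose}'"
        allowed = frozenset().union(*(r.categories for r in active))
        extra = frozenset(fields) - allowed
        if extra:
            return False, "fields outside consented categories: " + ", ".join(sorted(extra))
        return True, "ok"
```

A consent-management system would wrap this check around every data access so that a purpose not consented to, or a field beyond the consented categories, is refused and logged rather than silently processed.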
In conclusion, navigating the complexities of the DPDPA demands a multi-faceted approach that spans beyond legal compliance, encompassing ethical data management practices. Organizations must remain well-informed, adapt their data processes, and prioritize the safeguarding of personal data. By doing so, they not only fulfill their legal obligations but also build trust with their customers, a priceless asset in today’s evolving landscape of data privacy and security.