Digital Personal Data Protection Act 2023
The recently passed Digital Personal Data Protection Act 2023 addresses legitimate concerns about how our personal data is managed and used.
In recent years, the financial ecosystem has also undergone significant transformations, revolutionizing the way we access and use financial services. While the potential benefits of personal data are substantial, concerns about privacy and security have grown in tandem with the collection, storage, and utilization of such data. Unauthorized access, data breaches, and misuse of personal information have raised privacy issues and eroded trust in businesses’ data practices.
This ground-breaking legislation establishes a robust framework for the responsible handling of data, fostering a secure environment for data sharing in India. The Act provides detailed guidelines that are applicable across various sectors and industries, ensuring the effective management of personal data.
Its core objectives include giving individuals enforceable rights over their personal data, establishing stringent standards for data processing and handling, and imposing penalties that promote a culture of strong compliance. The Act represents a significant step toward ensuring data security and privacy in an increasingly digital world.
Brief Highlights of the Act
The Act applies to personal data in digital form, whether collected directly in digital format (for example, where customers enter their details in an application), retrieved through APIs from other data sources, or collected in physical form and subsequently digitized (for example, information extracted from scanned images and stored electronically). Personal data means any data about an individual who is identifiable by or in relation to such data.
Some key categories of personal data:
- Identity Data – Name/Address/Aadhaar/PAN Card etc.
- Financial Data – Bank A/c Details/Insurance Details/PF Data
- Mobile App Permission – Contacts, Location, Camera etc.
- Cookies and trackers on websites – browsing and visit history
Factors to be considered for processing personal data:
- Have a clear purpose for processing
- Get Data Principal’s consent for each purpose
- Provide Notice for the data being processed
- Collect & Limit Usage of data only to specified purposes
- Delete the data once the purpose has been served, and allow the Data Principal to withdraw consent at any time
The Key Participants of the DPDPA 2023 are around:
- Data Principals – the individuals to whom the personal data relates
- Data Fiduciaries – Banks/NBFCs/FIs that determine the purpose and means of processing personal data
- Data Processors – FinTechs and other third-party entities that process personal data on behalf of a Data Fiduciary
For instance, consider a partnership between a bank and an ATM switch provider. The bank opens an account and shares the data with the outsourced company or switch partner, which then generates the card number and facilitates ATM transactions. In this scenario, the bank assumes the role of a data fiduciary, while the switch provider operates as a data processor.
Significant Data Fiduciary: The Central Government may designate a Data Fiduciary, or a class of Data Fiduciaries, as a "Significant Data Fiduciary" based on factors such as the volume and sensitivity of the personal data it processes and the risk to the rights of Data Principals.
Significant Data Fiduciaries carry additional obligations, and given the volume and sensitivity of the data they handle, banks are likely candidates for this classification. However, the determination ultimately rests with the Central Government, and notifications on this matter can be expected in due course.
Obligations of Significant Data Fiduciary:
- Appoint a Data Protection Officer, who must be an individual based in India
- Appoint a Data Auditor to assess Data Fiduciary compliance through a data audit.
- Implement measures for Periodic Data Privacy Impact Assessments, adhering to the Act.
Consent Management: Central to DPDPA
Consent can be defined as an individual’s voluntary, informed, and clear agreement to allow a data fiduciary (an entity that collects and manages personal data) to process their personal information for specific purposes.
Consent management involves the establishment of clear and effective mechanisms by data fiduciaries to obtain, record, and manage this consent. It ensures that data principals are fully informed about the data processing activities and have the ability to exercise their rights related to their personal data. Effective consent management is a fundamental element of data privacy regulations, and plays a crucial role in building trust between data fiduciaries and data principals.
Actions for Data Fiduciary to build mechanism for Consent Management:
- Ensure the accuracy and completeness of data
- To provide notice to data principals regarding data being processed and purpose for the same
- Notice should be easily understandable and must be in multiple languages
- Find efficient ways, such as email or in-app alerts, to notify users about personal data that was collected before the Act came into force and the purposes for which it is being processed.
- Make users aware regarding their rights and duties and to make complaints
- Obtain consent that is free, explicit, specific, informed, unambiguous and unconditional, given through a clear affirmative action
- For Children below 18 years of age, or Individual with Disability consent will be provided by the parent or the legal guardian.
- Erase personal data as soon as the purpose has been met
- In case of a personal data breach, have a mechanism to inform the Data Protection Board and each affected Data Principal in a timely manner
Consent Manager: A Consent Manager serves as a single platform through which Data Principals can give, review and control their consent transparently and interactively. A Data Fiduciary may operate a Consent Manager itself or engage a third-party Consent Manager.
Role of Consent Manager:
- The Data Principal may Give, Manage, Review or Withdraw her consent to the Data Fiduciary through a Consent Manager
- The Consent Manager acts on behalf of, and is accountable to, the Data Principal in the manner prescribed.
- A Consent Manager must be registered with the Board and must meet the prescribed technical, operational and financial conditions.
- The burden of proving that notice was given and consent obtained rests with the Data Fiduciary.
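The consent-management mechanism described above (consent obtained per purpose against a specific notice, withdrawal at any time, erasure once the purpose is served, guardian consent for children, and evidence the fiduciary can produce on demand) can be reduced to a small purpose-bound consent ledger. The following is an added illustration written for this page; it is not code from the original article, the Act, or any Consent Manager product. The in-memory store, the identifiers and the sample customer records are constructed for the example, and a production system would additionally persist the ledger in tamper-evident storage and expose it to the Data Principal's chosen Consent Manager.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent event, scoped to a single purpose so it can be withdrawn on its own."""
    principal_id: str
    purpose: str
    notice_id: str           # identifies the notice text shown; the fiduciary must be able to prove this
    given_by: str            # the principal, or a parent/lawful guardian when the principal is a child
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentDenied(PermissionError):
    """Processing was attempted for a purpose the Data Principal has not consented to."""


class ConsentLedger:
    """Append-only consent ledger with purpose-bound access to the personal data it guards.

    Hypothetical in-memory implementation constructed for this example.
    """

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        # personal data keyed by (principal, purpose); erased when consent for that purpose ends
        self._data: dict[tuple[str, str], dict] = {}

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def record_consent(self, principal_id: str, purpose: str, notice_id: str, *,
                       is_child: bool = False, guardian_id: Optional[str] = None) -> ConsentRecord:
        """Record consent for exactly one purpose, tied to the notice the principal saw."""
        if is_child and not guardian_id:
            raise ValueError("a child's consent must be given by a parent or lawful guardian")
        rec = ConsentRecord(principal_id, purpose, notice_id,
                            given_by=guardian_id or principal_id, given_at=self._now())
        self._records.append(rec)
        return rec

    def _latest(self, principal_id: str, purpose: str) -> Optional[ConsentRecord]:
        # newest record wins, so a withdrawal followed by fresh consent is honoured
        for rec in reversed(self._records):
            if rec.principal_id == principal_id and rec.purpose == purpose:
                return rec
        return None

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        rec = self._latest(principal_id, purpose)
        return rec is not None and rec.active

    def store(self, principal_id: str, purpose: str, data: dict) -> None:
        """Collect data only against an active consent for exactly this purpose."""
        if not self.has_consent(principal_id, purpose):
            raise ConsentDenied(f"{principal_id}: no active consent for purpose {purpose!r}")
        self._data.setdefault((principal_id, purpose), {}).update(data)

    def process(self, principal_id: str, purpose: str) -> dict:
        """Release data for a purpose; consent for one purpose never covers another."""
        if not self.has_consent(principal_id, purpose):
            raise ConsentDenied(f"{principal_id}: no active consent for purpose {purpose!r}")
        return dict(self._data.get((principal_id, purpose), {}))

    def _end_processing(self, principal_id: str, purpose: str) -> None:
        rec = self._latest(principal_id, purpose)
        if rec is not None and rec.active:
            rec.withdrawn_at = self._now()
        self._data.pop((principal_id, purpose), None)   # erase, do not just flag

    def withdraw(self, principal_id: str, purpose: str) -> None:
        """Data Principal withdraws consent: stop processing and erase data held for that purpose."""
        self._end_processing(principal_id, purpose)

    def purpose_served(self, principal_id: str, purpose: str) -> None:
        """Fiduciary-side retention limit: erase as soon as the specified purpose is fulfilled."""
        self._end_processing(principal_id, purpose)

    def held_for(self, principal_id: str) -> dict:
        """Right to access: what is held about a principal, grouped by purpose."""
        return {p: dict(d) for (pid, p), d in self._data.items() if pid == principal_id}

    def proof_of_consent(self, principal_id: str, purpose: str) -> Optional[dict]:
        """Evidence for an audit: which notice was shown, who consented, when, and whether it still stands."""
        rec = self._latest(principal_id, purpose)
        if rec is None:
            return None
        return {"notice_id": rec.notice_id, "given_by": rec.given_by,
                "given_at": rec.given_at.isoformat(), "active": rec.active}


if __name__ == "__main__":
    ledger = ConsentLedger()
    # constructed sample: a customer consents to account servicing, not to marketing
    ledger.record_consent("cust-1001", "account_servicing", "notice-2024-01")
    ledger.store("cust-1001", "account_servicing", {"pan": "XXXXX0000X"})  # dummy value
    print(ledger.process("cust-1001", "account_servicing"))
    try:
        ledger.process("cust-1001", "marketing")
    except ConsentDenied as e:
        print("denied:", e)
    ledger.withdraw("cust-1001", "account_servicing")
    print(ledger.held_for("cust-1001"))
```

The points the example is built around: consent is keyed by purpose, so a cross-sell campaign cannot reuse data collected for account servicing; withdrawal and purpose completion both erase the data rather than merely flagging it; a child's record must carry a guardian; and `proof_of_consent` is the artefact the fiduciary hands to a Data Auditor or the Board, since the burden of proof sits with the fiduciary.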
Rights & Duties of Data Principals:
- Right to Grievance Redressal: The data fiduciary & consent manager must respond to grievance of Data Principal within a prescribed time frame.
- Right to Nominate: Nominate any other individual, who shall, in the event of death or incapacity of data principal, exercise the rights of the data principal
- Right to Access Information: Obtain a summary of the personal data being processed and the processing activities, and, where the data has been shared, the identities of the other Data Fiduciaries and Data Processors it was shared with.
- Right to Seek Correction: Data Principal can reach out to Data Fiduciary in order to exercise their right to correct, complete, update and erasure of their personal data
- Right to Withdraw Consent: Data Principals have the right to stop further processing by withdrawing their consent, which may be done through a Consent Manager.
The advent of the Digital Personal Data Protection Act (DPDPA) marks a pivotal moment for the Banking, Financial Services, and Insurance (BFSI) sector, underscoring the imperative of safeguarding personal data in an increasingly digitized landscape. This legislation imposes rigorous measures and obligations on BFSI organizations, emphasizing the secure management of the personal data they collect, store, and process.
Given the substantial volume of customer data the BFSI industry holds, proactive compliance with the DPDPA is paramount. The directives below guide BFSI entities in aligning their practices with the DPDPA's principles across areas such as consent management and cybersecurity, so that they can navigate data protection requirements and maintain customers' trust.
Let’s delve deeper into the structural impact that entities will undergo:
- Data Identification: It is imperative to identify all the data collected to date, including historical data, and the purposes for which it was collected. Determine the current location of this data, whether it resides with the banks or third-party vendors, and the system in which it is stored. Identify which processor is responsible for maintaining the data or if it is held by any technical partner. Additionally, ascertain the availability of consent records for the collected data.
- Consent Management: Develop a transparent mechanism for obtaining consent, create the necessary technology for consent acquisition, and establish procedures for notifying data principals. Challenges may arise when seeking consent for previously collected data, which can impact the organization at various levels.
- Data Impact Assessment: Understand the risks, breaches, and threats associated with potential data misuse. Identify the level of impact that different scenarios could have.
- Data Audit: Organizations must define technical and people-related controls to enhance data protection. Ensure that data minimization processes are consistently followed, and each unit monitors and maintains records of data processing activities.
- Organizational Impact: If banks are designated as Significant Data Fiduciaries, they will need to appoint a Data Protection Officer (DPO). This adds a further approval authority alongside the existing Compliance Officer, Risk Officer and Chief Information Security Officer (CISO), and product managers who already seek sign-off from those heads will also need the DPO's approval. The DPO will play a pivotal role in driving technology and product changes and will hold an influential position within the organization.
- Technology Impact: Organizations will face significant technological challenges, particularly in developing a robust consent framework and security controls. The impact will extend to interconnected internal technologies, such as API interfaces. Entities must also establish a control mechanism for strict oversight of data processors.
- Product Design-Level Impact: Customer digital journeys will change, as organizations must now give clear notice for each data point collected. For instance, when a newly installed app requests access to location, camera, microphone and so on, the entity must state in plain and specific terms the purpose for which each access is requested. Entities will need to review the personal data they collect and eliminate collection that is not needed for a stated purpose. This affects cross-selling strategy, since data collected for one purpose cannot be used for promotional messages or product offers without explicit consent for that purpose. These changes cut across multiple layers of the product.
- Risk Management Impact: While entities already have operational risk management in place, they must begin factoring in challenges stemming from previously collected data. Entities must ensure that self-control assessments are conducted for each unit, product team, and technology team. They should actively manage data-related risks, continue monitoring, and report on risk-related activities.
Overall, the DPDPA will require banking and financial institutions to invest in data protection infrastructure, processes, and training to ensure they comply with the Act’s provisions and protect the privacy and security of their customers’ personal data. Failure to do so can result in significant financial penalties and damage to their reputation.