Managing Data Privacy in Compliance with Law

The landscape of personal data protection in developing countries

Historically, personal data has often been one of the most overlooked and undervalued assets in many developing regions. Many uninformed customers often share their personal data without a second thought when using mobile apps or websites to access services.

Some organizations have been interpreting consumers' brief, vague consent as a lifelong permission to use personal data in ways beyond what was originally implied. Datasets are being shared among organizations and individuals without any control or governance mechanisms in place.

Fortunately, governments are taking action to protect the rights of legitimate data owners.

To harness data for research, economic growth, and societal benefits, it is crucial to establish robust data governance policies and laws across countries before the challenges become unmanageable.

The Digital Personal Data Protection (DPDP) Act, 2023

In mid-2017, in an initiative similar to the EU GDPR, the Government of India appointed Justice B.N. Srikrishna, a former Supreme Court judge, to lead a committee of experts tasked with developing a legal framework for data protection and privacy in India.

The committee was tasked with providing specific recommendations to the Central Government on the principles for data protection in India and drafting a data protection bill for consideration.

Until now, data protection in India was governed by the Information Technology Act, 2000, which proved insufficient. In response, the committee submitted its report in 2018, leading to the introduction of the Personal Data Protection Bill, 2019 in the Lok Sabha. However, following the Joint Parliamentary Committee's report in 2021, the bill was withdrawn. Subsequently, after a draft bill was released, the Digital Personal Data Protection Bill, 2023 was introduced on August 3, 2023.

The bill was passed by both Houses of Parliament, and the President of India gave assent on August 11, 2023. It has now become law, officially titled the Digital Personal Data Protection Act, 2023 (No. 22 of 2023, dated August 11, 2023).

What does the Digital Personal Data Protection Act entail, and what does it mean for you?

A person/entity may process the personal data of an individual only for a lawful purpose for which such individual has given or is deemed to have given his/her consent in accordance with the provisions of this Act.

The Personal Data Protection Bill is a commendable and timely step towards data protection, particularly given India's significant contribution to global internet traffic.

While protecting the rights of individuals over their personal data is crucial, it's also important to create an environment where data can be used with proper consent to benefit industries, governments, and society as a whole.

The key features of the bill are as follows:

  • To protect digital personal data;
  • To outline conditions for processing personal data;
  • To impose general and, in some cases, specific obligations on entities that process personal data;
  • To define the responsibilities of individuals when exercising their rights and sharing their personal data for specific purposes;
  • To establish a framework to facilitate the swift and efficient implementation of the legislation;
  • To impose penalties for violations and non-compliance as per the legislation.

What role can technology play?

The positive news from a technological standpoint is that there are numerous "commercial off-the-shelf" AI and machine learning tools available to help swiftly meet the proposed guidelines.

However, effective AI relies on making data simple and accessible, and an enterprise-wide data dictionary could serve as a valuable starting point.

This approach allows everyone in an organization to refer to a single, consistent definition of data. When data is accessible and straightforward, strategy and operations can align more effectively, fostering a more transparent and trustworthy organization.

One outcome could be developing a detailed yet clear definition of how citizen data can be used for multichannel campaigns, which would help organizations comply with the DPDP Act.

AI and ML tools can now automate the mapping of new laws to an enterprise’s business glossary. What once took months to achieve manually, with the risk of human error, can now be accomplished in just a few days.

These tools also enable tasks that were previously not possible, such as automatically alerting enterprises to areas where they might be continuously violating parts of the law, rules, or by-laws. This is particularly useful given that legal amendments are frequently made by government bodies.

A strategic "Data Governance" platform can be deployed to both accelerate readiness and compliance with data privacy laws and to sustain it over time.

Conclusion

Smart organizations will quickly recognize this as an opportunity to leverage the DPDP Act to establish an enterprise-wide data governance platform, using it as a differentiator to assure customers of their commitment to ethical business practices.

In the future, this platform could become a key factor in distinguishing between winners and losers, serving as a source of sustainable competitive advantage.

We need to prioritize work streams and adopt a standard privacy methodology, using a "Privacy by Design" approach both internally and in all client engagements.

Disclaimer: The information provided is sourced from the internet and reflects personal opinions.




Moupia De

Helping enterprises leverage AI to enhance Decision Making | Everything Data | Data & AI Pre-Sales @IBM | Ex-Citi | IIM Kozhikode - AI&ML

2 months

Late response but well written Prabhat. A very pertinent point captured on "Strategic Data Governance". While DPDP aptly captures the Personal Data Privacy essentials, there are so many more sensitive and confidential data classes that enterprises deal with which need their attention.

Thanks Prabhat for penning down your thoughts!! We need more discussions on this subject and make it real for businesses!! Tushar Haralkar

Your blog on data privacy is extremely informative! If you’re interested in learning more about integrating data privacy measures into your processes, we offer a specialized course on this topic. For more details, please visit our website: www.infocerts.com.
