Globalization, social networking, outsourcing, adoption of cloud technologies, and cross-border data flows are some of the prominent reasons why data collection and sharing are ubiquitous in this digital age. Many countries have realized the importance of protecting and preserving the sensitive and personal data of their citizens and have enforced privacy regulations, to name a few, the EU’s GDPR, California’s CPRA, Canada’s PIPEDA, Brazil’s LGPD, Australia’s Privacy Act, China’s PIPL and more. There are also several sector-specific data protection laws that cover personal and sensitive data, such as HIPAA, GLBA, SOX, FISMA, and COPPA. These regulations, laws, and acts define the obligations organizations must meet to demonstrate compliance with data privacy legislation.
On 11th August 2023, the President of India gave assent to the Digital Personal Data Protection (DPDP) bill, and it is henceforth known as the Digital Personal Data Protection (DPDP) Act, 2023. The Act shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint, and different dates may be appointed for different provisions of the Act.
But this doesn’t stop organizations from gearing up and beginning preparation to demonstrate compliance with this law. DPDPA 2023 applies to:
- Entities who collect (Data Fiduciaries) and process (Data processors) personal data (in digitized form) of persons (Data Principal) in India
- Foreign entities that collect and/or process personal data of data principals in India
- Foreign entities that collect and/or process personal data of data principals outside India
Organizations must create a privacy program and ensure that their third parties comply with this standard.
Third-Party Risk Management (TPRM) is a program that provides a systematic and methodical way to manage the risk arising from third parties. Along with security, privacy implications need to be factored in when engaging and availing services from third parties. Most privacy frameworks, including India’s DPDPA, are built on a common set of privacy principles that govern the privacy requirements:
- Principles supporting data principal (data subject in GDPR) – Notice, consent, access, and correction.
- Principles supporting data fiduciaries – Collection limitation, usage limitation, and quality of data (accurate, complete, and up to date).
- Principles supporting security and enforcement – Security controls (technical and organizational) measures, enforcement, and liability.
When deriving the Inherent Risk exposure of third parties, organizations need to classify data and consider applicable regulations, geographies (including notified countries), security architectures, data flows and supporting technology, and integrations. Create a minimum security and privacy baseline against which the Inherent Risk is evaluated; the resulting rating determines the level of security and privacy due diligence required. Some of the key privacy data points to consider are:
- Individual privacy data elements that constitute Personal data
- Existing privacy programs that align with the principles of DPDPA and are demonstrated by policies and procedures
- Tracking usage and access to personal data
- Privacy architecture and Data Flow Diagrams (DFD)
- Cross-border data flows
- Third Party’s compliance with applicable privacy regulations
- Scope of Privacy Impact Assessments
- Frequency of Privacy Impact Assessments
- Privacy awareness and training for all Business Units and corporate functions
- Privacy incident and breach management (notifications, incident management and monitoring)
- Notification and reporting to regulatory bodies and tracking past regulatory fines for breaches
- Inclusion of necessary privacy clauses in contracts
- Inventory of personal data: type, volume, and individual data elements; the business units, processes, and functions that have access to the data; how and where the data is stored; a data access map; the systems that hold personal data; the process to identify and declare personal data; and who is accountable for the personal data that is collected or processed
- Privacy function in the third party must follow and meet compliance requirements, draft a policy covering the defined scope, define processes for deployment and operations, establish a reporting hierarchy to take up privacy initiatives and drive operations, and define roles and responsibilities (indicating RACI)
- A well-defined and comprehensive privacy policy that gives clear definitions of privacy terminology, the privacy principles the organization aligns to, whether the organization is a Data Fiduciary, a Data Processor, or both, the current baseline it adheres to, a Privacy Impact Assessment exercise that is conducted periodically, the approach to address gaps, awareness and training, management commitment to support the privacy function, accountability, enforcement, annual review of the policy, consequences of non-compliance, and a roadmap of privacy initiatives
- Assurance to external stakeholders that all applicable laws and regulations (functional and geographic) are practiced. Demonstrated tracking, adoption, and implementation of changes to regulations. Compliance with the privacy breach notification requirements enforced by regulators and obligations towards legal authorities. Liability and indemnity determined in consultation with the legal team. Use of, or subscription to, regulatory notice and analysis services
- Demonstrated existence of technical and organizational measures in the contracts under the privacy and security exhibit. Evidence of compliance with regulatory provisions addressing cross-border data transfer. Definitions of contract and privacy terms that reference privacy laws and regulations. Review of contract management best practices such as annual review of contracts, enforcing updated language in existing contracts, and conducting periodic audits. Inclusion of authorized communication channels, POCs, and a RACI matrix to manage communication during incidents and breaches. Maintenance of a centralized inventory of contracts
- Mutually agreed SLAs on incident notification, response, resolution, and information sharing on the root cause and lessons learned. Technologies used to detect privacy compromises, such as logs from systems, networks, security devices, applications, and messaging infrastructure. A mechanism to detect, identify, analyze, and declare privacy incidents, followed by treatment, documentation, and effective communication via a functional incident management plan. An established relationship with law enforcement agencies. Data processors should be able to support the data controller by following the breach notification requirements. Current use of technology to identify, track, and pre-empt attacks
- Data collection that happens in line with the stated purpose, with clearly defined use limitations. Mapping of users having access to data to ensure valid access requirements. Rules outlined to restrict data collection and data usage. Recording, tracking, and monitoring of the means of data sharing (cloud storage, removable media, endpoints, mobile devices, CCTVs, etc.), and access management best practices that allow logging and tracking
- Evidence of periodic privacy awareness and training for target audiences (business, functions, projects, support), considering the criticality of data and the legal, compliance, and liability requirements. Incorporation of privacy training into the Learning Management System (LMS) and measurement of the efficacy of the privacy training conducted
- Demonstrated security safeguards and controls implemented to secure personal data, the security of the environment where the data resides, and the operations performed on personal data. Incorporation of principles such as Privacy by Design and privacy-enabling technology by integrating with IT and security initiatives. Use of technology for data minimization, data scrambling, data encryption, data obfuscation, etc. Use of privacy frameworks and regulations such as the DSCI Privacy Framework (DPF), GDPR, CCPA, PIPEDA, LGPD, etc.