In our last blog, we covered the key terminology of the Digital Personal Data Protection Act (DPDPA). Those terms are the most important ones an organization preparing to implement the DPDPA needs to understand. Now, let's dive deeper and understand how to actually implement the DPDPA.
One of the key aspects of managing a strong data privacy infrastructure is being aware of, and properly documenting, the organization's processing activities. The Digital Personal Data Protection Act (DPDPA) casts a spotlight on this aspect. Data processing activities are no longer the sole concern of the respective department heads. The key takeaways from data processing activities and the potential risks arising from them must be communicated to upper management to ensure ample time and resources for mitigation. Generally, a data protection officer (DPO) is responsible for such activities.
Indian organizations are still exploring effective ways to comply with the DPDPA. A good starting point is preparing an inventory of processing activities. This document must be designed so that it clearly communicates what personal information the organization processes and how it is processed. Below are some of the key elements of the inventory of personal information:
- State the personal data collected: The process must begin with identifying what personal data the organization collects and processes, for example name, address, identification documents and health information. Remember that personal information is any piece of information that can help identify a natural person. For granularity, the organization can also segregate the data into personal information and sensitive personal information. Data such as biometric information and health records are classified as sensitive personal data.
- Determine which departments process the personal data and how it is processed: It is always good practice to determine which departments are responsible for processing personal data and the processing methods they apply to it. Departments such as marketing, KYC and HR are generally entrusted with the safekeeping and processing of personal data. It is also necessary to determine what processing activities the organization carries out. For example, the marketing department might use an automated tool to determine consumer spending behavior, which inevitably subjects customers' personal data to automated processing.
- Consent management: The DPDPA explicitly requires organizations to obtain consent from individuals before processing personal data, so wherever data is being processed, consent must have been obtained. When preparing the inventory of processing activities for the first time, incorporating consent management into it will help the organization confirm that consent has been obtained from data subjects. It will also help uncover processing areas where consent is missing, so that consent can be obtained in a timely manner.
- Involvement of third parties: There can be instances where the organization has outsourced processing activities. Regardless of how the data is processed or which third party is enlisted for assistance, the organization handling the personal data remains ultimately accountable. Therefore, it is imperative to list the third parties involved in processing activities.
- Retention period: The DPDPA states that once the purpose of data processing has been fulfilled and the data is no longer required, it must be erased. The data can, however, be retained for the specified purpose or for compliance with any law for the time being in force. Therefore, the organization must exercise its best discretion and apply the retention laws in force at the time to decide which pieces of personal information must be retained.
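The inventory elements above translate naturally into a structured record with a gap check. The following is an added example, not part of the original post or of any Securitybulls framework: each inventory row captures department, data items, consent, automated processing, third parties and retention, and a review function flags the gaps the post says the inventory should surface. The department names follow the post; every other value is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Categories the post classifies as sensitive personal data (constructed set).
SENSITIVE_CATEGORIES = {"biometric", "health record"}


@dataclass
class ProcessingActivity:
    """One row of the inventory: who processes what, how, and on what basis."""
    department: str
    data_items: List[str]                        # personal data categories processed
    consent_obtained: bool                       # DPDPA requires consent before processing
    automated: bool = False                      # e.g. automated profiling of spending behaviour
    third_parties: List[str] = field(default_factory=list)
    purpose_fulfilled_on: Optional[date] = None  # when the processing purpose ended
    retention_days: int = 0                      # legal retention period after that, if any


def review_inventory(activities: List[ProcessingActivity], today: date) -> List[Tuple[str, str]]:
    """Flag the gaps the inventory is meant to surface: missing consent, sensitive
    data, automated processing, outsourced processing and data past its retention period."""
    findings = []
    for a in activities:
        if not a.consent_obtained:
            findings.append((a.department, "consent missing"))
        if SENSITIVE_CATEGORIES & set(a.data_items):
            findings.append((a.department, "sensitive personal data"))
        if a.automated:
            findings.append((a.department, "automated processing"))
        if a.third_parties:
            findings.append((a.department, "third party: " + ", ".join(a.third_parties)))
        if a.purpose_fulfilled_on is not None:
            # Purpose fulfilled and any legal retention period elapsed: data is due for erasure.
            erase_by = a.purpose_fulfilled_on + timedelta(days=a.retention_days)
            if today > erase_by:
                findings.append((a.department, f"retention exceeded on {erase_by}"))
    return findings


# Constructed sample inventory; the third-party name is a placeholder.
SAMPLE_INVENTORY = [
    ProcessingActivity("Marketing", ["name", "address"], consent_obtained=True, automated=True),
    ProcessingActivity("KYC", ["identification document"], consent_obtained=True,
                       third_parties=["outsourced-verifier (placeholder)"],
                       purpose_fulfilled_on=date(2023, 1, 1), retention_days=365),
    ProcessingActivity("HR", ["name", "health record"], consent_obtained=False),
]

if __name__ == "__main__":
    for dept, finding in review_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"{dept}: {finding}")
```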
The above points form some of the key elements of an inventory of processing activities. However, the organization must assess its own data privacy infrastructure and customize the inventory accordingly. The essence of preparing an inventory of processing activities is to have a centralized document from which the various processing activities, and the personal data mapped to them, can be determined. This document will also assist stakeholders in analyzing risks and performing assessments. For a thorough analysis, the organization can also consult a data privacy expert. Securitybulls helps its clients unravel the complexities of data privacy and move past compliance dead ends. It uses effective frameworks to locate data privacy loopholes and assists organizations with actionable points.