In today’s digitally driven world, privacy for the board underscores the critical importance of data privacy, with a focus on the Digital Personal Data Protection (DPDP) Act’s impact on enterprises in India, according to a report by Deloitte-CII. The report outlines the growing significance of data privacy for safeguarding individual rights and building consumer trust, India’s increasing data dependence amidst digital transformation, and the need for attention to global and Indian data protection regulations.

In an era where data is both an asset and a liability, it is important for boards to consider integrating comprehensive risk management and resilient oversight to navigate the complexities of data privacy, said Tarun Kaura, Partner and Leader – Cyber, Deloitte India. “This involves not just adherence to regulations but fostering a culture where privacy is ingrained in the fabric of operations. Strategic investments in privacy-enhancing technologies and a commitment to continuous monitoring and education will be pivotal. As we stride into a future where data privacy shapes consumer trust and enterprise success, the Board’s role transcends regulatory compliance, championing a privacy-first approach that secures data while unlocking its value sustainably and ethically,” he added. 

According to the Deloitte-CII report, titled ‘The DPDP act and enterprises in India’, the top imperatives for the board are:

• Self-Awareness: Boards must understand regulatory data privacy obligations and stay informed on industry trends to recognize risks and standards.

• Governance (enterprise, culture, and people): Drive a culture that values data protection through training and awareness. 

• Enterprise transformation: Boards should address data privacy in enterprise processes to derive value from data responsibly. Privacy is to be seen beyond compliance.

• Risk management: Integrate data protection and privacy within the risk management framework, implementing controls to bolster enterprise resilience.

• Third-party risk management: Monitor third-party data processors with administrative and technical measures. 

• Proactive compliance: The boards can guide the privacy office and stakeholders across enterprise lines to take the following proactive steps to meet compliance objectives:

o Committing to informed consent and not retaining personal data longer than the period required per lawful basis

o Maintaining records of processing activities and having visibility over the types of personal data processed across its lifecycle

o Transferring personal data securely outside of India per provisions of the DPDP Act

o Asking for personal information that is reasonably necessary for intended purposes, emphasizing data transparency and trust while collecting data

o Adopting privacy by design approach and deploying strong security controls at all points of data collection, transfer, use, and storage

o Educating employees on how to handle personal data securely, reporting data breaches in a timely manner, and addressing data subject rights per the DPDP Act