– By Joyce Rodriguez
Data management can be defined as the collection, processing, usage, storage, and disposal of data, with the discipline of maintaining the integrity and security of that data throughout its lifecycle. One of the foremost considerations in achieving this is effective data governance. A good data governance strategy will ensure that the right data is collected for the desired usage, the right access is provided to preserve the integrity of that usage, and the right security measures are taken to protect the data from misuse.
On August 11, 2023, India saw the enactment of its first data privacy law, the Digital Personal Data Protection Act, which aims to provide legal recognition of an individual’s right to data privacy and consequence management for the mishandling of such data. As organisations prepare to understand the applicability of the Act and the actions required to comply with it, the bigger question is how the Act will impact an organisation’s overall data management strategy.
Let’s first look at some of the key factors that will influence a change in data management strategies:
1. Privacy compliance: The need to establish transparency on the data being collected, its intended usage, seeking consent for such usage, and honoring the preferences stated by the individuals or data principals.
2. Defining legitimate and business use: As the Act provides certain exemptions to legitimate use, it is important to identify such use cases and have specific data governance measures adopted accordingly.
3. Data minimisation and purposeful usage: This aspect focuses on collecting only as much data as is required for a transaction. If data is shared between processes, it must be shared with consent, and only as much data as the transaction requires should be shared.
4. Additional controls when dealing with children’s data: Apart from seeking parental consent, it is important to take data handling measures that protect children from being traced.
5. Third-party data processing: Taking accountability for the data across the business’ supply chain and ensuring that all parties involved bear an equivalent responsibility for protecting personal data.
In light of the new privacy law, organisations will need to reassess their data management practices, especially for personal data management. Compliance with the Act will require a different mindset, culture, processes, data management controls, and technology to fully align with the objectives of privacy and data protection. A few focus areas for assessing your organisation’s data management strategy are highlighted below:
Data policies: Existing data policies will need to be rewritten with privacy in mind and include new controls and responsibilities for data acquisition, data stewardship, data use, and data exchange.
Data discovery and classification: Organisations will require mechanisms to discover personal data in their landscape, inventory such data and classify the type of data to apply the right controls. Where organisations deal with large volumes of personal data, enabling the right tools and technology will be integral to ensuring accuracy for discovery and classification.
Data acquisition: Personal data acquisition techniques will need to incorporate consent and preference management. Organisations will require a consent management framework, processes, roles, and the right technology to capture and track consent.
Data processing: This will require compliance with the consent and preferences set by data principals, and therefore current ways of processing data need to be assessed. Any processing responsibility shared with a third party will also need to be reviewed for the right contractual coverage.
Data security: The Act establishes consequences for data breaches, and thus it’s important to have the right strategy to protect and secure personal data through its lifecycle. Apart from ensuring overall security of the enterprise and data sources, organisations will also need to evaluate their current data security standards around encryption, masking, de-identification etc., and establish controls on data leakage prevention and data access management as reasonable safeguards to protect personal data.
Data retention and disposal: Though the Act does not specify requirements for retention, India has other regulations for specific industries that have requirements for data retention. Therefore, organisations will have to assess their data retention and secure disposal strategies and link them with consent withdrawal.
While the above-mentioned points touch upon a few areas of change, the Act is likely to have a broader impact on how businesses dealing with personal data are conducted today. As we await an official enforcement date for the DPDP Act, we believe the new law will influence the future of data management strategies to be more privacy-cognizant. And where data drives business strategy, this could be an opportunity for businesses to reshape their brand with responsible data strategies.
(Joyce Rodriguez is the Partner at Deloitte India.)
(Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.)