The Digital Personal Data Protection Act (DPDPA) is a significant milestone in India's regulatory landscape, intended to safeguard personal data and strengthen privacy protections in an increasingly digital world. As organizations across sectors collect, process, and store large volumes of personal data, compliance with the DPDPA becomes imperative. The Act sets out requirements on data collection, consent, storage, and security, and obliges organizations to adopt robust data protection measures. Understanding the implications of the DPDPA is therefore essential for businesses that want to stay compliant, avoid heavy penalties, and retain consumer trust. Against this backdrop, Prasenjit Mukherjee, CIO at JWIL Infra Ltd, spoke to Tech Achieve Media about the Digital Personal Data Protection Act (DPDPA).
TAM: Could you provide an outline of the DPDPA and how it’s going to impact organisations?
Prasenjit Mukherjee: Let’s talk about the Personal Data Protection Act, which has been implemented in India. There are many discussions and training programs, and various bodies are working to educate people about this Act. Data protection acts have been prevalent in India for many years and are known for their strict compliance requirements.
Globally, the value of individual data is significant, even though India’s large population might suggest otherwise. It’s a positive initiative by the government to introduce the Data Protection Act, especially when much of the information is already out in the public domain or shared among different data agencies.
When discussing data protection, whether it’s the DPDP or PDPA, it primarily focuses on protecting personal data. The first priority is safeguarding the data of individual employees working within an organization. Every organization must ensure that the information of their employees, vendors, and subcontractors is protected and not leaked through organizational channels, even if it might already be available through other means. This is the first key point.
The second point is relevant for organizations operating in a B2C environment, where they directly interact with customers. These organizations need to obtain consent when collecting personal data, clearly stating the purpose of data collection and assuring that the data will not be leaked through organizational routes.
For example, in e-commerce or banking sectors, or utilities like power and water where companies have direct contact with consumers, data collection is mandatory. They need to collect personal information such as names, Aadhaar numbers, email IDs, and mobile numbers. It’s important to communicate to consumers why this data is being collected and ensure it is stored securely to provide the best possible service.
Consider a scenario where a consumer needs to retrieve their account information. They may not remember their consumer number but can connect with the organization by using their mobile number. The organization must ensure this data is protected and not leaked. If someone enters a mobile number in a self-help portal, the system should have checks, such as OTP verification, to prevent unauthorized access to personal information.
Organizations must ensure that data is not leaked and systems are secure against ransomware attacks. Protecting personal data is crucial, and this is what organizations are focusing on.
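The self-help portal check mentioned in the answer above (look up an account by mobile number, but only after an OTP has been verified) as an added example. This is illustrative code written for this page, not code from the interview or from JWIL's systems. The account table is constructed sample data, the function names are assumptions, and SMS delivery is simulated by returning the code to the caller so the example runs offline. The points it adds beyond the text: the clear OTP is never stored (only a keyed hash), the code is single use, it expires, a small number of wrong guesses burns the challenge, and an unenrolled number gets the same response as a wrong code so the portal cannot be used to enumerate customers.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"time"
)

// Added example, not JWIL code: an OTP gate in front of a
// "find my account by mobile number" self-help lookup.

const (
	otpTTL      = 5 * time.Minute // how long a code stays valid
	maxAttempts = 3               // wrong guesses before the challenge is burned
)

type Account struct {
	ConsumerNo string
	Name       string
	BalanceDue float64
}

// Constructed sample data; not a real customer.
var accounts = map[string]Account{
	"+919876543210": {ConsumerNo: "WB-00123", Name: "A. Sharma", BalanceDue: 420.0},
}

// challenge holds everything needed to verify an OTP without storing it in clear.
type challenge struct {
	mac      []byte    // HMAC-SHA256 over mobile and OTP under a per-challenge key
	key      []byte    // random key, discarded with the challenge
	expires  time.Time // absolute expiry
	attempts int       // verification attempts so far
}

var pending = map[string]*challenge{}

func otpMAC(key []byte, mobile, otp string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(mobile))
	h.Write([]byte{0}) // separator so (mobile, otp) pairs cannot collide
	h.Write([]byte(otp))
	return h.Sum(nil)
}

// RequestOTP starts a challenge for mobile and returns the 6-digit code that
// would be sent by SMS (returned here only so the example runs offline).
// A challenge is issued whether or not the number is enrolled, so the
// request step never reveals which numbers have accounts.
func RequestOTP(mobile string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	otp := fmt.Sprintf("%06d", n.Int64())
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	pending[mobile] = &challenge{mac: otpMAC(key, mobile, otp), key: key, expires: now.Add(otpTTL)}
	return otp, nil
}

// VerifyAndLookup checks the OTP and, only on success, returns the account.
// ok is false for a wrong, expired, reused or over-tried code and for a
// number with no account; every failure looks the same to the caller.
func VerifyAndLookup(mobile, otp string, now time.Time) (Account, bool) {
	ch := pending[mobile]
	if ch == nil {
		return Account{}, false
	}
	if now.After(ch.expires) {
		delete(pending, mobile)
		return Account{}, false
	}
	ch.attempts++
	if !hmac.Equal(ch.mac, otpMAC(ch.key, mobile, otp)) { // constant-time compare
		if ch.attempts >= maxAttempts {
			delete(pending, mobile) // locked out: a fresh OTP must be requested
		}
		return Account{}, false
	}
	delete(pending, mobile) // single use
	acct, found := accounts[mobile]
	return acct, found
}

func main() {
	now := time.Now()
	otp, _ := RequestOTP("+919876543210", now)
	if acct, ok := VerifyAndLookup("+919876543210", otp, now); ok {
		fmt.Printf("consumer %s, balance due %.2f\n", acct.ConsumerNo, acct.BalanceDue)
	}
}
```

In a real portal the lookup would also be rate limited per source IP and per mobile number, and the challenge store would be a shared cache rather than a process-local map, but the sequence of checks (exists, not expired, attempt counted, constant-time compare, consumed on success) is the part that matters.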
TAM: What are some of the challenges that organizations will face while deploying the Digital Personal Data Protection Act?
Prasenjit Mukherjee: One challenge is proving where a data leak originated. For instance, if my data is leaked, it’s difficult to prove that a specific utility company is responsible because my data has been shared in many places over the years. My email, mobile number, and other details have been out there for decades. So, even if organization A has my data, it’s tough to file a complaint if that data appears in the public domain.
When I order something on an eCommerce site, I often see advertisements on platforms like Facebook or Instagram. These sites collect my details without asking for consent, and I willingly provide my personal information because I want to buy something. Typically, people are eager to fill out their name, mobile number, email, and address without questioning why this data is needed or how it will be used. Additionally, many sites ask if they can save this information for future transactions, and people often agree to avoid filling out their details again.
For organizations, it’s crucial to have proper processes for data collection, usage, and protection. They need robust internal policies to prevent data leaks. If a forensic investigation occurs, it should be clear that the data did not leak through the organization’s channels.
For example, when we collect data from consumers for water billing services, we ensure the data is fully encrypted. Our field executives use mobile apps to collect information and scan mandatory documents like electricity bills or Aadhaar cards. This data is encrypted and securely stored within the application, then pushed to our servers with strict security measures to prevent leaks.
The main point is ensuring secure data collection, proper encryption, and preventing leaks through mobile applications or servers. Proving data leaks from a specific organization typically requires finding the leak on the dark web.
Therefore, organizations must ensure total data security, including robust encryption and secure handling of data from collection to storage. This is what my organization focuses on, especially given that we manage enterprise data. Having a solid security layer to prevent external attacks is essential.
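The field-app flow described above (collect the consumer's personal fields, encrypt them in the app, store them, push them to the server) as an added example. This is illustrative code written for this page, not JWIL's application code. It assumes AES-256-GCM with a fresh random nonce per field, a key that in production would come from the device keystore or be issued per record by the server (here a constructed test key), and a constructed sample record. What it adds to the text is the binding: the record id and field name are passed as associated data, so a sealed field cannot be altered, truncated, or moved to another record without failing authentication, and the upload body never contains the personal fields in clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not JWIL code: field-level encryption of collected personal
// data before it is stored on the device and uploaded.

// Assumption: a constructed 32-byte test key. Real deployments provision the
// key from the device keystore or get a per-record data key from the server.
var testKey = []byte("0123456789abcdef0123456789abcdef")

// Sealed is the form kept on the device and sent to the server.
// Each field value is nonce || ciphertext || GCM tag.
type Sealed struct {
	RecordID string            `json:"record_id"`
	Fields   map[string][]byte `json:"fields"`
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to one record and one field name.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Seal encrypts every personal field of a collected record.
func Seal(key []byte, recordID string, fields map[string]string) (*Sealed, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := &Sealed{RecordID: recordID, Fields: make(map[string][]byte, len(fields))}
	for name, value := range fields {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := aead.Seal(nil, nonce, []byte(value), aad(recordID, name))
		out.Fields[name] = append(nonce, ct...)
	}
	return out, nil
}

// Open decrypts a sealed record. A modified, truncated or transplanted field
// fails the whole record rather than yielding partial data.
func Open(key []byte, s *Sealed) (map[string]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	out := make(map[string]string, len(s.Fields))
	for name, blob := range s.Fields {
		if len(blob) < ns+aead.Overhead() {
			return nil, errors.New("field " + name + ": ciphertext too short")
		}
		pt, err := aead.Open(nil, blob[:ns], blob[ns:], aad(s.RecordID, name))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

// Wire is the JSON body the app uploads; []byte values are base64-encoded.
func Wire(s *Sealed) ([]byte, error) {
	return json.Marshal(s)
}

func main() {
	// Constructed sample record; not a real person.
	collected := map[string]string{
		"name": "A. Sharma", "aadhaar": "123412341234",
		"mobile": "+919876543210", "email": "a.sharma@example.com",
	}
	sealed, err := Seal(testKey, "WB-00123", collected)
	if err != nil {
		panic(err)
	}
	body, _ := Wire(sealed)
	fmt.Println(string(body))
	back, err := Open(testKey, sealed)
	fmt.Println(back, err)
}
```

The record id and the field names remain in clear so the server can route and index the record; only the personal values are protected. Transport security (TLS to the server) is still needed on top of this, since the clear metadata and the upload pattern are themselves observable.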
TAM: Aren’t laws like the DPDPA counterproductive to the true potential that AI holds?
Prasenjit Mukherjee: Nowadays, every organization is trying to leverage AI to stay competitive and increase their market share. They are integrating AI into digital platforms to enhance agility and efficiency. When we talk about AI, especially regarding consumer data, it’s crucial to safeguard that data while using AI for various activities.
The implementation method matters a lot. Are you using a SaaS-based platform or developing it in-house? This distinction is important because it affects your control over the data. When using AI, your data is shared and processed, and you must ensure its security.
It’s essential to consider where the data is hosted and how it is protected, even if it’s not explicitly mentioned in the data protection act. Organizations must ensure that consumer and organizational data is secure. This involves having agreements such as NDAs with partners to ensure data protection. For example, if you’re using a platform like ChatGPT specifically for your organization, you need to ensure that the data isn’t shared externally. These concerns should be addressed in your data protection policies.
While safeguarding data on one hand, organizations might overlook data security when implementing new technologies like AI, which could lead to data leaks. Therefore, it’s crucial to consider security when integrating AI into your projects. So, securing data when using AI platforms is essential. Organizations should not overlook security in their eagerness to adopt new technologies. Ensuring data security is a vital part of the process.
TAM: Words of wisdom for organisations on the DPDPA.
Prasenjit Mukherjee: First, when collecting data, we need to ensure we obtain consent and inform people about the purpose of data collection. For example, in HR, when a new employee joins, we should ask for their consent to collect and use their data. Unfortunately, many HR departments do not do this.
Secondly, how do we protect that data? Many HR software systems are SaaS-based platforms. Do we have legal contracts ensuring data protection with these service providers? Often, we don’t. In our organization, we’ve used a SaaS-based HRMS platform for the past five years, but we haven’t updated our agreements to comply with the new data protection laws.
If we handle consumer data, consent is crucial. Additionally, we need robust data protection measures when collecting data through applications, ensuring security during data transfer to core servers, and safeguarding data at rest on our servers or in customer-related applications. We must establish and adhere to clear policies that comply with data protection laws, considering penalties for non-compliance. These are some practical tips for organizations on data protection.
Regarding enterprise data, many measures are in place, and it’s an ongoing process to improve them. When adopting new technologies like AI, ensure agreements with partners guarantee data security. These are my insights on personal data protection. Proving a data leak from an organization can be challenging, but these measures help mitigate risks.