Digital Personal Data Privacy Act 2023: Know how it can affect the BFSI sector

Digital Personal Data Privacy Act 2023: A strong impact is expected on the BFSI sector. Know the key considerations and how an effective privacy program can be created.

By: HT TECH
Updated on: Nov 27 2023, 12:57 IST
Digital Personal Data Privacy Act 2023: This is how the BFSI sector of India might be affected. (Pexels)

The BFSI industry is notably one of the most regulated in India. It was already subject to requirements outlined by governing bodies like the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and Unique Identification Authority of India (UIDAI). These regulations address aspects of cybersecurity and encompass certain elements of privacy. Larger organizations operating across multiple geographical regions are obliged to adhere to global privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others, but these organizations will now also need to tailor their processes to adhere to the DPDP Act covering the customers within the Indian region. Furthermore, this sector has played a pivotal role in propelling the extensive adoption of digital technologies, analytics, and governance methodologies. With the DPDP Act, 2023, additional focus on the local requirements will be needed.

Some key considerations with reference to privacy are as below:

Strengthened Data Privacy Practices: The need for data privacy stipulations will get this sector to increase its investments in comprehensive privacy safeguards. This encompasses enhancement in encryption, identity management, the secure storage of data, and routine security audits, all aimed at protecting customer data from unauthorized access and breaches.

Customer Personal Data Protection: Improve strategies for companies to gather, retain, and handle customer data.

Customer Communication and Marketing with Consent Management: Emphasis on obtaining informed consent from individuals for the collection, use, update, disclosure and erasure of their personal data.

Data Handling Practices: The requirements of data privacy require that organizations align their approach to collecting, storing, processing, and updating/erasing customer personal data. Organizations must seek consent, provide transparent details about the purpose, and empower customers to exert their privacy rights, including the ability to access, update and erase their personal data. These actions would augment transparency and allow customers to manage their personal information.

Data Sharing and Partnerships: Data privacy requirements shall influence how banks collaborate with third parties and establish partnerships involving customer personal data. Institutions must uphold compliance when sharing data for purposes like analytics, risk evaluation, or cooperation with other financial service entities. Mandates about consent can have implications for how data sharing activities are carried out.

Data Breach Notification and Response: While CERT-In-related guidance on reporting a breach within 6 hours of detection is already in force, the DPDP Act, 2023 focuses on personal data breaches. In the event of such a breach, organizations would need to have a mechanism to promptly inform the Data Governance board as well as each affected data principal.

Cross-border Data Transfer: For organizations, data privacy requirements pose challenges when transferring customer data across borders. Adequate safeguards must be implemented to ensure compliance with the blacklist that the regulator would provide in the future.

Privacy-Enhancing Technologies: The adoption of technologies covering data loss prevention, anonymization techniques, data mapping/cataloging, privacy rights automation, and consent and preference management shall increase significantly to enhance adherence to the requirements of the Act.

Employee Training and Awareness: Guaranteeing that employees within the organizations possess knowledge about data privacy prerequisites and comprehend their responsibilities aligned with relevant local and worldwide privacy regulations.

Further, below are holistic steps to be considered for an effective privacy program:

Conduct a Data Privacy Risk Assessment: A comprehensive evaluation of data privacy risks plays a vital role in uncovering vulnerabilities within compliance and protection initiatives. This evaluation is designed to pinpoint the data that the organization gathers, maintains, and processes, scrutinize the potential privacy risks linked to this data (such as confidentiality and security concerns), appraise the effectiveness of existing measures addressing these risks, and uncover any deficiencies or remaining risks. This procedural approach assists leadership in gaining insight into essential data privacy regulations, delineating compliance responsibilities, and fortifying the organization's overarching data privacy framework.

Baseline Establishment: Baselining is an immediate and proactive approach to ensuring privacy compliance within any organization. It entails thoroughly examining all of the organization's privacy pledges, clarifying precisely what commitments have been made to customers concerning data collection, processing, storage, and transfer practices, and, most critically, verifying if these commitments are being upheld. Guaranteeing the adherence to these commitments is of utmost importance. Considering the current absence of comprehensive privacy legislation in India, it is advisable for organizations to embrace a baseline methodology to establish a uniform framework. Expanding these privacy commitments to encompass contracts, third-party partnerships, and employee training can further enhance data privacy standards.

Adoption of Privacy Enhancing Technologies: To ensure data privacy, organizations should implement privacy-enhancing technologies that offer robust protective measures. These encompass encryption, DLP tools, techniques for anonymization, governance tools for privacy, data mapping and cataloging, automation for managing privacy rights, automation for Privacy Impact Assessment/Data Protection Impact Assessment, tools for managing consent and preferences, tools for managing third-party privacy risks, training solutions for privacy, identity management platforms, and secure data storage solutions. These technological advancements aid in securing sensitive information, reducing the risk of unauthorized access or data breaches, and facilitating the structured management of regulatory requirements.

Change Management: Continuous evaluation of privacy decisions, service/product changes, and third-party data sharing's effects on data privacy and compliance is vital. This is especially challenging for large organizations with rapid changes. Creating a lasting change management program is crucial. Leaders should make data privacy a strategic priority, encourage a compliance-oriented culture, and raise privacy awareness across the organization. Effective change management ensures customer privacy commitments are upheld, fostering trust. It's also essential that top leadership is clear about privacy and the board backs privacy initiatives.

Documentation and Privacy by Design: Building a successful data privacy program requires two key documentation approaches. First, organizations should comprehensively document privacy procedures, processes, risks, and controls, which can be a significant effort but is essential. Second, they must document processes that involve customer or sensitive information, as this helps assess the impact of changes on privacy risks. Keeping clear, verifiable, and easily accessible records of plans and processes is vital for effective program management. It's advisable to assign an employee responsible for document security, compliance, and record maintenance. Furthermore, adopting Privacy by Design and integrating privacy considerations into system, product, and service designs from the beginning is crucial. Employ privacy-enhancing technologies and practices to minimize personal data collection and storage while ensuring data protection measures are consistently applied throughout the data lifecycle. Incorporating data privacy and protection into organizational processes requires time, attention, and resources. By following these foundational steps, businesses can establish a comprehensive data privacy program that maintains customer trust, meets regulatory expectations, and ensures data privacy and protection in a continually evolving landscape.

In today's digital world, safeguarding personal data and prioritizing privacy protection are of utmost importance. Organizations can achieve this by adhering to privacy-by-design principles, securing informed consent, implementing strong security measures, and promoting transparency and accountability. These actions help build trust, reduce risks, and uphold individuals' privacy rights. In conclusion, the data privacy landscape in India is evolving, with a growing emphasis on safeguarding individual privacy, strengthening regulatory frameworks, and adapting to technological advancements. The introduction of the Digital Personal Data Privacy Act in 2023 is a significant milestone, aligning India with global privacy standards and creating a privacy-focused environment that supports the objectives of the Digital India initiative.

(By Sandeep Gupta, Managing Director, Protiviti Member Firm for India)

First Published Date: 27 Nov, 12:57 IST