Introduction
In the digital age, customer data protection has become extremely important, especially for companies handling sensitive information. For a company based in India, integrating software built by a US company requires a thorough understanding of data protection regulations. The Digital Personal Data Protection (DPDP) Act, enacted in India in 2023, provides a framework for ensuring the privacy and protection of personal data. This article outlines key steps to protect customer data in compliance with the DPDP Act when installing foreign software.
Territorial reach of the DPDP Act
The DPDP Act not only applies within the geographical boundaries of India but also possesses extra-territorial reach. It encompasses the processing of digital personal data beyond Indian borders, particularly when such processing is linked to the provision of goods and services to individuals within India, referred to as data principals. Consequently, entities situated in foreign jurisdictions fall under the purview of the DPDP Act if their data processing activities are associated with services rendered within India.
Understanding the DPDP Act
The DPDP Act aims to protect personal data, ensuring that entities collecting, storing, and processing such data adhere to strict guidelines. Key aspects of the DPDP Act include:
- Consent (Section 6): Personal data must be collected with explicit consent from individuals. Consent provided must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. It should indicate agreement to the processing of personal data for a specified purpose and be limited to the necessary data for that purpose.
- Specific to Purpose (Section 7): Data should only be used for the specific purpose for which the Data Principal has voluntarily provided personal data to the Data Fiduciary and has not withdrawn consent for its use.
- Necessary Data (Section 8): Only necessary data should be collected.
- Security Safeguards: Adequate security measures must be in place to protect data.
- Accountability: Entities must be accountable for data handling practices and demonstrate compliance.
Steps to Protect Customer Data
- Conduct a Data Protection Impact Assessment (DPIA)
Before integrating the foreign-built software, perform a DPIA to identify and mitigate potential risks to customer data. The DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
- Ensure Data Localization
Sectoral regulators such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) can implement data localization measures, which require regulated entities to store sector-specific data within the country to comply with regulations.
The DPDP Act mandates that critical personal data must be stored and processed within India. To comply:
- Local Servers: Use local servers to store sensitive data.
- Hybrid Cloud Solutions: A hybrid cloud is a mixed computing environment where applications are run using a combination of computing, storage, and services in different environments. Implementing a hybrid cloud strategy can help keep critical data within Indian borders while leveraging foreign software capabilities.
- Secure Data Transfers
When transferring data between India and the Foreign Company, ensure compliance with DPDP’s cross-border data transfer regulations.
Under Section 16(1) of the Act, the Central Government has the authority to specify countries to which the transfer of personal data is prohibited. To prevent conflicts with existing laws, Section 16(2) of the DPDP Act gives precedence to any existing laws with stricter data protection measures during international data transfers. This means that if another law provides stronger protections, it will take precedence, ensuring a robust overall data security framework.
The regulations include:
- Standard Contractual Clauses (SCCs): Standard Contractual Clauses are a model data transfer mechanism primarily designed to assist controllers and processors in legally facilitating data transfers to third countries. Incorporating SCCs in agreements with the foreign software provider helps demonstrate legal compliance, data protection, accountability and risk mitigation, and supports business operations. SCCs offer a reliable and standardized approach to managing international data transfers, ensuring compliance and protection across different legal jurisdictions.
- Adequate Protection Measures: Ensure the Foreign company provides adequate data protection measures comparable to DPDP requirements.
- Obtain Explicit Consent
Ensure that explicit consent is obtained from customers for data collection and processing:
- Clear Consent Forms: Use clear and concise consent forms detailing data usage.
- Opt-In Mechanism: It is a consent model where individuals actively choose to allow the collection, use, or sharing of their personal information.
- Implement Robust Security Measures
To safeguard data, implement robust security measures, including:
- Data Encryption: Organisations should encrypt personal data both when it is at rest and when it is in motion. This will keep unauthorised people from getting to the data, even if it is stolen or lost. Organisations should also protect Data in Use by adopting Privacy Enhancing Technologies (PET).
- Access Controls: Organizations should implement access control tools to restrict who can view personal data. This could involve the use of passwords, multi-factor authentication, and role-based access control.
- Data breach prevention: Organizations should utilize security tools such as firewalls, intrusion detection systems, and vulnerability scanners to prevent data breaches.
- Incident Response: Organisations should have a plan in place to react to data breaches quickly and effectively. This plan should include steps to stop the breach, tell people who are harmed, and find out why the breach happened.
- Train their employees: Companies should educate their employees about the DPDP and the importance of data protection. This training should include how the organization collects and uses data, individuals’ rights, and the security measures in place to safeguard personal information.
- Conduct Regular Audits: Conduct regular security audits and vulnerability assessments.
- Ensure Data Minimization and Purpose Limitation
Adopt practices that adhere to data minimization and purpose limitation principles:
- Data Minimization: Collect only as much personal data as is necessary to serve the specified purpose.
- Purpose Limitation: Clearly define the purpose of data collection, use personal data only for the purpose specified when the Data Principal's consent was obtained, and ensure it is not used for any other purpose.
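As an added illustration (not code from the original article), the following Python sketch shows how the consent, purpose-limitation and minimization requirements of Sections 6 to 8 can be enforced before foreign-built software is allowed to read a customer record, with every decision written to an audit log for accountability. The ConsentRegistry class, the principal identifiers and the sample purposes are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                 # the one specified purpose (Section 6)
    data_items: FrozenSet[str]   # items the principal agreed to share for that purpose
    affirmative_action: bool     # True only for a clear opt-in, never a pre-ticked default
    withdrawn: bool = False      # Section 7: processing stops once consent is withdrawn


class ProcessingDenied(Exception):
    """Raised when a processing request fails a DPDP consent check."""


class ConsentRegistry:
    """Hypothetical in-memory consent store; a real deployment would persist records and the log."""
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.audit_log: List[str] = []   # accountability: every decision is recorded

    def record_consent(self, principal_id: str, purpose: str,
                       data_items: Iterable[str], affirmative_action: bool) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, frozenset(data_items), affirmative_action)
        self._records[(principal_id, purpose)] = rec
        self.audit_log.append(f"CONSENT {principal_id} purpose={purpose} items={sorted(rec.data_items)}")
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> None:
        self._records[(principal_id, purpose)].withdrawn = True
        self.audit_log.append(f"WITHDRAWN {principal_id} purpose={purpose}")

    def authorise(self, principal_id: str, purpose: str, requested: Iterable[str]) -> FrozenSet[str]:
        """Return the items that may be processed, or raise ProcessingDenied and log why."""
        wanted = frozenset(requested)
        rec = self._records.get((principal_id, purpose))
        try:
            if rec is None:                      # purpose limitation: no consent for this purpose
                raise ProcessingDenied(f"no consent on record for purpose {purpose!r}")
            if not rec.affirmative_action:       # consent must come from a clear affirmative action
                raise ProcessingDenied("consent was not given by a clear affirmative action")
            if rec.withdrawn:
                raise ProcessingDenied("consent has been withdrawn")
            excess = wanted - rec.data_items     # data minimization: only what was consented to
            if excess:
                raise ProcessingDenied(f"not consented for {sorted(excess)}")
        except ProcessingDenied as exc:
            self.audit_log.append(f"DENIED {principal_id} purpose={purpose}: {exc}")
            raise
        self.audit_log.append(f"ALLOWED {principal_id} purpose={purpose} items={sorted(wanted)}")
        return wanted
```

The same guard can sit in front of any integration point where the foreign software requests customer fields, so that a request for a different purpose or for extra fields is refused and logged rather than silently served.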
- Train Employees on Data Protection
Educate and train employees on DPDP compliance and data protection best practices:
- Regular Training Sessions:
- i) Conduct regular training sessions on data protection principles.
- ii) Provide regular refresher training to employees and keep them updated on changes to data protection laws.
- Awareness Programs: Implement awareness programs to keep employees updated on the latest regulations and threats.
- Establish a Data Breach Response Plan
Develop a comprehensive data breach response plan to address potential data breaches promptly:
- Incident Response Team: Form a dedicated incident response team.
- Notification Procedures: Establish clear procedures for notifying affected individuals and authorities in case of a breach.
- Mitigation Strategies: Develop strategies to contain and mitigate the impact of a data breach.
Exceptions to the DPDP Act
The exemptions provided in the DPDP Act are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.
- For research, archiving, or statistical purposes.
- For start-ups or other notified categories of data fiduciaries.
- To enforce legal rights and claims.
- To perform judicial or regulatory functions.
- To prevent, detect, investigate, or prosecute offences.
- To process in India personal data of non-residents under foreign contract.
- For approved merger, demerger, etc.
- To locate defaulters and their financial assets etc.
Additional Responsibilities for Organizations
In addition to the aforementioned obligations, organizations processing data can enhance their compliance preparedness by taking the following steps:
- Assess Data Processing Activities: Organizations should evaluate their data processing activities to identify areas needing changes to comply with the DPDP Act.
- Develop a Data Protection Policy: Organizations should create a data protection policy that outlines their commitment to safeguarding personal data and details their data processing practices.
- Appoint a Data Protection Officer (DPO): Organizations processing personal data on a large scale are required to appoint a DPO. The DPO will oversee the organization’s compliance with the DPDP Act.
- Conduct Periodic Audits: Organizations should appoint an independent auditor to perform regular audits, ensuring ongoing compliance with the DPDP Act.
Authority of the DPDP Board
Chapter V of the DPDP Act outlines the establishment and functions of the Data Protection Board of India (DPBI). The DPBI is tasked with ensuring compliance with the Act and protecting the rights of Data Principals. It addresses grievances, investigates violations, and imposes penalties on violators.
Under Section 33 of the DPDP Act, the DPBI has the authority to impose penalties on Data Controllers or Significant Data Fiduciaries (SDFs) for significant breaches of the Act or its rules (Clause 33 (1), DPDP Act). However, before any penalty is imposed, the involved party is given an opportunity to present their case. This ensures a fair and just process, allowing all sides to be heard before a final decision is made.
Upon receiving reports of breaches or non-compliance, the DPBI conducts a thorough assessment to determine if there are substantial grounds for investigation. If a legitimate complaint is identified, a formal inquiry is initiated. The DPBI has the authority to summon and question witnesses, examine data and documents, and take necessary actions to ensure a comprehensive investigation.
For significant breaches, the DPBI can impose fines as specified in the Act’s Schedule, with penalties varying according to the nature of the violation.
Evaluating Penalties for Non-Compliance by the DPBI
- Severity, Magnitude, and Duration of the Violation: The severity and duration of the violation are critical. A prolonged violation exposing sensitive data is more serious than a minor, quickly rectified incident.
- Category and Sensitivity of the Compromised Data: The type of personal data involved plays a significant role. Breaches involving sensitive data, such as financial or health records, typically attract higher penalties.
- Recurrent Nature of the Violation: Recurring violations indicate systemic issues within the data fiduciary’s systems. Such patterns can lead to higher penalties.
- Financial Gain or Loss Prevention from the Violation: If the data controller has profited from the violation or avoided a loss, it influences the penalty. This ensures violations do not result in any benefit for the responsible party.
- Efforts to Mitigate the Violation: The Board considers the timeliness and effectiveness of the data fiduciary’s mitigation efforts. Swift and effective actions could potentially lower the penalty.
- Proportionality and Deterrent Effect of the Penalty: Penalties are assessed to be proportionate and effective in deterring future violations, ensuring compliance with the Act’s provisions.
- Potential Impact of the Penalty on the Data Fiduciary: The potential impact on the data fiduciary, including financial consequences, reputational damage, and other relevant factors, is also taken into account.
Penalties
As per the Schedule in the DPDP Act, here are the maximum penalties for different types of breaches:
- Personal Data Breach: Up to INR 250 Crores
- Failure to Notify Data Breach: Up to INR 200 Crores
- Breach in Observance of Additional Obligations in Relation to Children: Up to INR 200 Crores
- Breach of Additional Obligations of Significant Data Fiduciary: Up to INR 150 Crores
- Breach of Duties under Section 15: Up to INR 10 thousand
- Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach
- Other Breaches: Up to INR 50 Crores
Conclusion
In conclusion, the integration of foreign software into Indian companies necessitates meticulous adherence to the Digital Personal Data Protection (DPDP) Act of 2023. This legislation not only safeguards the personal data of Indian citizens within the nation’s borders but also extends its jurisdiction to cover data processing activities conducted by entities abroad, if they cater to Indian citizens or residents. By comprehensively understanding and implementing the key provisions of the DPDP Act, including obtaining explicit consent, ensuring data localization, and maintaining robust security measures, organizations can uphold the privacy rights of their customers and demonstrate accountability in their data handling practices. Furthermore, the establishment of the Data Protection Board of India (DPBI) underscores the seriousness of regulatory oversight, ensuring compliance through investigations and penalties for non-compliance. Through proactive measures and a commitment to data protection, businesses can navigate the complexities of the digital landscape while fostering trust and confidence among consumers.