By Ben Rapp
Securys has been delivering modern data protection compliance for more than a decade. In that time, we’ve built programmes for organisations of all sizes, in every sector and across 70 countries. Every customer is different, but common themes emerge. Over the coming weeks, we will highlight 10 of the most persistent misconceptions about data protection. Each week we will cover a different misconception, to give clarity on what matters to those embarking upon their DPDPA compliance journey. Our particular focus here is on compliance with India’s new Digital Personal Data Protection Act, but many of the lessons are globally applicable.
Misconception 1: data protection is all about breach prevention
Breaches matter – they carry risks of regulatory penalty, litigation and loss of customer trust. Effective cyber security is indeed one of the key requirements in data protection, but neither the only requirement nor necessarily the most important. The easiest way to explain the difference is that cyber security asks the question “can I do this processing safely?” while data protection asks the question “should I be doing this processing at all?”. It’s entirely possible to be fined (or sued) for failure to comply despite perfect success in keeping personal data confidential.
Data protection has seven key principles:
- Transparency: data principals must know what you are doing with their data, in what fashion, why you are doing it, with whom you are sharing it and what rights they have with respect to it.
- Lawfulness: all processing must have a justifying legal basis; in India this is mostly consent, but very much not only consent. More on this later.
- Accuracy: personal data must be accurate – that is, it must properly reflect reality – and should be sufficient to properly inform your decision-making.
- Limitation of purpose: you should only collect and process personal data for the specific purposes for which you have identified a justification and which you have declared to the data principal.
- Minimisation: the personal data that you collect should be strictly limited to what is necessary for your identified purposes and should be retained no longer than is necessary to fulfil them.
- Security: personal data should be collected, processed and stored with continuous attention to maintaining its confidentiality, integrity and availability, and with access limited to those persons who have a clear need for it in support of the identified purposes of processing.
- Accountability: you, as the data fiduciary, are accountable to the regulator and to the data principal for all collection, processing and storage of personal data that is undertaken on your instruction, whether by you or other parties. You must have demonstrable internal reporting and verification mechanisms to manage this accountability, including a clear line of reporting to the top of your organisation.
Your data protection programme needs to ensure that every act of collection, processing and storage of personal data is scrutinised through the lens of all seven of these principles, and that you can evidence that scrutiny and the actions you have taken as a consequence. You must demonstrate that you appropriately assess the risks your processing poses to the data principal and take the necessary steps to treat those risks, that you monitor and control the processing of personal data you share with third parties, and that you consider and manage the risks of transferring personal data to other countries.
-----------------------------------------------------
Setting off on your DPDPA compliance journey?
If you’d like us to help you achieve DPDPA compliance and transform your data from a risk into an asset, you can Contact Us.
If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.