
Data protection misconception 2: Compliance is just paperwork!

Written by Ben Rapp | Feb 11, 2026 1:17:16 PM

As indicated last week, we are covering commonly held misconceptions to provide clarity on what's important to those embarking upon their DPDPA compliance journey. Our particular focus here is on compliance with India’s new Digital Personal Data Protection Act, but it is worth reiterating that the lessons are globally applicable.

Misconception 2: data protection compliance is all about paperwork

Being able to demonstrate compliance by producing documentation is a significant part of data protection compliance. This documentation includes public and employee-facing privacy notices for transparency; internal policies and procedures to ensure proper controls; records of processing to identify each purpose and its justification; evidence of consent, including histories of grant and withdrawal; detailed risk assessments and the treatments they engender; contracts and agreements for the sharing of data with third parties and for processing of data under your instruction; records of those transfers of data; logs of breaches and near misses; and internal and external reports on compliance, including in some cases formal data protection audits. All in all, there is indeed a lot of paperwork.

However, the substance of data protection is not that paperwork; it’s the organisational transformation that is required to ensure that you actually do what your records say you are doing. Every internal process needs to be reviewed to ensure that personal data is being processed in accordance with your policies, and the process needs to change if it is not compliant. All of the risk treatments you identify in your assessments need to be implemented and verified. All of your third-party data sharing partners need to be managed and their performance closely monitored. All of your systems need to be reviewed and, where necessary, changed so that you can properly comply with the law and with requests from data principals for correction, completion or erasure of, or access to, their data; challenges to decision-making; and withdrawals of consent. Everyone in the organisation who has access to personal data must receive privacy awareness training that is sufficient for their degree of involvement in processing and decision-making about processing.

This is a whole-organisation transformation programme that requires both top-down policymaking and bottom-up process review and change; it needs the whole-hearted sponsorship of senior management and the resolute involvement of process owners at every level.


-----------------------------------------------------

Setting off on your DPDPA compliance journey?

If you’d like us to help you achieve DPDPA compliance and transform your data from a risk into an asset, you can Contact Us.

If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.