By Ben Rapp
As indicated in previous blogs, we are covering commonly-held misconceptions to provide clarity over what's important to those embarking upon their DPDPA compliance journey. Our particular focus here is on compliance with India’s new Digital Personal Data Protection Act, but it is worth reiterating that the lessons are globally applicable.
In this week's post, we turn our attention to the misconception regarding DPDPA compliance and the role of software solutions.
Misconception 8: It's an IT problem, and a GRC system will solve it.
Because privacy compliance is seen as a problem rather than an opportunity, and because it revolves around data processing and so looks like an IT problem, it is often handed to the IT team to handle. In turn, the IT team often looks for a software solution. There is no shortage of software in the data protection space – from discovery tools, encryption systems and redaction products through cookie and consent management platforms to so-called “Governance, Risk and Compliance” (GRC) systems. All of these have a role to play in achieving DPDPA compliance, but none of them will achieve it for you.
Data discovery tools help you find personal data, but they don’t decide whether you should be processing it or – in most cases – even tell you why you have it in the first place. Encryption systems can, when properly deployed and with their keys properly managed, protect confidentiality, but they don’t make your processing lawful and can’t decide for you what to encrypt in the first place. Redaction tools are essential in complying with data principal access requests, but you still need to decide what information to withhold on a case-by-case basis. Cookie managers let you collect consent for cookies – once you tell them what cookies you’re using – but they don’t choose for you, and they don’t manage your accountability for processing by all of the partners with whom that cookie data is shared. And consent management platforms will be a vital part of DPDPA compliance, but all they can do is permit the granting and withdrawal of consent; they won’t by themselves make your processing respond appropriately to those actions by data principals, or develop the right consent wording, or decide whether consent is the right basis for processing in the first place.
In particular, GRC systems are just structured databases in which to store and manage the compliance paperwork discussed earlier in this series. They need careful implementation to match your business; they need to be populated with your data assets, processes, systems and third parties; and while they will help you record your risk assessments and controls, they won’t perform those assessments, identify those controls or implement them for you. Nor is a control recorded in the system the same as a control that works: the evidence that it actually operates still has to come from the people and systems that run it. A good GRC system is an essential component of an effective compliance programme, but it doesn’t substitute for whole-organisation effort in process transformation, and it won’t remove the need for specialists to assess and achieve compliance with the eight principles.
-----------------------------------------------------
Read our 10 DPDPA misconceptions series
Interested to read the series in full? Click on the links below.
Misconception 1: Data protection is all about breach prevention
Misconception 2: Compliance is just paperwork
Misconception 3: It’s all about consent
Misconception 4: Personal data is PII
Misconception 5: Consumers don’t care about privacy
Misconception 6: No consumers, no problem
Setting off on your DPDPA compliance journey?
If you’d like us to help you achieve DPDPA compliance and transform your data from a risk into an asset, you can contact us.
If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.