By Ben Rapp
As in the previous posts in this series, we are addressing commonly held misconceptions in order to clarify what matters most to organisations embarking on their DPDPA compliance journey. Our particular focus is compliance with India's new Digital Personal Data Protection Act, but it is worth reiterating that the lessons apply globally.
In this week's post we turn to the misunderstandings around accountability, the use of third parties and the need to manage third-party risk.
Misconception 10: Delegating processing delegates compliance
This one is simple: the principle of accountability means that you, the data fiduciary, are held responsible for any collection, processing and storage carried out on your instructions by any other party. It is your duty to ensure that your third-party providers operate in compliance with the DPDPA and carry out only the processing you have instructed. If a processor breaks the law, your only defence is to demonstrate that you carried out all reasonable due diligence, put the right contractual provisions in place and performed sufficient, regular compliance checks.
Even where you share data with another fiduciary, responsibility is shared, not transferred. You still have to demonstrate that the transfer is necessary and appropriate, and that you have an agreement in place providing the controls and collaboration needed to assure data protection.
Whether you are transferring data to a processor or to another fiduciary, it becomes more challenging still if the other party, or their data storage or processing, is outside the country. While we are still waiting for the detailed rules on international transfers, we know that elsewhere in the world such transfers require a specific risk assessment and additional contractual provisions, and bring greater exposure to regulatory scrutiny.
All of this makes third-party risk management a crucial part of an effective DPDPA programme. It is important to be aware of the sheer number of third parties with whom a typical organisation shares data: in our experience, a typical Tier 2 financial institution has more than 1,000 sharing partners, each of which needs an individual risk assessment, contract review and risk treatment plan.
Why now is the time for action
So far, what you will mostly have taken from this series is that DPDPA compliance is more complicated, more onerous and, inevitably, more expensive than you had thought. All of that is true. But, and it is a big but, an effective compliance programme is also a huge opportunity.
Why?
- To become compliant you need to map every piece of personal data in your organisation and understand how it is used, by whom and for what purpose, with whom it is shared, how long you keep it and why you believe that processing is worth doing in the first place. You could, like many before you, keep that information in a compliance silo. Or you could consider the value of that kind of mapping in identifying process inefficiencies and duplication, revealing flaws in decision-making processes and understanding supply chain risks. To say nothing of the reduction in cyber attack surface that comes from reducing both the volume of data you hold and the number of people with access to it. The transformation programme we described earlier doesn't just produce a compliant business; it produces a leaner, more efficient and more profitable one as well.
- You will, I hope, recall our Privacy Made Positive® research. It showed the extent to which good privacy practice, if you publicise it properly and show that you genuinely care about data principals and their outcomes, can be a competitive advantage. In competitive and commoditised markets where differentiation hangs on reputation and customer perception, compliance is a surprisingly effective lever for improving trust scores and driving better retention and conversion.
- Most importantly, because it will change how you think about data and what you can get from it. The danger of compliance programmes is that they lead you to think of data as a risk, and certainly, if you don't deliver effective data protection, a risk is what it will be. But the reality is that data should be an asset, one that you protect because it has value and delivers a worthwhile return. If your data is current, deduplicated, accurate, properly linked to a single customer view, securely stored and processed, and properly consented to by data principals who trust you, it becomes your most valuable asset and the key to data-driven growth.
-----------------------------------------------------
Read our 10 DPDPA misconceptions series
Interested to read the series in full? Click on the links below.
Misconception 1: data protection is all about breach prevention
Misconception 2: Compliance is just paperwork.
Misconception 3: it’s all about consent
Misconception 4: personal data is PII
Misconception 5: Consumers don’t care about privacy
Misconception 6: No consumers, no problem
Misconception 8: It’s an IT problem, and a GRC system will solve it
Misconception 9: The DPO will deal with it (and it's a part-time job)
------------------------
Setting off on your DPDPA compliance journey?
If you would like us to help you achieve DPDPA compliance and transform your data from a risk into an asset, you can Contact Us.
If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.