DPDP Act: Impact on E-Commerce and Services Sector | PwC India

We have seen considerable growth in digitisation efforts by organisations over the past few years. Many have reinvented their business models and re-engineered their existing business processes and systems to reach out effectively and efficiently to their customers. Today, organisations fully appreciate the value of personal data and understand that monetising it can yield benefits that give them an advantage over their competition. However, at the same time, there are concerns and challenges around unethical practices related to the collection and usage of data. Consequently, the current landscape of digital transformation and potential for misuse of personal data have created an urgent need for a regulatory and governance framework around data privacy.

Digital Data Protection Bill: Impact on e-commerce and services sector organisations

With this intent, on August 3, the Ministry of Electronics and Information Technology (MeitY), Government of India (GoI), introduced the Digital Personal Data Protection (DPDP) Act, 2023. The new act aims to regulate personal digital data, setting out the responsibilities of both the data fiduciary and the data principal. While the act focuses on protecting the rights and interests of data principals, it provides a liberalised framework for organisations to transform, innovate and grow digitally. The DPDP Act represents a crucial step towards ensuring data protection and digital privacy in India. By empowering individuals with greater control over their personal information and holding organisations accountable for data management, the act strives to create a safer and more secure digital environment.

Organisations that have traditionally been collecting and processing large volumes of personal data, such as financial services, telecommunications, health and the retail sector, would be impacted the most. For organisations in the e-commerce and services sector too, the act will require changes in the processes, systems and technologies where personal information is collected, stored and processed. E-commerce organisations collect large volumes of personal data from their customers; this includes, but is not limited to, transaction data, session details and the personal data supplied while making digital transactions. Further, this personal data is often profiled in downstream processes to generate insights for creating revenue growth opportunities. The act aims to provide guardrails that foster trust and transparency within these processes by ensuring that personal information is collected for legitimate use, or that consent is sought from data principals if it is used otherwise.

How to embrace the change

The act will impact organisations in the e-commerce and services sectors across the data lifecycle stages. Some key changes that an e-commerce organisation will have to adapt to are discussed below:

Assess the current state and start building a data privacy organisation

  1. Establish a robust data protection strategy and outline goals for data collection, processing and storage. E-commerce organisations would need to chalk out a privacy governance structure consisting of a data protection officer (DPO) and representatives of various functions along with their roles and responsibilities.
  2. Prepare an inventory of applications or data stores that house personal data and identify key applications and databases which are used to collect, store and process personal data. Organisations must maintain records of the personal data accurately throughout the entire data lifecycle.
  3. Identify the ecosystem of data processors which are currently being leveraged. Identify all third parties, including service providers, who are storing or processing personal data on behalf of the organisation. The data fiduciary will need to amend third-party agreements and contracts with respect to their obligations, and connect with data processors to communicate their upcoming responsibilities and obligations with respect to the personal data they are handling on the data fiduciary’s behalf.

Implement measures to establish data protection mechanisms and design a data privacy compliance framework

  1. Design a data privacy framework which includes policies, processes, notices, consents and contractual clauses based on the requirements of the DPDP Act. To wholly comply with the act, organisations need to restructure their existing processes and technological solutions to ensure that data processing is limited to the purpose for which the data is being collected and that access to personal data is restricted to only those who need it.
  2. Design consent mechanisms based on application inventory gathered from earlier phases. Organisations will have to redesign their architecture to ascertain the data collection and processing touchpoints, and design and implement consent collection mechanisms during the personal data collection. One of the major impacts will be the processing of the personal data of children by e-commerce organisations, as the act has restricted profiling and use of targeted advertising in the case of children. Given that most children today use e-commerce applications, organisations will be required to identify children’s data and either exclude it from profiling or capture parental consent.
  3. Design data principal rights mechanisms to uphold the rights provided as per the provisions of the act. Prepare procedures to determine how a request from a data principal shall be accepted, validated and responded to and determine tools that can be leveraged to facilitate data principal rights management.
  4. Establish data breach notification and management mechanisms. Establish processes for data privacy breach management, including notifications to stakeholders (data principals, data protection board), in line with CERT-In requirements.
  5. Build privacy by design into e-commerce platforms and services and integrate it into the software development lifecycle. Organisations must ensure that they are establishing privacy controls at the design stage to mitigate risks to personal data.

Take next-level measures to ensure data protection and compliance with the DPDP Act

  1. Evaluate, agree upon and implement data privacy technologies that can be leveraged for data protection. Determine the privacy technology solutions that can be leveraged to address specific privacy needs, e.g. automating data principal rights, conducting data protection impact assessments and managing data breaches.
  2. Assess business, operational and legal requirements for personal data and define the data retention period for various categories of personal data.
  3. Implement appropriate technical and enterprise-level safeguards to ensure that personal data is protected from both external and internal threats.
  4. Reassess contracts and data-sharing processes to introduce changes related to management of data principal rights, including the right to erasure and data breach reporting.

In conclusion, data privacy is a significant issue today for consumers as well as organisations. Every high-profile data breach adds to the trust deficit and increases consumers’ concerns about the security and proper use of their personal information. Consumer data is the most valuable asset today. If used effectively and ethically within the bounds of regulations, it can help organisations in the e-commerce and services sector establish trust and transparency with their consumers, which in turn will help them achieve more sustainable and desirable growth.

Authors

Sundareshwar Krishnamurthy

Partner and Leader, Cybersecurity, PwC India


Anirban Sengupta

Partner and Leader, BRC Services, PwC India


Ankit Virmani

Partner, Cyber Security, PwC India


Heena Vazirani

Partner, BRC Services, PwC India
