By Aditya Malik, Founder & CEO, ValueMatrix and Mentor – DeepTech Club at Nasscom
With the recent enforcement of the Digital Personal Data Protection Act 2023, companies know how to ethically procure and use user information and promise the right to data privacy in both physical and virtual worlds. After half a decade now, we have it in the flesh, highlighting various guidelines for companies on how user information must be handled ethically. The whole idea is to have a balanced approach to cater to both the user’s rights to personal data protection and the governmental and organisational need to process data for lawful purposes.
One can safely say that the Digital Personal Data Protection Act 2023’s main focus is to bring transparency. Many aspects of the law assure the users, especially those who naturally would develop concerns over their data being handled by private organisations and governmental bodies. Data should be used only for the particular purpose to which the user had given consent, and it can only be kept for the required period. Therefore, there is now a huge pressure on data acquirers to be wholly accountable for data breaches or mishandling. This accountability is spread across almost all sectors since the use of technology is widespread and pervasive. But there is one which might attract the most attention and concerns: The HR Technology space!
With respect to HR Tech Platforms:
Looking at it from an HRTech platform POV, there is a huge pile of personal information at their disposal as heaps of resumes and CVs are collected on an hourly basis. With the DPDP law passed, data privacy is now a bigger concern than before.
According to a Glassdoor survey, companies receive an average of 250 resumes for a job opening, and only one gets selected. What happens to the data of the remaining 249? And since the numbers have reached somewhere around a few thousand, in today’s scenario as we speak, one can only imagine the gargantuan size of redundant digital personal data that rests in the hands of these companies.
Neutralising Concerns:
Amidst the dunes of worries, lets throw some light on the oasis of comfort to prove that the data is safer than expected. First off, HR Tech companies principally act as data processors and, therefore, must comply with data security and safeguarding requirements. All the processes must also provide solutions for the deletion of personal data after completion of the purpose. No personal data can be retained after the objective is completed or where deletion is specifically requested on withdrawal of consent.
Also, data collection will have to be limited to data needed for the specific purpose, and data that is not related cannot be collected. When it comes to overseas transfer, data cannot be moved to countries where the Government restricts storage. Additionally, any specific guidelines of sectoral regulators will have to be complied with.
To clear the air of any apprehension, an officer will have to be appointed to answer any queries or grievances arising from personal data; this would act as a human-touch element and provide even more comfort to people. Looking from other angles, the exemptions for startups can be notified by the Government; and we will have to wait and see the kind of exemptions that are announced, if any.
Conclusion
It is quite natural to have doubts and feel anxious about our personal data being circulated without us being able to track each and every step of it. Still, as responsible entities, data acquirers can always take initiatives to spread awareness of the privacy and security measures they bring to keep their processes transparent and devoid of unethical breaches, external or internal.