Indian organizations must strive to be a ‘privacy enabled enterprise’ and not just a ‘privacy compliant enterprise’: Manish Sehgal, Deloitte India
The Government of India has released a new draft of the Digital Personal Data Protection Bill 2022 for public consultation. Under the bill, the Centre has said that it would impose “heavy penalties” on parties for non-compliance. The bill proposes setting up a Data Protection Board of India to “determine non-compliance with provisions of this Act and impose a penalty under the provisions of this Act”. In case of a personal data breach, the Board can “direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals”. Express Computer spoke to Manish Sehgal, Partner, Risk Advisory, Deloitte India, about the implications of this bill and the level of awareness of data privacy in Indian enterprises.
Some edited excerpts:
In your view, from an overall perspective, what is the level of awareness for Indian enterprises on data privacy?
In short, the understanding and awareness of privacy amongst domestic businesses is at an early stage, but curiosity to learn about it is high, excluding MNC enterprises operating in India, which were exposed to privacy requirements much earlier because of their international affiliations, operations, etc. Advancements like the historic judgement of the Honourable Supreme Court of India declaring privacy a fundamental right, the introduction of GDPR by the EU in 2018, the evolution of draft privacy bills over the past year, etc., have made Indian enterprises keen to understand what is expected of them to address data privacy requirements.
What are some of the major gaps with respect to a data privacy strategy for Indian enterprises?
Appreciating the need to protect privacy is often noticed as a major gap. There is significant focus and interest in discussing ‘how’ to get compliant, whereas very limited discussions happen to understand the ‘what’ and ‘why’ part of it. Thus, the spotlight remains on becoming a ‘privacy compliant enterprise’ rather than being a ‘privacy enabled enterprise’.
Similarly, it is sometimes misunderstood that privacy is all about deploying a technology solution, which ignores the importance of first establishing the right foundation for a privacy program based on policy, processes, and governance structure. Technology solutions play an effective role in operationalizing such a program, but technology solutions alone may not get the desired results. Another gap that surfaces is the tendency to consider a set of people / professionals in an enterprise responsible for the success of the privacy program. However, in order to make the program really successful, it is crucial to make privacy everyone’s responsibility. A set of people may be designated to establish and run the privacy program; however, if the larger community at the enterprise doesn’t support it and take it as their responsibility, then the chances of its success are slim.
The new draft of the Digital Personal Data Protection Bill 2022 has been released for public consultation. Under the bill, the Centre said it would impose “heavy penalties” on the parties for non-compliance. What are the implications for Indian enterprises?
Penalties do bring seriousness to the discussion. The draft Bill proposes a penalty capped at Rs. 500 crore per instance and thus demands attention from enterprises. It’s recommended that enterprises build privacy into their operating DNA rather than just comply with the regulatory requirements to avoid such penalties. It will make enterprises wary of their data processing activities.
What are some of the recommended best practices that you advise enterprises to follow for ensuring that they are compliant with regulations?
The foremost advice would be that organizations should strive to be a ‘privacy enabled enterprise’ and not just a ‘privacy compliant enterprise’. Enterprises find it easier to keep pace with the changing and growing privacy regimes across the globe by basing their programs on principles (such as the Generally Accepted Privacy Principles) rather than creating a program specific to one regulation.
Such principles help organisations create a robust foundation which can be leveraged, with some customization, to adhere to the specific privacy regulations that may apply. There could be many such practices; a few are listed here:
• Privacy by Design – To ensure that privacy is embedded as a default in all systems and processes.
• Data Mapping – To help build the awareness of the personal data being held within an enterprise. Data maps or data inventory bring that awareness to an enterprise.
• Privacy governance framework – A privacy governance framework sets accountability for managing and running a privacy program within an organization. A framework makes it easier for all the stakeholders to understand their part in the bigger privacy picture.
• Data Processing / Handling – As a good practice, organizations may adopt privacy controls when handling data; this includes introducing privacy controls at the collection, storage, processing, and disposal stages.
• Data Integrity and Security – Having a security framework which embeds data privacy principles is important in the long run, and supports enterprises in processing personal data with integrity.