S3E10 | DPDPA Compliance for MNC Offices in India | #DPDPA #privacycast #mnc
Summary
TL;DR: In this Privacy Class podcast, Arya Tripathi, a partner at PSA and a data protection expert, discusses India's Digital Personal Data Protection Act (DPDPA). She clarifies misconceptions, emphasizing that while the Act is new, its principles are well established. Tripathi advises businesses to understand the law and evaluate technology options for compliance. She also addresses the Act's extraterritorial application, the role of the Data Protection Board of India, and the importance of consent management. Tripathi stresses the need for a cultural shift towards privacy as a fundamental right and the collective effort required for effective implementation.
Takeaways
- 📚 Arya Tripathi, a partner at PSA and a thought leader in data protection, emphasizes the importance of understanding the DPDP Act, even though it has not yet been fully implemented.
- 🌐 The DPDP Act applies to both Indian and foreign companies, focusing on data processing within India, regardless of whether the data subjects are Indian or not.
- 🏢 Arya advises businesses to use the current time to understand the law and evaluate technology options for compliance, rather than rushing into implementation.
- 🔑 The establishment of the Data Protection Board of India is a key aspect of the DPDP Act, which will oversee the implementation and regulation of data protection.
- 🔄 Arya highlights the need for a staggered approach to implementation, allowing businesses to prepare and adapt to the new regulations.
- 🚫 The DPDP Act includes exemptions for certain types of data processing, such as when an Indian processor handles data on behalf of a foreign entity, which may not fall under the Act's purview.
- 💡 Arya stresses the importance of consent management, suggesting that the current methods of obtaining consent may need to change to meet the Act's requirements.
- 💼 The role of the Data Protection Officer (DPO) is discussed, with Arya suggesting that while the Act does not mandate independence, it is advisable for the DPO to have a clear focus on privacy governance.
- 💰 The potential for steep fines under the DPDP Act is mentioned as a deterrent for non-compliance, indicating the seriousness with which the law should be approached.
- 👥 Arya calls for a collective effort in understanding and implementing the DPDP Act, involving various stakeholders within an organization, from tech personnel to legal advisors.
Q & A
What is the primary focus of the DPDP Act?
- The primary focus of the DPDP Act is to regulate the processing of personal data within India, ensuring data protection and privacy rights for individuals.
Who is Arya Tripathi and what is her role in the privacy domain?
- Arya Tripathi is a partner at PSA, a Mondaq Thought Leader awardee for India, and a CIPP certified professional with extensive experience in data protection. She has been working in the privacy space, particularly in a cross-border context.
What is the current status of the DPDP Act in India?
- At the time of the podcast, the DPDP Act has been legislated but not yet implemented. A separate commencement notification is expected, which might take some time.
What is the role of the Data Protection Board of India according to the DPDP Act?
- The Data Protection Board of India is the independent regulator contemplated by the DPDP Act, responsible for the implementation of the law, including setting regulations and guidelines for data protection.
How does the DPDP Act apply to foreign companies processing data in India?
- The DPDP Act applies to both Indian and foreign companies, irrespective of whether they are registered or incorporated in India, as long as the data processing is happening within India.
What are the implications of the DPDP Act for global data analytics companies operating in India?
- Global data analytics companies operating in India must comply with the DPDP Act if they are processing data within India, even if they are not physically present in the country through a permanent establishment or branch office.
How does the DPDP Act handle data processing involving U.S. citizens' data processed in India?
- The DPDP Act applies to any data processing happening in India, regardless of whether the data belongs to a U.S. citizen or company, so such data is covered under the Act's provisions.
What changes are expected for e-commerce platforms in India due to the DPDP Act?
- E-commerce platforms will need to overhaul their consent mechanisms, making them more specific, freely given, and revocable. They will also need to ensure that consent is obtained through affirmative actions and not default settings.
What is the significance of the fines mentioned in the DPDP Act?
- The fines under the DPDP Act are steep and intended to act as a deterrent, compelling organizations to comply with the law. The imposition of fines is expected to be a significant motivator for compliance.
What is the role of a Data Protection Officer (DPO) under the DPDP Act?
- A DPO under the DPDP Act is responsible for ensuring compliance with data protection regulations within an organization. While the Act does not mandate independence for the DPO, it is advisable for the role to be distinct from other executive functions to maintain objectivity.
How can individuals become privacy professionals in the era of the DPDP Act?
- Individuals can become privacy professionals by developing a deep understanding of data protection laws, starting with critically reading the terms of use and privacy policies of the platforms and services they sign up for.
Outlines
📚 Introduction to Privacy Class Season 3
The script introduces Privacy Class Season 3, a podcast series featuring leading privacy experts from India. The guest for this episode is Arya Tripathi, a partner at PSA and a thought leader in data protection. She is also a certified privacy professional with extensive experience in privacy matters. The host, Akash, and Arya discuss the recent developments in India's data protection landscape, particularly the DPDP Act. Arya emphasizes the importance of understanding the law and its implications rather than panicking, and mentions her role as co-chair of IAPP Delhi and her collaboration with Akash on various events.
🌐 Global Impact of the DPDP Act
Arya explains that the DPDP Act applies to both Indian and foreign companies, regardless of whether they are registered in India. She outlines the territorial scope of the Act, which includes data processing within India and extraterritorially when targeting Indian residents. Arya discusses the potential challenges for global companies, especially those based in the US, in complying with both Indian and US data protection laws when their data processing activities involve India. She stresses that the law aims to regulate the processing of personal data and that companies need to be aware of the Act's broad application.
🛒 E-commerce and Consent under the DPDP Act
The conversation shifts to the impact of the DPDP Act on e-commerce platforms in India, which have seen significant growth, especially with the spread of cheap internet access through services like Jio. Arya discusses the changes in consent requirements, emphasizing that consent must be freely given, specific, and obtained through affirmative actions. She criticizes current practices of obtaining consent, such as 'creeping functionalities,' and suggests that e-commerce platforms will need to overhaul their consent mechanisms to comply with the new law.
💼 The Role of the DPO and the Implications of Fines
Arya and Akash discuss the role of the Data Protection Officer (DPO) under the DPDP Act, with Arya noting that there is no requirement for the DPO to be independent, unlike under the GDPR. She suggests that a general counsel or CEO could serve as a DPO. The discussion then turns to fines, which Arya sees as a deterrent to ensure compliance with the Act. She explains that fines are meant to create awareness and change behavior, and that the first significant penalty will likely be a wake-up call for organizations.
🎓 Advice for Aspiring Privacy Professionals
In the final part of the script, Arya offers advice to those interested in becoming privacy professionals, suggesting that they start by reading terms of service and privacy policies critically. She emphasizes the importance of understanding that nothing is free on the internet, and that personal data is the currency for accessing online services. Akash thanks Arya for her insights and discusses the potential for future episodes to delve deeper into privacy topics. Arya expresses optimism about the future of privacy in India and encourages listeners to be informed and proactive about their data rights.
Keywords
💡DPDPA
💡Data Protection Board of India
💡Cross-border context
💡Data fiduciary
💡Consent
💡Data processing
💡Data subject
💡Privacy policy
💡Data protection officer (DPO)
💡Fines
💡Data breach
Highlights
Introduction to the podcast series on privacy with a focus on the DPDP Act in India.
Arya Tripathi, a partner at PSA and a thought leader in data protection, joins the podcast.
Discussion on the DPDP Act's implications for businesses operating in India, including global data analytics companies.
The DPDP Act is new but builds upon long-standing principles of data protection.
The Act has not been fully implemented yet, providing a window for businesses to prepare.
The establishment of a new regulator, the Data Protection Board of India, is a key aspect of the DPDP Act.
The DPDP Act applies to both Indian and foreign companies processing data in India.
Extraterritorial application of the DPDP Act affects companies processing data outside India intended for Indian users.
The Act's broad scope is crucial for regulating data processing and potentially benefiting India's adequacy decisions.
E-commerce platforms in India will need to overhaul their consent mechanisms due to the DPDP Act.
Consent under the DPDP Act must be freely given, specific, and obtained through affirmative actions.
The cultural implications of consent in the Indian context and the challenges of implementing a Western model.
The role of the Data Protection Officer (DPO) under the DPDP Act and the debate over their independence.
The potential for steep fines under the DPDP Act as a deterrent for non-compliance.
The importance of system design and desktop implementation in preparing for the DPDP Act.
The collective effort required for businesses to adapt to the new law, involving various stakeholders.
Advice for aspiring privacy professionals to start by critically reading terms of use and privacy policies.
Closing thoughts on the importance of viewing the DPDP Act as a governance-centric law focused on human rights.
Transcripts
[Music]
[laughs]
[Music]

Akash: Welcome to Privacy Class Season 3. In today's podcast series we bring the best privacy minds to you from India. Nowadays we're talking about DPDPA, and that's why we brought none other than Arya Tripathi with us. She's a partner at PSA, she is also a Mondaq Thought Leader awardee for India, she's a CIPP/A certified professional and comes with a lot of data protection experience. Truly honored to have you here, Arya. Would you like to quickly give an introduction about yourself?

Arya: Hi everyone, thank you Akash. I think it's a pleasure to actually talk about this seminal law that India has witnessed. Even before the law came, just a quick fun fact: there did exist a set of rules which were quite far-reaching, often sidelined. I have been working in the privacy space for so long, mostly in a cross-border context, so I'm happy to answer your very, very interesting questions, which should benefit the listeners around.

Akash: Thank you. By the way guys, Arya is also IAPP Delhi co-chair and I am a Bangalore co-chair, so we keep catching up, discussing thought leadership, and we're doing events. By the way, we did a lot of events together as well, and that's where we actually met online. Okay, so our listeners, you know, are now in anxiety, because there is so much chaos outside in the market. Honestly, every other article that I read, I am not getting anything out of it. You know, every other day there is a document that comes online, and I read some, but I've stopped reading now because there's a lot of, right. So I kind of call thought leaders who are actually more stuff, to kind of tell, to the point, what are the actual things that are going to happen, that are going to change. So take a global data analytics company: right now they are doing business here in India, and they are doing global business. So for them they have direct interactions and also indirect interactions, because they have back offices in India. If you look at any big company in the world, major work is getting done in India. So what do these DPDPA compliances or regulation frameworks mean for them, what do they have to do today?

Arya: Yeah.
Arya: I hear your question loud and clear, and I will divide it into two parts. Let me just put you and everybody who is listening at ease with the fact that the DPDP Act is new as a law, but it is a very old-aged principle that has been expanded upon. Believe me when I say this: today many of my existing clients have just woken up and come to me and said, please tell me what I have to do. That's not the approach. I will sincerely request everyone to use this very valuable time to understand what the law is. Implementation is a very different aspect, and the DPDP Act has not been implemented yet. It has made it to the legislation book, the official gazette, but there would be a separate commencement notification, and it is quite possible that this itself is going to take time. I was having this conversation with a younger lawyer who wants to work with us, and my question to the person was: which section in the Act do you think should be notified as implemented in the very first instance? And the answer to that is the Data Protection Board of India. Even before businesses start getting worried, what is important to understand is that this law contemplates setting up a new regulator, an independent regulator called the Data Protection Board of India. What is the role of the regulator? The regulator is responsible for implementation of the Act. So there is going to be a staggered approach towards implementation, and there is time. I will not say there is a lot of time, but it is not a fire emergency. This is the right time to invest in two processes: one is advocacy and sensitization, and the second is evaluating the available technology options that can be quickly selected. So what I have typically seen, whenever there are discussions around engaging a PE rule or a DSAR software tool, my only two cents here, and this is years of experience, is that having a law and its implementation are two different things. What this time is meant for is a good breathing time to see where we stand, understand the law, and evaluate some of the aspects, key being the cost that is required to actually comply with the Act as it stands today.

Now coming to your illustrative case, I think we'll take a step back. The DPDP Act actually applies to Indian and foreign companies alike; it is not dependent on whether you are registered or incorporated in India. So there are two aspects. If the processing is happening within India, you're very much... doesn't matter if you are a global analytics company who has a GIC here or a data center out here; if you're processing in India, as simple as even having just a data server or a storage, you are covered. Now the extraterritorial application is where somebody is processing outside India but with the intent of providing goods or services to somebody who is in India. Now a global data analytics company that is present in India and is processing in India is covered. Even if you were not present in India, like having a permanent establishment or a branch office in India or a project office in India, and you want to actually make sure that your data is getting processed, so if you're a controller or a fiduciary outside India but, say, availing SaaS services in India, it is possible that you are covered. Interestingly, the first wing is irrespective of whether you're Indian or not Indian, whether you are in India or not in India: if you're processing in India you are covered. There is one interesting exemptionary section...
Akash: ...of a U.S. company comes back to India, gets processed in India, right? So then what is the case, do you think? Then will our law apply, or will a U.S. state law apply, because the citizen data that is here is for the U.S.?

Arya: Yeah. First and foremost, whether U.S. law will apply or not will depend on the U.S. law, so we will not comment on that. But whether Indian law will apply, the answer is a straightforward yes. If you are processing data that has come to India and is being processed in India, rest assured, whether it is the data of a U.S. citizen or data of a U.S. company doesn't matter: you are processing digital personal data in India and you are covered within the first direct, territorial-agnostic method of application.

Akash: This is a huge difference from the GDPR, yes, right? Because if somebody is in Europe... usually this doesn't happen, right? Usually most of the companies are in the U.S., so a lot of times this question never got raised. But a lot of companies are in India, so this is going to be a problem in terms of applicability. I think this is something I feel can create Canada while doing processing, because this is serious trouble for all the companies. Because if some data is coming back... see, I get the point that if somebody is in the U.S., their data is coming back to India and there is, let's say, California... so I'm with you, it makes a lot of sense that CCPA applies when we are processing in India, but then again I think that is a double application for all of us, and we should be really careful about it.

Arya: I think what we did at the time of formulation of the law, what happened was there were different permutations and combinations. Say, for example, GDPR has a concept of main establishment: what is the main establishment, and whether that is in the EU. But even there, the first leg doesn't say that only a European company has to comply with GDPR; there also it states that if you are processing data within the EU you need to comply. That leaves the ambit open and, in a very simplified way, determines who all are covered. What I think has happened, and which is a very right thing to do, is: what is the law trying to regulate? The law is actually trying to regulate processing of personal data. Now if the processing is happening in India and this law were not applicable because you are a foreign company, or because you are actually processing data of somebody who's outside of India, then what are you doing? You are letting go of a lot of data that is being processed, completely unregulated. Look at it also from the perspective of whether this is going to benefit adequacy decisions for India, in favor of India. I think having a larger scope of application of the law itself takes us closer to the adequacy matrix. Of course there are gray areas which we will not talk about right now. There's an important exception that is there: Section 17, which has a list of exemptions, which says that if, pursuant to a contract, an Indian processor is actually processing data of a foreign data fiduciary, of people who are outside of India, this Act may not apply. But that is an exception. So the rule as it stands today is that if you are processing within the territory of India, irrespective of whether you are a fiduciary or processor in India, or whether the data belongs to a data principal within India, you are supposed to expect that the DPDP Act is going to apply to you.

Akash: So what is also, people right now, is, you know, most of the data... I won't say most of it, but a lot of data in India is being processed by the e-commerce platforms. The boom of the internet in India, I think, the free Wi-Fi that Jio gave (thank you Ambani, by the way), the free Wi-Fi that we all got changed our world. Even in villages people are using amazing applications like Flipkart, you know, Jio, and whatnot, Amazon. So what is going to change for them because of DPDPA from a consent requirement perspective? Because, as you mentioned, a consent requirement is not new, because the IT Act was already there and the right to privacy was already there. These things are not new, but governance was not there, and the problem was we did not have a data protection authority. So over to you: how do you see the consent mechanism, how do you relate it in terms of governance which may happen down the line, how do you relate governance and consent management that is going to change for e-commerce?
Arya: ...until you think you fit into the certain legitimate use criteria of processing, which I believe is an exception matrix of processing and not the norm. The norm is consent. So unlike GDPR or CCPA or, for that matter, PDPA, the DPDP Act actually establishes that, as of date, for India, consent of a certain kind is going to be the sole and primary basis of processing. A lot needs to change in how this consent is obtained, how this consent is managed, how this consent is allowed to be withdrawn, and what are the rights that flow out of a consent matrix. If I have to segregate into these four buckets (how consent is obtained, how it is managed, how it is allowed to be withdrawn, and what are the rights), I think a lot of organizations, and most likely all the e-commerce platforms, would have to do a 360-degree overhaul. Why I say this: I have seen in my professional experience some very disturbing manners of obtaining consent, which, I know, I would be very unpopular when this gets released, but I call them creeping functionalities, which actually means that the consent is not free. So the first requirement is that it has to be free, and for free consent what is needed? Please, we will have to go back to understanding how a contract is ever entered into: everything is established in a crystal clear fashion. You cannot have verbosity, you can't have catch-all language, you cannot have non-data-mapped consent requirements. You need to call out that I am taking X data for Y purpose; it is as specific as it gets. Gone are the days when a default setting and opt-out consent mechanism was in fashion, or still is in fashion. This needs to change; it needs to move into an opt-in fashion, because now it has to be through an affirmative action. How do you take an affirmative action? A swipe, making sure that you take specific consents on different aspects with different tick boxes. That is how you will obtain consent. So I think we need to understand that implementation in India will be slightly or massively different from implementation in other jurisdictions. A closer analysis would be with Asian countries versus doing a European country analysis, and I'm saying this because of the cultural underpinning. At the end of the day, what is privacy? Privacy is a part of a person's rights; it's a fundamental right, it has to be exercised by a person. So if you ask me, will consent be actually implemented? That's the intent, but the implementation will bring in a lot of cultural issues. Basic question to a lot of people who will be attending this session: do you suffer consent fatigue? Have you ever felt that you have not read what is there in the consent form and still ticked? Now if that is the conditioning that has happened over years, even if I give you a specific consent, the chances are you will still suffer from consent...
Akash: Also, you know, moving on from consent, moving on towards breach fines, because fines are something that everybody's talking about, and this is something that is also a great motivator. So if you look at GDPR, governance also happens, you know, by the fines; the governance happens by people complaining; and then the third governance happens by the DPO himself, who's inside the organization. So now in India the requirement for a DPO is for SDFs, significant data fiduciaries, and also independence is not mentioned. So a lot of people are also asking me whether a CSO or general counsel can become DPO. I feel the answer is yes, should not be done, I feel the answer is yes. What's your take on that, and how do you see the fines coming after this law, fines incoming?

Arya: Two things, right, two questions. Yeah, I'll take the second question first, which is on details. Okay, this is a very age-old debate and perhaps needs a concerted approach: whether a general counsel or a director or a CEO can act as DPO. As per the construct of the DPDP Act, nothing stops it, if you're resident in India and if you're accountable to the board. So clearly you are right that there is no mandate for independence of the DPO, because they treat the DPO as the representative of the organization rather than the gatekeeper for privacy governance within the organization. So it's a diluted standard for DPO. So really, I mean, a general counsel or a director or a CEO can pretty much act as a leader. And coming to fines, I go back to where we started, and it almost feels like this is a full circle. Fines: there is no mincing of words, the steep fines are only done with an objective of deterrence. The fact that you will not comply with it till a fine has been imposed is not just true for India; it is seen everywhere across the globe. If you want to bring in a new system of law you will come up with these sorts of fines, because the first big penalty that will get levied will be the actual awakening moment for other organizations. So the idea is to create deterrence. The process still remains a little evasive, but what I can tell is that...
Akash: Adding on to your point, I think when I started my career, I started as an auditor. So we had these two terminologies. I'm just adding on to your point and getting some, you know, masala to this. So there are two: it's called TOD and TOE. TOD means system design and TOE means desktop implementation. So now, interestingly, TOD, which is the fix of policy: every other session that I am having right now, whenever I go on a call, the client always says, okay boss, my privacy policy, I have done something, fine, so I am okay, I'm good, there is nothing that I have to do now. So I find it... see, again, they need to do this today, there's no doubt about it, I'm not laughing at that approach, but at the end of the day the implementation has to come, and that automation of responding to a DSR is something that is going to make havoc for companies which have customer data, B2C. That's the beauty I'm waiting for.

Arya: Yeah, yeah. No, I mean, like you said, DSR or, for that matter, PETs: these are concepts that perhaps Indian businesses will still find novelty in, okay, let's just call it that way. What is this, what is a DSR, these are even questions that can get asked. I'm not saying that we are not sophisticated people.

Akash: I hope they won't write it like an RTI, right, like a DSR.

Arya: No, no, no. But the point is very simple: what is being proposed cannot be done only through human resources.
Arya: On the same page, I'm assuming. If you think that there will be one DPO who is going to be able to let you navigate through this: no, you will have to speak to tech people, you will have to speak to designers, you will have to speak to cyber security officials, you will have to speak to a code of people like you and also to me. But the point is that this is a collective exercise. I think I would like to end on this note: there is need for change in how you look at this law. If you look at this law as compliance, your approach will always be the tick-box approach. If you look at this as a governance-centric law, you would realize that this law is actually a very principle-focused law, susceptible to sets of facts, so your systems and processes have to be adaptable, cost efficient, and at the same time resilient. So quite a concerted effort is needed, and I think, with the DPBI set up, the first task for the Data Protection Board of India would be to spread the right kind of awareness. But privacy is a human right, and the human right has to be given.

Akash: So please don't think that if you have a framework, you know, or some company gave a framework to you, that's what it is about. It's about a human being whose data you're processing, and he will ask for his right. So read it differently this time. So just an advice to all the cyber security professionals and everybody who's jumping on, who's looking for a framework on a WhatsApp group: I wish you all the luck. I will also give you a framework, from Saro by the way, but don't you use it. And Arya, also thank you for educating all of us. I have one quick bonus question for my listeners. A lot of times, you know, college students are also listening to us, and people who want to jump into privacy are listening to us. How can they become privacy professionals, and how can they become good privacy professionals? Do you have anything for them, if you can please?

Arya: My first and only tip is that next time when you are signing up onto an app, going and visiting a website, please start reading the terms of use and privacy policy, and if you feel that there is a surge of blood, then you are a natural at this, you will be a perfect fit. Don't start ticking everywhere without reading what you're signing up for for free. This reminds me of a quote: nothing is free on the internet; your data is the price that you pay to be accessing the internet, so use it wisely.

Akash: That's also a problem.
Akash: And thank you for joining in. It's a pleasure speaking to you, and I feel like you actually know a lot, and I think we should do a series of this where you can actually, you know, tell people how to do this. We are implementers, and we are implementing, but, you know, these things coming from you as to building our frameworks always helps all of us down the line, even in our consulting services, in our training services. So thank you for joining in, and I wish you all the luck and all the best. Do you want to say anything to our listeners before we close this?

Arya: I think this is an interesting time, not just for businesses but for everyone. I think we should be celebrating the fact that now we have a law, and with caution we should start actually looking forward to a more informed society. I guess you're doing fantastic work. Thank you for giving me an opportunity to voice my thoughts. I'm sure that we will have some blocks, but we will always surpass them.

Akash: Yeah, so we've already passed them and here we are, and I wish you all the luck and all the best. And guys, if you want to follow Arya or reach out to her, her LinkedIn would be in the comments or in the description, and even mine. So I will see you in the next podcast. I'll get something more interesting for you next time, so, you know, subscribe to us, and have a nice day guys. Bye-bye.