S3E10 | DPDPA Compliance for MNC Offices in India | #DPDPA #privacycast #mnc

00:00

[Music]

00:01

laughs

00:02

[Music]

00:21

welcome to privacy class season 3. in

00:24

today's podcast series we bring the best

00:27

privacy Minds to you from India right

00:30

nowadays we're talking about dpdpa and

00:32

that's why we brought none other than

00:34

Arya tripathi with us right she's a

00:36

partner at PSA and she also has is a

00:39

mondac thought leader awardee for India

00:41

she's a cipp a certified professional

00:45

comes with a lot of data protection

00:46

experience truly honored to have you

00:48

here Arya would like to quickly give an

00:50

introduction about yourself hi everyone

00:52

thank you Akash uh I think it's a

00:54

pleasure to actually talk about this

00:57

seminal law uh that India has witnessed

01:00

and even before the law came uh just

01:04

quick fun facts that there did exist a

01:07

set of rules which were quite

01:09

far-reaching often sideline and I think

01:12

I have been working in the Privacy space

01:15

for so long uh mostly in a cross-border

01:17

context so I'm happy to answer your very

01:21

very interesting questions which should

01:24

benefit the listeners around thank you

01:26

by the way guys Arya is also iepp Delhi

01:30

co-chair and I am a Bangalore coacher so

01:33

we keep catching up discussing thought

01:35

leadership right and we're doing events

01:36

so by the way we did a lot of events

01:38

together as well and that's where we

01:39

actually met online uh okay so

01:43

are listeners you know are now in

01:45

anxiety right because there is so much

01:47

of chaos outside in the market right

01:49

honestly every other article that I read

01:52

right I am not getting anything out of

01:54

it you know every other article somehow

01:56

I don't know right every other every day

01:58

there is a document that comes online

02:00

and I read some but I've stopped reading

02:02

now because there's a lot of right

02:04

so I kind of call thought leaders who

02:07

are actually more stuff to kind of tell

02:08

actually that to the point what are the

02:11

actual things that are going to happen

02:13

that are going to change so like a globe

02:15

data analytics company right now they

02:18

are doing business here in India right

02:20

and they are doing Global business right

02:22

so for them they have direct

02:24

interactions also with indirect

02:26

interactions also because they are just

02:28

they have back offices in India right

02:29

like if you look at uh any big company

02:32

in the world then major work is getting

02:34

done in India so what these DP DPA you

02:38

know compliances or regulation

02:41

Frameworks what do they have to do today

02:43

yeah

02:44

I wish I hear your question uh loud and

02:47

clear and I will divide it into two

02:49

parts uh let me just uh put you and

02:53

everybody who is listening at ease to

02:55

the fact that uh dpdp Act is new as a

03:01

law uh but a very old aged principle uh

03:05

that has been expanded upon okay uh

03:09

believe me when I say this

03:12

um today many of my existing clients

03:14

have just woken up and come to me and

03:17

said please tell me what I have to do

03:19

that's not the approach I will sincerely

03:22

request everyone to use this very

03:25

valuable time to understand what the law

03:28

is

03:29

implementation is a very different

03:30

aspect and dpdp act has not been

03:34

implemented yet it has become made to

03:38

the legislation book the official widget

03:40

but there would be a separate

03:42

commencement notification and it is

03:44

quite possible that this itself is going

03:46

to take in time I was having this

03:48

conversation with a younger lawyer who

03:50

wants to work with us uh and my question

03:53

to the person was which section in the

03:57

ACT do you think should be notified as

03:59

implemented in the very first instance

04:02

and the answer to that is the data

04:05

protection Board of India even before

04:08

businesses start getting worried what is

04:11

important to understand that this law

04:12

contemplates setting up a new regulator

04:14

an independent regulator called the data

04:17

protection Board of India what is the

04:18

role of the regulator the regulator is

04:20

responsible for implementation of them

04:22

so there are going to be staggered

04:24

approach towards implementation and

04:26

there is time I will not say there is a

04:28

lot of time but it is not a fire

04:31

emergency this is the right time to

04:33

invest in two processes one is advocacy

04:36

and sensitization and second is

04:40

evaluating the available

04:42

technology options that can be quickly

04:45

selected so what I have typically seen

04:48

Whenever there are discussions around

04:49

engaging a PE rule or a dsar software

04:53

tool so my only two cents here uh this

04:57

is the years of experience is that uh

04:59

having a law and its implementation are

05:02

two different things uh and what is this

05:05

time meant for is a good breath time to

05:08

see where we stand and understand the

05:11

law and evaluate some of the aspects key

05:14

being the cost that is required to

05:15

actually comply with the act as it

05:18

stands today now coming to your

05:20

illustrative case uh I think we'll take

05:22

a step back the dpdp ACT actually

05:25

applies to Indian foreign companies

05:28

alike

05:29

uh it is not dependent whether you are

05:32

registered or Incorporated in India so

05:34

there are two aspects if the processing

05:38

is happening within India you're very

05:41

much

05:42

doesn't matter if you are a global

05:43

analytics company who has a GIC here or

05:46

a data center out here if you're

05:49

processing in India as simple as even

05:51

having just a data server or a storage

05:52

you are covered now the extra

05:55

territorial application is where

05:57

somebody is processing outside India but

06:01

with the intent of providing goods or

06:04

services okay to somebody who is in

06:06

India now a global data analytics

06:09

company that is present in India and is

06:12

processing India is covered uh if even

06:15

if you were not present in India like

06:17

having a permanent establishment or a

06:19

branch office in India or a project

06:21

office in India and you want to actually

06:24

make sure that your data is getting

06:26

processed so if you're a controller or a

06:28

fiduciary outside India but say availing

06:31

SAS services in India it is possible

06:33

that you are covered interestingly

06:40

the first Wing is irrespective whether

06:42

you're Indian or not Indian whether you

06:44

are in India or not in India if you're

06:46

processing in India you are covered

06:48

there is one interesting exemptionary

06:51

section

06:52

of a U.S company comes back to India

06:56

gets processed in India right so then

06:58

what is the case do you think then our

07:00

law will apply or a U.S state law will

07:02

apply because the citizen data that is

07:04

here is for the U.S yeah uh first and

07:07

foremost whether U.S law will apply or

07:09

not will depend on the U.S law okay so

07:11

we will not comment on that but whether

07:13

Indian law will apply the answer is a

07:15

straightforward yes if you are

07:17

processing data that has come to India

07:19

and is being processed in India rest

07:22

assured whether it is the data of a U.S

07:24

citizen data of a U.S company doesn't

07:27

matter you are processing digital

07:29

personal data in India and you are

07:31

covered within the first direct

07:32

territorial agnostic

07:35

method of application this is a huge

07:38

difference from a gdpr yes right because

07:41

this is because if somebody is in Europe

07:43

and usually this doesn't happen right

07:45

usually most of the companies are in U.S

07:47

so a lot of times this question never

07:48

got erased but a lot of companies are in

07:51

India so if this is going to be a

07:53

problem right in terms of applicability

07:55

I think you know it's a this is

07:57

something I feel you know can create uh

08:00

Canada

08:01

while doing processing because this is

08:03

this is serious trouble for all the

08:05

companies because if some data is coming

08:06

back to see I get the point that if

08:09

somebody is in U.S right their data is

08:12

coming back to India and there is a

08:13

let's say California

08:15

so I I I'm with you right it makes a lot

08:18

of sense that CCP applies right when we

08:20

are processing in India but then again

08:23

I think that is a double application for

08:25

all of us and we should be really

08:26

careful about it I think what we did at

08:30

the time of formulation of the law what

08:31

happened were there there were different

08:33

permutation combinations uh say for

08:35

example gdpr has a concept of main

08:37

establishment uh what is the main

08:39

establishment and whether that is in EU

08:41

okay uh but even there the first leg

08:44

doesn't say that only a European company

08:46

has to comply with gdpr there also it

08:49

states that if you are processing data

08:51

within EU you need to comply

08:54

right that leaves the Ambit open and in

08:57

a very simplified way to determine who

09:00

all are covered uh what I think has

09:03

happened and which is a very right thing

09:05

to do is that what is the law trying to

09:08

regulate the law is actually trying to

09:10

regulate processing of personal data now

09:13

if the processing is happening in India

09:15

and this law went not applicable because

09:17

you are a foreign company or because you

09:19

are actually processing uh data of

09:21

somebody who's outside of India then

09:24

what are you you are letting go of a lot

09:26

of data that is being processed

09:28

completely unregulated uh look at it

09:31

from a perspective of also whether this

09:33

is going to benefit adequacy decisions

09:35

for India in favor of India I think

09:37

having a larger scope of application of

09:40

law uh itself takes us closer to the

09:43

adequacy Matrix of course there are gray

09:44

areas which we will not talk about right

09:46

now there's an important exception that

09:48

is there section 17 which has a list of

09:51

exemptions which says that if pursuant

09:53

to a contract an Indian processor is

09:56

actually processing data of a foreign

09:58

data fiduciary of people who are outside

10:01

of India this act may not apply right

10:04

but that is an exception so the income

10:07

rule as it stands today is that if you

10:10

are processing within the territory of

10:12

India irrespective whether you are a

10:14

fiduciary or processor in India or

10:17

whether the data belongs to a data

10:19

principle within India you are supposed

10:20

to uh expect that the dpdp ACT is going

10:23

to apply to you so what is also people

10:26

right now is you know most of the data I

10:28

won't say most of them along with a lot

10:30

of data in India is being processed by

10:33

the e-commerce platform right the boom

10:35

of internet in India I think the free

10:37

Wi-Fi that you know jio gave thank you

10:39

Ambani by the way so the free Wi-Fi that

10:41

we all got right it changed our world

10:43

right even in villages people are using

10:45

uh amazing applications like Flipkart

10:48

you know jio and and whatnot right

10:50

Amazon so what is going to change for

10:53

them because of dpdpa from consent

10:57

requirement perspective right because

10:59

now and also as you mentioned right a

11:01

consent requirement is not new because

11:03

it Act was already there and right to

11:05

privacy was already there right these

11:07

things are not new but governance was

11:09

not them and the problem was we did not

11:11

have a data protection authority so over

11:13

to you like how do you see consent

11:14

mechanism how do you relate it in terms

11:17

of governance which may happen down the

11:19

lines how do you relate to governance

11:21

and consent management that is going to

11:23

change for e-commerce

11:29

until you think you fit into the certain

11:31

legitimate use criteria of processing

11:33

which I believe is an exception Matrix

11:36

of processing and not the norm the norm

11:38

is consent so unlike a gdpr or a CCPA or

11:43

for that matter uh pdpa uh dpdp act

11:48

actually establishes that as of date for

11:51

India

11:52

consent of a certain kind is going to be

11:55

the sole and primary basis of processing

11:58

a lot needs to change in how this

12:01

consent is obtained uh how this consent

12:04

is managed how this consent is allowed

12:07

to be withdrawn and what are the rights

12:09

that flow out of a consent Matrix uh and

12:13

if I have to segregate into these four

12:15

buckets okay how consent is obtained how

12:18

it is managed how it is allowed to be

12:20

withdrawn and what are the rights I

12:22

think a lot of organizations and most

12:24

likely all the e-commerce platforms

12:26

would have to do a 360 degree overhaul

12:29

uh why I say this

12:31

I have seen in my uh professional

12:33

experience uh to have like some very

12:37

disturbing manners of obtaining consent

12:40

uh which uh I know I would be very

12:42

unpopular when this gets released but I

12:45

call them creeping functionalities okay

12:47

which actually means that the consent is

12:49

not free so the first requirement is

12:51

that it has to be free and for free

12:53

consent what is needed please we will

12:55

have to go back to understanding how a

12:57

contract is ever entered into everything

12:59

is established in a crystal clear

13:01

fashion you cannot have verbosity you

13:05

can't have all catch all languages uh

13:08

you cannot have non-data mapped uh

13:11

consent requirements you need to call

13:13

out that I am taking X data for y

13:16

purpose it is as specific as it gets and

13:19

gone are the days when a default setting

13:22

and opt-out consent mechanism was in

13:26

fashion or still is impassion this needs

13:28

to change it needs to move into an

13:30

opt-in fashion because now it has to be

13:32

through an affirmative action how do you

13:34

take an affirmative action a swipe uh

13:37

making sure that you take specific

13:39

consents on different different aspects

13:41

with different tick boxes that is how

13:44

you will obtain consent so I think we

13:47

need to understand that implementation

13:48

in India will be slightly or massively

13:51

different from implementation and other

13:53

jurisdictions a closer analysis would be

13:56

in Asian countries versus doing a

13:57

European country analysis and that I'm

13:59

saying this is the cultural underpinning

14:02

at the end of the day what is privacy

14:04

privacy is a part of a person's right

14:06

right it's a fundamental right it has to

14:09

be exercised by a person so if you ask

14:12

me Will consent be actually implemented

14:15

that's the intent but the implementation

14:17

will bring in a lot of cultural issues

14:19

basic question to a lot of people who

14:22

will be be attending this session uh do

14:25

you suffer consent fatigue have you ever

14:27

felt that you have not read what is

14:28

there in the consent form and still take

14:30

now if that is the conditioning that has

14:32

happened over years even if I give you a

14:35

specific consent the chances are you

14:37

will still suffer from consent uh also

14:39

you know moving on right moving on from

14:41

consent Right Moving On towards breach

14:44

fines right because find that something

14:46

that everybody's talking about right and

14:49

this is something that is also a great

14:50

motivator so if you look at gdpr

14:53

ordinance also happens you know by the

14:55

fines the governance happens by people

14:57

complaining and then the third

14:58

governance that happens by the DPO

15:00

himself right who's inside the

15:02

organization so now in India the

15:04

requirement for DPO is SDF for SDF

15:06

significant data protections and also

15:07

Independence is not mentioned so a lot

15:09

of people are also asking me whether a

15:11

CSO or general counsel can become DPO I

15:14

feel its answers yes should not be done

15:16

I feel the answer is yes what's your

15:18

take on that and how do you see the

15:20

fines in coming after this law finds

15:23

incoming a two things right two

15:25

questions yeah I'll take the first

15:27

question the second question first which

15:29

is on details okay this is a very

15:31

age-old debate and perhaps uh needs a

15:34

consorted approach whether a general

15:36

counsel or a director or a CEO can act

15:38

as BPO as per the construct of the dpdp

15:41

ACT Nothing Stops it if you're resident

15:43

in India and if you're accountable to

15:45

the board so clearly you are right that

15:47

there is no mandate for an independence

15:48

of the dto because they treat DPO as the

15:51

representative of the organization

15:53

rather than the gatekeeper for privacy

15:56

governance within the organization okay

15:57

so it's a diluted standard for DPO so uh

16:00

really I mean a general counselor or a

16:03

director or a CEO can pretty much act as

16:05

a leader okay and coming to fines uh I

16:09

go back to where we started and it

16:10

almost feels like this is a full circle

16:12

okay uh fine it there is no mincing of

16:15

words the Steep fines are only done with

16:18

an objective of deterrence okay the fact

16:22

that you will not comply with it till a

16:25

fine has been imposed is kind of not

16:27

just true for India it is seen

16:29

everywhere across the globe if you want

16:31

to bring in a new system of law you will

16:34

come up with these sort of fines because

16:35

the first big penalty that will get

16:38

levied uh will be the actual Awakening

16:41

moment for other organizations so the

16:43

idea is to create veterans uh the

16:46

process Still Remains a little evasive

16:48

but what I can tell is that

16:51

adding on to your point I think when I

16:54

started my career

16:55

I started in as an auditor yeah so we

16:58

had this you know two terminologies I'm

17:00

just adding on to your point and getting

17:01

some you know Masala to this so there

17:03

are two it's right it's called Tod and

17:06

toe right so Tod means system design and

17:10

toe means desktop implementation right

17:12

so now interestingly the Tod which is

17:14

the fix of policy so every other section

17:16

that I am having right now whenever I go

17:18

on a call the clinic always says okay

17:21

boss my privacy policy I have done

17:22

something fine so I am okay I'm good

17:25

okay there is nothing that I have to do

17:26

now so so I find it see again they need

17:30

to do this today there's no doubt about

17:31

it I'm not laughing on that approach but

17:33

end of day The implementation has to

17:35

come and that automation of responding

17:37

to a DSR right is something that is

17:40

going to make it Havoc for companies

17:42

which have customer data right b2c

17:44

that's that that's the beauty I'm

17:46

waiting for yeah yeah no I mean like you

17:49

said research or for that matter pets

17:52

these are Concepts that uh perhaps

17:54

Indian businesses will still find the

17:57

novelty okay let's just call it that way

18:00

uh what is this what is a these are even

18:02

questions can get asked I'm not saying

18:05

that we are not sophisticated people I

18:07

hope they won't written it like an RTI

18:09

right like DSR no no no but the point is

18:13

very simple that what is being proposed

18:16

cannot be done only through human

18:17

resources

18:19

on the same page I'm assuming uh if you

18:22

think that there will be one dpu is

18:23

going to be able to let you uh navigate

18:26

through this no you will have to speak

18:28

to tech people you will have to speak to

18:30

designers you will have to speak to a

18:33

cyber security officials you will have

18:35

to speak to a code of people like you

18:37

and also to me but the point is that

18:40

this is a collective exercise I think I

18:43

would like to end on this note uh there

18:45

is Need For Change of how you look at

18:47

this law if you look at this law as

18:49

compliance your approach will always be

18:51

that the tick box approach if you look

18:54

at this as a governance Centric law you

18:57

would realize that this law is actually

18:58

a very principal focused law susceptible

19:01

to sets of facts so your systems and

19:04

processes have to be adaptable cost

19:07

efficient and at the same time resilient

19:10

so quite a concerted effort is needed

19:13

and I think bpbi set up the first task

19:16

for the data protection Board of India

19:17

would be to spread the right kind of

19:19

awareness but privacy is a human right

19:24

and the human right has to be given so

19:27

please don't think that if you have a

19:29

framework you know that if you have a

19:32

framework or you know some some company

19:34

gave a framework to you that's not

19:35

that's not what it is about it's about a

19:37

human being whose data you're processing

19:40

and he will ask for his right so read it

19:42

differently this time right so just just

19:44

an advice to all the Cyber Security

19:46

Professionals and everybody who's

19:47

jumping on who's looking for a framework

19:49

on WhatsApp group right so I I wish you

19:52

all the luck I will also give you a

19:53

framework from Saro by the way right so

19:55

but don't you use it right right and

19:58

Arya also thanked you for educating all

20:01

of us I have one quick bonus question

20:03

for my listeners right so a lot of times

20:05

you know these college students are also

20:06

listening to us and people who want to

20:08

jump into privacy they are listening to

20:09

us how can they become privacy

20:12

professionals and how can become good

20:14

privacy professionals right do you have

20:16

anything for them right if you can

20:18

please my first and only tip is that

20:21

next time when you are signing up onto

20:23

an app going and visiting a website

20:25

please start reading the terms of use

20:27

and privacy policy and if you feel that

20:29

there is a surge of blood uh then you

20:33

are a natural at this you will be a

20:36

perfect fit uh don't start ticking

20:39

everywhere without reading what you're

20:40

signing up for free this reminds me of

20:42

quote nothing is free on internet your

20:44

data is the price that you pay to be

20:46

accessing internet and use it wisely

20:48

that's also a problem

20:50

and thank you for joining in and it's a

20:53

pleasure speaking to you and I feel like

20:55

you actually know a lot and I think we

20:57

should do a series of this right where

20:59

you can actually you know tell people on

21:01

how to do this we are we are

21:03

implementers right so and we are

21:05

implementing but you know coming these

21:07

things from you as to you know building

21:08

our Frameworks always helps all of us

21:11

down the line in our Even in our

21:13

consulting services in our training

21:14

services so thank you for joining in and

21:17

I wish you all the luck and all the best

21:18

do you want to say anything to our

21:20

listeners before we close this I think

21:22

this is interesting time uh not just for

21:24

businesses but everyone I think we

21:27

should be celebrating the fact that now

21:29

we have a law and the with caution we

21:32

should start actually looking forward to

21:34

a more informed Society uh I guess

21:37

you're doing fantastic work uh thank you

21:39

for giving me an opportunity to voice my

21:41

thoughts uh I'm sure that we will have

21:44

some blocks but we will always surpass

21:46

them yeah so we've already passed them

21:49

and here we are and I wish you all the

21:52

luck and all the best and guys if you

21:53

want to follow uh Arya or reach out to

21:55

her uh her LinkedIn would be in the

21:58

comments or in in the description and

22:01

even mine so and I will see you in the

22:03

next podcast I'll get something more

22:05

interesting for you next time so you

22:07

know subscribe to us right and have a

22:09

nice day guys

22:10

bye-bye