India is eagerly awaiting a comprehensive data protection legislation since the Supreme Court’s landmark judgment delivered on 26 August, 2017 in the case: Justice KS Puttaswamy vs Union of India, which declared privacy as a fundamental right. It has taken India four years to draft the Personal Data Protection Bill. The monumental implications of such a legislation led the Joint Parliamentary Committee to present its report on the PDP Bill in December 2021, requesting changes. A new data privacy law is imminent. Even as the wheels of change are in motion, organizations are wondering what this expected law would mean for the ease of doing business.
In an interview with CXOToday, Rajkumar Manickam, Sales Director South Asia at Exterro, India, explores why businesses need the right tech stacks to ensure they can meet the compliance requirements when it comes to maintaining privacy — be it of customers or employees. Here are more details on how revolutionary legal GRC technologies are the talisman for complying with a complicated data privacy regime.
The Personal Data Protection Bill is likely to include norms on protecting personal and non-personal data of individuals. What are the challenges organizations are likely to face?
The Ministry of Electronics and Information Technology (MEITY) recently released a report on the “Non-Personal Data Governance Framework” for India. A precursor to the Personal Data Protection Bill, restrictions on usage of sensitive Non-Personal Data are expected. Theoretically, this is expected to build trust among stakeholders, since they will be able to see what kind of data is available for use. But it also comes with challenges as different industries and sectors have pre-existing regulations and compliance requirements. For instance, the regulatory requirements for various manufacturing sectors, the IT sector, or the BFSI sector are different. Understanding these regulatory requirements and how it intersects with the protection of non-personal data is critical. Technology makes the job easier as it is programmatically designed to be customized. Technology that is automated to identify the compliance requirements will help organizations follow necessary protocols. If organizations need to gear up to the upcoming legislation, investing in the right GRC tech can help them weather the storm.
What are the challenges of data localization? How can technology make this easier for organizations?
The need for enhancing data privacy protection is a distinct motivation for data localisation as arguably, it can help protect a person’s data privacy, to a degree. Data localization enables investigation of crimes too. During investigations, law enforcement agencies in one country will need access to payments data. If the data is stored abroad, it becomes harder to access the data, resulting in delays in solving crimes. But for organizations to begin the process of localization, they need full visibility of the data they hold. Organizations need to know what data they hold, where it is located and who can access it. Only when this visibility is achieved can the process of localization begin. Technology paves the way for ease. Automated tools that provide visibility will enable organizations to begin this process seamlessly.
What can organizations in India do to gear up for the upcoming legislation?
When GDPR came into being, organizations had access to its draft two years ahead. There was ample amount of time for organizations to prepare. But for China’s PIPL, the government gave organizations one month to implement the policy. Considering the fact that the PDPB is being revised, we cannot know what grace period the government will allow for organizations to prepare. But we know that a law regarding data privacy is imminent. So, organizations must begin by maintaining data hygiene. They need to first gain visibility of the data they hold, keep up to date with all the regulatory and compliance requirements and most importantly have a holistic data recovery plan in place.
For instance, if a customer requests the company to delete their data, organizations will have to know what data exists pertaining to the customer, where the data is located and who has access to it. Secondly, when the company is aware of the regulatory framework, it can determine whether there is legality in holding the data. This can be easily resolved with the right technology. Automated tools can not only provide visibility but information pertaining to the legalities involved in such requests.
Even in cases of a data breach, if organizations have maintained data hygiene, it becomes easier to act on disaster recovery plans as the companies would know which customers to inform without delays.
How can data discovery technology help organizations comply with privacy laws?
Data discovery is a process through which businesses collect data from a variety of sources and apply it to generate real business value. Businesses can benefit from data-driven decisions and share insights across departments in an agile manner, while propelling intelligent business strategies. In a digital-first world, organizations — both public and private use numerous softwares for seamless workflow. On an average, organizations use 100-150 cloud applications. Locating the data spread across the organization becomes the pain point. Data discovery tools improve business intelligence as it uses deep learning algorithms, data alerts, and artificial intelligence capabilities to create an inventory of the data, providing complete visibility and analysis into the compliance requirements. The technology sheds light into how long a particular set of data can be held and the legalities that allow organizations to retain it. Data discovery is the first step towards data protection and technology makes the job easier.
Organizations are demanding a new approach to consent and preference as they adapt to changes in browser technology and treat consent. How do organizations go about choosing the right technology to meet these demands?
The technology requirements for consent and preference management is changing and it requires organizations to deliver a more friendly consumer privacy experience. While determining which technology to use, organizations need to focus on improving the customer experience by seamlessly integrating consent into all communication channels — be it marketing automation, email, support, chat, and other systems that drive outbound communication. This requires technology that can be designed to be more responsive to customer choice.
