As you step into the digital labyrinth of data protection, imagine for a moment that you, as an in-house counsel, are the guardian of secrets in a high-tech fortress, entrusted with the task of defending the treasure trove of personal information from the relentless onslaught of data marauders!
So, what will be your various lines of defence, and how will you prepare your organisation to ensure compliance with the newly passed Digital Personal Data Protection Act 2023?
The answer may not be so simple, but in-house counsels will fare well if they have a carefully considered strategy to map out their responsibilities and are thorough while engineering an effort towards organisational compliance with the DPDP Act. The ultimate aim should be to develop a privacy by design discipline for the organisation. Privacy by design is a concept which emphasises that privacy practices are proactive not reactive, privacy is the default setting in the technology and the data principals benefit from end-to-end security of their data while being able to enjoy full transparency on how, by default, the technology monitors and protects their data.
The following are some of the key tasks for an in-house counsel that can help streamline the efforts towards a robust privacy compliance mechanism:
The first task is to identify and put in place policies and procedures that are thoroughly vetted by privacy experts on how the data will be managed and governed at an organisational level. This will set out the roadmap for a data mapping exercise, how data will be classified, taking inventory of the current processes through which data is collected, and putting in place a data lifecycle management process for the data that is retained. This will call for collaboration with other departments in the organisation, including gathering information from the product team and IT and Security teams and using this information to formulate a code of conduct for handling data by the various actors in the organisation.
DATA INVENTORY, DATA CLASSIFICATION AND DATA FLOW MAPPING
A heat map which maps out the highest risk sensitive personal data to low-risk non-personal information will be a good place to start when data inventory exercises are put in place. The main job of a data inventory exercise is to categorise data as personally identifiable information, financial information, geo-location, biometrics, etc., as well what can be considered as non-personal data. The next step is to classify the data in a manner which enlists the level of authorisations needed to access that data, i.e., confidential, top secret, secret data and restricting access controls basis such classification. This classification will also form the baseline for adopting cybersecurity practices around personal data, i.e., what will require the highest level of security and restrictive access controls as opposed to which data will have a lesser degree of confidentiality requirements. Finally, a data flow mapping exercise needs to be undertaken to understand the treatment of data in use, the treatment of data at rest and how the data is disposed once the “purpose” for which data had been collected is exhausted.
CYBERSECURITY MEASURES/CERTIFICATIONS, INCIDENT RESPONSE PREPAREDNESS AND CERTIFICATIONS
The final step will be to utilise the heat map outlined above to identify and guard against vulnerabilities and build strong defence capability that protects against any compromise of data. The best way forward, is to carefully study the various standardised certifications (ISO27001, Trust Arc Privacy certification, to name a few) that are available that help diligence and evaluate the existing technology and reveal system-wide vulnerabilities while providing risk mitigation strategies against organised attacks against critical infrastructure.
In conclusion, an in-house counsel has a paramount role towards data stewardship while developing ethical practices and principles for data governance at an organisational level. By staying proactive, informed, and committed, an in-house counsel can help build technologies that ultimately safeguard the very essence of trust in the digital world.
ABOUT THE AUTHOR
Ishita Shome is the Head of Legal at Indihood, and heads the legal efforts for the company to contribute in its mission to empower communities and combat poverty through technology. She has years of global expertise in corporate and technology laws, specialising in data protection and technology matters, venture capital, corporate governance, and tech M&A. She is dual-qualified to practice law in both New York and in India.
ALB is soliciting articles from in-house counsel based in India for its bi-monthly e-magazine. For submission guidelines, email firstname.lastname@example.org.