How businesses can comply with, and benefit from the Personal Data Protection Bill
The government’s new IT Rules are in the eye of a huge storm after a standoff with social media giants. However, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, notified on February 25 under the IT Act, 2000, are just one part of the entire Personal Data Protection Bill.
The larger Bill tabled in Parliament has implications not only for social media companies, but also for marketers, broadcasters, research companies and any corporate that collects or deals with the personal data of individuals. So how can marketers gear up to meet these new guidelines?
The three key terms in the Bill are data principal, data fiduciary and data processor. So, if a marketing company is running a promotional campaign, and an agency collects my personal data on their behalf, the marketing company is the data fiduciary, the agency is the data processor and I am the data principal.
The Bill is based on broadly seven key principles related to the privacy of an individual, as enumerated by the Justice Srikrishna committee.
Technology agnosticism: The law should have enough flexibility to take into account changing technologies and standards of compliance.
Holistic application: It must be applicable across all entities — private sector as well as the government.
Informed consent: Any consent given by the data principal to use his data must be informed and meaningful. Silence cannot be taken for consent.
Data minimisation: The data collected should be only as much as is needed.
Fiduciary accountability: The data fiduciary is accountable for any processing of data, whether by itself or others.
Structured enforcement: The law must be enforced by a central high-powered statutory authority coexisting with decentralised enforcement mechanisms.
Deterrent penalties: Penalties for breach of the law must be adequate to ensure deterrence.
For data fiduciaries, the obligations under the proposed Bill are to collect or process data only for a specific, clear and lawful purpose; to inform the data principal about the purpose of the collection; and not to retain any personal data beyond the term required for that purpose. The data fiduciary is also responsible for the safety and security of the personal data at every step.
So, let’s say, an OTT platform collects my viewing data for identifying my viewing preferences and thereby creates a watchlist for me; it cannot use that data to tailor advertising messages. It also cannot share my data with any other platform in a way that I can be targeted individually.
And penalties for violation of the Act and for any data breach are tough, ranging from ₹5 crore to as much as 4 per cent of the organisation’s worldwide turnover of the preceding year, and jail terms plus fines for individuals who are found responsible for re-identifying personal data.
Quite a far cry from the approximately ₹25,000 penalty under the IT Act!
The way forward
Sounds tough to implement? Not really.
Use of anonymised data is the easiest way out: irreversibly removing all references to personal identifiers of individuals and working with anonymous cohorts of consumers is possible.
For organisations that need to work with personally identifiable data, it would be worth checking the 12-step process recommended by ESOMAR, the global voice of data and research, in 2017, when GDPR (the European Union law on data protection) was in the process of being implemented.
1. Create a cross-functional team to lead the compliance programme: This team should advise, monitor implementation, keep records of activities, and be the interface between the organisation and the data protection authority/ public.
2. Assess impact and record: The impact assessment should identify the level of risk to individuals and their personal data in case of misuse, accidental disclosure or breach; the likelihood and ease of a breach happening; and measures to mitigate its impact.
3. Audit of data flow: Have clear, complete, comprehensive audit records — what data comes in, what it is used for, who it is shared with, what happens to it. These records will help in case you need to demonstrate compliance.
4. Think about future data uses: Plan for all possible uses of the personal data. Re-use of data for any other project is okay, subject to informing the data principal that you might use it for other purposes.
5. Think about unexpected uses: It is best to have a blue ocean approach towards all possible future uses of the data, and inform data principals accordingly to get their consent.
6. Making users’ rights effective: Your systems may need to be updated so that a wide variety of rights can be exercised — data principals can ask you to ‘port’ the data you have about them to another data provider, they may ask for updating or correction, object to certain uses, or ask you for complete removal or erasure of data, and so on.
7. Communicate: In plain, simple, concise form, tell the data principals about the process, names of fiduciaries and processors, how long the data will be stored (infinite is possible), their rights, and so on.
8. Keep data safe: You are accountable for any data breaches, so get all data security systems (including people) in place.
9. Disaster planning for breach: Have ‘fire safety’ drills for data breach.
10. Data chains matter: It is important to have fail-safe contracts at every level, with clear roles, responsibilities and processes of data security. It is important to ensure that all processors and sub-contractors comply with the provisions of the Act.
11. Third-country data transfers: The Bill clearly mentions the rules under which data can be transferred outside India. It is important to also ensure binding corporate rules and codes of conduct to ensure safety and security outside the borders, as well as to be compliant with any other applicable regulations (for instance, GDPR).
12. Create an in-house privacy culture: This requires the commitment of every single individual; a culture of being constantly mindful of risks and not just benefits; continuous monitoring and testing.
Finally, I believe that the Personal Data Protection Bill does not aim to limit what you can do with data. From segmentation to big data analytics, set things up correctly and everything is possible.
The writer has over three decades of experience in communication planning, media buying and selling, and media research