10 Important Data Protection Practices To Keep In Mind For A Startup In India
Recent years have seen a digital boom worldwide, resulting in an explosion of digital data collection and distribution. This has raised the important question of how to deal with the huge amount of data being collected by companies all over the world. Various countries have formulated laws to deal with the issues of data privacy and data protection.
India has come a long way in dealing with data privacy and protection, starting with the enactment of the Information Technology Act (ITA) of 2000 and its ancillary IT Rules of 2021 and 2022. On August 23rd 2017, in the case titled Justice K.S Puttaswamy (Retd.) Versus Union of India (“Aadhar Judgment”), the Hon’ble Supreme Court held that the fundamental right to privacy is guaranteed under the Constitution of India. However, these measures are not enough, and laws are needed which categorically deal with data privacy and protection issues. In this regard, the Digital Personal Data Protection (PDP) Bill 2022 has been proposed, which will ensure fair use and disposal of digital personal data collected online and offline in India, and also outside India by companies offering goods and services to individuals in India.
According to a January 2023 report by the United Nations Conference on Trade and Development (UNCTAD), in 2022, 137 out of 194 countries (71%) had passed legislation to secure data and privacy protection. Of the 194 countries, 15% still have no legislation and only 9% have draft legislation.
Any business operating in India should be familiar with all the relevant data protection laws and how they affect its day-to-day activities. The 10 important practices a startup entity must follow to deal with data privacy and data protection issues in India are as follows:
Maintain transparency in collecting and processing data: This involves providing customers with a transparent data protection policy which clearly explains how their data will be used and how they can control the processing of their data. Companies which collect online or offline data must publish a data privacy policy. It should comply with the privacy laws of India and of any other country in which the company does business. At present, many companies offer little or no transparency in the collection of data.
Let’s look at this issue from the point of view of a customer. As a customer, how many times have you given out your phone number and address to a store (physical or online) without even thinking about it? If you do ask about it, you are told that it makes it easier to pull up your information when you visit the store next time, and you are assured that the store will never sell your data to a third party and that you will not get any telemarketing calls from the store. But have you ever wondered what happens when you give out your phone number to the cashier in a departmental store, or when you check out in an online store? Have you ever wondered what happens to the data that you unintentionally provide to a company when you use your fitness devices or other tech gadgets? Have you ever wondered how your personal data is handled and stored: whether the data is stored physically on-site or off-site, or on cloud servers? Cloud servers are generally operated, secured and maintained by a third-party provider which may be located outside the country. In order to build customer trust, it is important for companies operating in India to have a transparent data privacy and protection policy.
Though some companies are transparent regarding their data collection and protection policies, many companies still prefer to keep their customers in the dark. Ideally, companies should provide customers with all the information regarding why they are collecting the data, how they will use it and how they will protect it.
Incorporate reasonable security practices and procedures: In accordance with Section 43A of the Information Technology Act (ITA) regarding the handling of sensitive personal data, all corporate entities that deal with such sensitive personal data or information should incorporate reasonable security practices and procedures relating to such data; otherwise they will be liable to pay compensation to the affected persons if there is any breach or negligence. Moreover, Section 72A of the ITA provides for the punishment of any person who unlawfully discloses personal data without the consent of the information provider. Companies are encouraged to adopt reasonable security practices and procedures, including publishing a privacy policy that gives details of the type of data collected, the purpose and use of the collected data, the storage procedures followed, the disclosure policy and transfer mechanism for the data, and the security practices and procedures being followed by the corporate entity.
Compliance obligation of the Intermediary: According to the amendment to the Information Technology Rules 2021 (IT Rules), it is now imperative for Intermediaries not only to prominently publish their rules, regulations, privacy policy, etc., but also to ensure “compliance of the same”. As a result, social media platforms risk losing their intermediary protection under the IT Act if they violate the compliance obligation enshrined in the amendment. Lack of clarity regarding how they collect and process personal data can lead to ambiguity and plummeting trust among their users.
Clarity regarding collection of information: This is an important phase in the data privacy process. Undeniably, collection of personal data is a very sensitive process, especially in the case of medical, biometric and financial data. It is important that, before collecting data from consumers, the company (information collector) gives the consumer (information provider) the option to give consent or to opt out of providing such information, and that the consumer also has the option, at any time while availing the services of the company, to withdraw consent given earlier. Moreover, the IT Rules also state that consent has to be obtained in writing or through email from the information provider regarding the purpose for which the data is being collected, prior to the collection of such information. Currently, not many companies notify their customers that their personal data is being collected. In fact, when we go to stores or shop online, we provide all our personal data without thinking twice about how it is being used, stored, disclosed or protected. In this Information Age, access to customer data indisputably gives a company a strategic advantage through greater insight into customer needs and preferences. Undeniably, one way to build trust is to provide clarity to the consumer with respect to the company’s policies on collecting and handling personal data.
Age verification while collecting data: The proposed PDP Bill defines anyone under 18 as a child, and companies will be required to implement a rigorous age verification process and obtain parental consent before processing any child data. Companies are also prohibited from processing child data in ways that may cause harm to children or that monitor the behaviour of children.
Requirements for cross-border data transfer: The proposed PDP Bill imposes special conditions regarding cross-border transfer of data, especially if it is sensitive personal data such as medical, financial or biometric data. Under the European data protection law called the General Data Protection Regulation (GDPR), there are restrictions on the transfer of personal data to countries outside the European Economic Area (EEA), in order to make sure that the privacy rights of individuals are protected even outside the EU. This is especially necessary for jurisdictions that do not have adequate legislation to secure data and privacy protection. By the same token, companies operating in India should strictly follow cross-border restriction rules, especially where the company is transferring data to its parent company or a subsidiary located outside India, storing personal data outside India, or transferring personal data to a third party located outside India.
Setting up an effective Grievance Redressal Mechanism: An effective Grievance Redressal Mechanism is one of the important tools for data privacy and protection. Without an effective Grievance Redressal Mechanism, none of the goals of data privacy and protection can be achieved. As part of the Grievance Redressal Mechanism, the corporate entity has to designate a Grievance Officer and publish the officer’s name and contact details on its website.
Requirements for disclosure of sensitive personal data or personal information: Sensitive personal data such as medical, biometric or financial records need to be handled with great care, and companies need to abide by certain guidelines relating to the disclosure and transfer of sensitive personal data. First, the corporate entity needs to get prior permission in writing from the information provider before it can disclose the data to a third party. Second, the actual transfer of data has to be undertaken with the greatest confidentiality, using technologies that reduce the risk of data leaks or data breaches.
Secure storage: In recent years, data storage technology has developed so much that companies now have many more options for storing data than previously envisaged. Storage options extend well beyond local storage to include cloud storage, wherein digital data is stored in an online space spanning multiple servers and locations. The PDP Bill does not directly include provisions on data localisation. It only requires the company to use appropriate data protection measures to make sure that the data is not breached.
Training employees on data privacy: Employees of a company need to be rigorously trained on how to handle and process private data, especially personal information that is specifically targeted by hackers. An effective data protection training program for employees forms an important part of the overall data privacy and protection strategy of the company.
With the exponential growth of digital companies and consumers increasingly adopting digital technology, it has become imperative that we turn our focus to data privacy and protection. In recent times there have been many instances of data breaches/hacking, data misuse and data manipulation.
As Indian consumers become careful about sharing their personal data, and regulators strengthen laws on data privacy and protection, companies, especially startups, need to focus more on this aspect of doing business. In the present scenario, the way companies collect, handle and distribute their consumers’ data becomes an important factor in gaining their consumers’ trust and ultimately gives them a competitive advantage.
The authors are Advocates; views are personal.