
Arriving soon: India’s data protection law. The first step towards compliance is a data inventory


    By Ikigai Law | Data Governance | 30 December, 2019

    There is an ancient proverb that says “a journey of a thousand miles begins with a single step”. In today’s context, if the journey is an organisation’s efforts to comply with its data protection obligations, then the single step is the process of taking stock of all the personal data it holds.

    This process of stock taking is known by many terms including ‘data mapping’ or creating a ‘data inventory’.[1] The Personal Data Protection Bill, 2019 (“PDP Bill”) does not define either of these terms and it places no explicit obligation on organisations to carry out such a task. That being said, such an exercise is a critical starting point to comply with other obligations under the law. For instance, implementing ‘privacy by design’ would require an organisation to adopt practices to anticipate, identify and avoid harm to individuals from data processing. To do this effectively, one would need to understand different categories of data processed, assign different risk levels to each category and build systems to secure the data to manage those risks. An inventory would be necessary for demonstrating compliance with several other obligations, such as consent, storage limitation, responding to requests from data principals and data protection impact assessments.

    How should one go about it? Ask questions.

    The mapping and inventory exercise seeks answers to certain questions regarding the data that an organisation collects and uses. The mapping answers the ‘where’ of the data: where does it come from, where does it go, which departments use it, where is it stored (physically), and is it sent across borders? An organisation may not have instant visibility over all the data it processes, since data may reside on staff devices, in email systems, with service providers or on the cloud, among other less visible systems and processes. The inventory answers the ‘why’, ‘how’ and ‘who’: why is it collected, how securely is it stored, how long is it retained, whose data is it, and who is responsible for creating, updating and deleting it? Therefore, a starting point is creating a questionnaire which captures all the questions that need answering.

    Who should answer?

    In any organisation, there are several different departments which interact with different types of data. For instance, Sales and Marketing will have customer data, Human Resources will have data about employees and job applicants, Finance will have data about customer invoices and employee payroll and the IT Department will have knowledge of software such as ERP and CRM tools being used in the organisation. Senior personnel from each different department should be tasked with providing accurate and detailed responses to the questionnaire. A person familiar with data protection obligations, either within the organisation or an external consultant, should be tasked with supervising this process. They can provide guidance to the respondents so that they fully understand the import of the questions and the objectives of the exercise. This person can also be tasked with collating the responses received from the various departments.

    Once responses to the questionnaire have been collated, they should be further refined. The data should be sorted into categories such as ‘personal data’, ‘sensitive personal data’ and ‘critical personal data’, and appropriate risk levels should be mapped against the different processing activities. The legal basis for each data processing activity should be identified. If personal data is being shared outside the organisation, the reasons and any underlying contractual arrangement should be mapped. A person with expertise in data protection compliance should be responsible for this process. The gaps in an organisation’s data-handling practices, identified through this process, are what need to be addressed in the next stages of compliance.
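    The refinement step above can be made concrete as a small inventory record with a gap check. This is an added example, not a tool from Ikigai Law or any vendor named on the page; the field names, the risk ranking and the sample entries are assumptions constructed for illustration.

```python
# Added example (not Ikigai Law's or any vendor's tool): one inventory record
# per processing activity, plus a gap check. Field names and data are constructed.
from dataclasses import dataclass, field

CATEGORIES = ("personal", "sensitive", "critical")  # the PDP Bill's three tiers

@dataclass
class InventoryEntry:
    activity: str              # what the processing is for, e.g. "payroll"
    department: str            # which department handles it (the 'who')
    category: str              # personal / sensitive / critical
    source: str                # where the data comes from (the 'where')
    storage: str               # where it is stored
    purpose: str               # why it is collected (the 'why')
    legal_basis: str           # e.g. "consent"; "" if nobody could say
    retention_days: int        # 0 means no retention period was set
    owner: str                 # who creates, updates and deletes it
    shared_with: list = field(default_factory=list)  # external recipients
    contract_in_place: bool = False                  # covering that sharing
    cross_border: bool = False                       # leaves the country?

def find_gaps(e):
    """Return the gaps found in one entry; an empty list means nothing to fix."""
    gaps = []
    if e.category not in CATEGORIES:
        gaps.append("data not categorised")
    if not e.legal_basis:
        gaps.append("no legal basis identified")
    if e.retention_days <= 0:
        gaps.append("no retention period set")
    if not e.owner:
        gaps.append("no one responsible for the data")
    if e.shared_with and not e.contract_in_place:
        gaps.append("shared externally without a contractual arrangement")
    if e.cross_border and e.category in ("sensitive", "critical"):
        gaps.append("cross-border transfer of high-risk data needs review")
    return gaps

def risk_rank(e):  # assumed ranking: 1 personal, 2 sensitive, 3 critical/unknown
    return {"personal": 1, "sensitive": 2}.get(e.category, 3)

# Constructed sample responses from two departments (not real data).
SAMPLE = [
    InventoryEntry("payroll", "Finance", "sensitive", "HR onboarding form",
                   "cloud ERP", "salary payment", "contract", 2555,
                   "Finance head", ["payroll vendor"], False, False),
    InventoryEntry("CRM leads", "Sales", "personal", "web signup form",
                   "CRM SaaS", "marketing", "consent", 365,
                   "Sales ops", [], False, True),
]
```

    Sorting the entries by `risk_rank` and listing `find_gaps` for each gives the prioritised gap list that the next stages of compliance work from.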

    Technology can help with this process

    Depending on the size of your organisation and the complexity of your data processing activities, it is possible that the manual method described above will be extremely challenging to implement. Fear not: there are several automated tools which have been designed specifically to aid in creating data maps and inventories, and in managing the entire compliance cycle. Companies like OneTrust, TrustArc and several others have created software tools which can aid in data mapping, visualising data flows and preparing reports.

    Recommendations

    Start early: The process of creating a data inventory and mapping data flows can be tricky and involve some trial and error. Compliance with data protection obligations, especially if being done for the first time, is demanding. You may need sufficient time to redesign existing data flows and enter into appropriate contractual arrangements with your data processors. If the first step is taken early, and done right, it will go a long way in your journey towards PDP compliance.

    Allocate responsibility: The importance of the exercise needs to be conveyed to senior stakeholders in the organisation across business functions/departments. All departments must dedicate sufficient resources to spend the time to properly understand the ask and the context, and then provide responses to the questionnaires. A person familiar with data protection compliance obligations must be given the responsibility of supervising the exercise and should be ultimately accountable to senior management.

    Seek help: Be willing to hire external consultants or purchase technology tools which will aid your organisation in complying with its data protection obligations. Given the large fines associated with non-compliance, it is important not to be penny wise and pound foolish.


    (Authored by Aman Taneja, Senior Associate with inputs from Sreenidhi Srinivasan, Senior Associate and Anirudh Rastogi, Managing Partner at Ikigai Law.)

    [1] Rita Heimes, Top 10 operational responses to the GDPR: Data inventory and mapping, available at https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-data-inventory-and-mapping/
