The Personal Data Protection Bill and the future of digital ID verification
First in a multi-part series, this article looks at how PDP is likely to change employee data handling.
The country-wide rollout of GST is still fresh in institutional memory and arguably the key takeaway from that experience was, ‘next time, be better prepared!’.
When the Personal Data Protection Bill, 2019 becomes a cross-sector privacy law sometime next year, it will impact most, if not all, businesses in the Indian economy. Only a small fraction of those businesses are currently familiar with data governance — mainly financial services and telecommunication firms because of sectoral regulations.
This article examines how the PDP bill is likely to shape the future of digital identity verification in India, how related firms can gear up for compliance, and how employee data handling is likely to change in the workplace.
Significance for digital identity verification firms
Digital identity verification firms verify individuals, i.e. customers or employees, on behalf of other organisations. As online ID verification service providers, they do not share a direct relationship with the individuals they verify, and since identity is established right at the beginning, they typically do not have access to personal data through the full course of the customer or employee relationship.
Nevertheless, the Personal Data Protection Bill imposes obligations on all entities to protect any personal data they might have access to, even if it is for a specific purpose and a limited duration of time.
Basic principles: Consent, purpose limitation, data minimisation and storage limitation
In the context of the bill, the organisation that anchors the customer or employee relationship is the ‘data fiduciary’, the individuals or data owners are ‘data principal(s)’ and the digital identity verification firm that verifies said individuals on behalf of the data fiduciary is the ‘data processor’.
While the PDP bill places the bulk of the obligations on data fiduciaries, responsible data processors would want to err on the side of caution and proactively frame internal processes that hold them to the same standards as their clients.
Responsible data processors will hold themselves to the same standards as data fiduciaries
Gearing up for compliance
In the new regime, data processors cannot work in anonymity. Organisations will have to disclose who is conducting identity verification and how long the process is likely to take to their customers or employees.
On their part, digital identity verification firms can start by creating an inventory of all the data elements they collect and store, and the various data processing activities they perform.
The data elements can then be mapped to their respective (i) data category — personal data, sensitive personal data, critical personal data (specified but not defined in the bill) and non-personal data, (ii) purpose of collection, and (iii) retention period (the bill outlines different collection, storage and transfer practices for different data categories).
This is obviously not a one-time activity but it is also not meant to be a continuous drain on the firm’s time and resources. The idea is for firms to develop the habit of maintaining an on-demand record of processing activities.
1. Prepare: High-level data inventory
2. Evaluate: Data collection, storage and transfer practices
3. Create: Mechanisms for data principals to share/withdraw consent
4. Understand: New vulnerabilities and risks
5. Establish: Data breach protocols
While consent-driven data governance is no longer an alien concept to Indian firms and consumers, it assumes new meaning with the Personal Data Protection Bill — consent will be considered valid only if it is free, informed, specific, clear and capable of being withdrawn.
The ability to unilaterally withdraw consent is one of the most empowering provisions in the bill for data principals. In most cases, the withdrawal of consent must be followed by immediate erasure of personal data.
For this reason, the provision is currently an implementation quagmire for data fiduciaries and processors.
The rights conferred on individuals are largely consistent with global regulation (confirmation and access, correction and erasure, portability) and the global experience suggests that they are not entirely devoid of risk.
Impostors can create points of vulnerability by sending fraudulent requests to access data for illicit purposes.
Similarly, fake requests to correct or erase information can compromise the sanctity of an organisation’s data.
Although the bill puts the onus of reporting any serious breach of personal data on the data fiduciary, prudent data processors will establish internal protocols to handle any breach that might occur during a downstream processing activity.
In the same way, while data processors are not obliged to prepare a privacy by design policy, it can be a great way of instilling confidence and creating alignment with data fiduciaries.
According to the bill, a data fiduciary can employ a data processor only through a valid contract to process data on its behalf.
And a data processor can engage another data processor for processing data only with the authorisation of the data fiduciary or if permitted under its contract with the data fiduciary.
Data processing in the context of employment
The conversation around personal data protection gets really interesting when it reaches the workplace.
On the one hand, employees’ new-found rights as data principals stand to vitiate the traditional power imbalance in the employer-employee relationship.
On the other hand, employers enjoy certain exemptions from their obligations as data fiduciaries only in this particular (employment-related) context.
One of the maxims that emerged in the run-up to GDPR was ‘to protect employee data as if it were customer data’, which is somewhat instructive.
In the new data regime, employers will have to simultaneously uphold the rights of their employees as data principals, and navigate exemptions to maintain comprehensive HR records.
Employers will have to learn how to maintain employment-related records while protecting the data rights of their employees
Employers will also have to wade through considerable near-term ambiguity. For instance, the bill overrides the need for consent if the processing of personal data (but not ‘sensitive’ personal data, SPD) is necessary for ‘recruitment or termination of employment of a data principal by the data fiduciary’.
The bill considers financial data and health data to be SPD. Employers have the bank account number of their employees and know the number of sick days they avail — although this information is independently unlikely to cause harm to the data principal, technically, it is still SPD.
There are specific compliance requirements for SPD with respect to data localisation, transfer and processing.
Since it may practically be difficult to separate the SPD from personal data, the entire data set will need special treatment due to traces of SPD. Or take for example the right to correction and erasure.
How does an organisation respond to a request to ‘correct or erase’ disciplinary proceedings by a former employee? Or how does a former employer deal with reference check requests from another organisation? At this point, there are more questions than answers.
Today, individuals are becoming increasingly interested in (and concerned about) the use of their personal data. Firms must prepare to engage not just with clients and regulators but with citizen and media groups as well.
Even compliant organisations will have to hedge against reputational risk.
At first, the time, effort and resources required to understand and implement PDP might seem overwhelming. However, the rules are not yet finalised and the pace of implementation is not yet known.
Implementation timelines aside, leaders who start their journey early can use this opportunity for a broader data transformation of the entire organisation, not just the compliance, legal and risk functions.