Saturday, May 18, 2024

Digital Personal Data Protection Act, 2023 – Impact on Banking Sector Outsourced Services

Consent Notices

Regulated Entity: Drafting a consent notice optimized for maximizing opt-in consent to non-essential processing, such as marketing and cross-selling of products, will be relevant. Effort and skill are needed to differentiate these notices from run-of-the-mill drafts while ensuring they meet the stringent requirements of the DPDP. These notices must be controlled by the Regulated Entity.

Customer Insights and Cohorts

Customer data is invaluable to sustaining and growing a business and inadequate attention to this can lead to handing over painstakingly gained business advantages to the competition.

An area where service providers (SPs) can benefit, particularly those with customer usage visibility and serving multiple Regulated Entities, is creating customer insights. This is often done through ‘cohorts’, where transactions and usage patterns are analyzed to create generalized but insightful analytics on particular trends: for instance, the success of a client’s new marketing program or new product, measured by the uptick in user adoption of a service or feature; the number of customers using a premium credit card; the number of high-spending/HNI customers of a bank; spending patterns. The possibilities are endless.

The upside for the SP is that cohort-based insights are anonymized and cannot identify individuals, and are therefore unlikely to fall foul of the DPDP. The SP can sell this information to competitors or to other industries.

The significant downside for Regulated Entities is that SPs may be able to monetize these deep insights into their user base and thereby benefit competitors. Attention to such finer points often gets missed due to an overt focus on compliance without understanding the myriad ways in which customer data can be exploited.

Audit and Assurance

Regulated Entities are already required to ensure robust audits and governance of SPs under the Master Directions. Regulated Entities must also ensure that their IT outsourcing policy and organizational governance program, along with Board and senior management roles, are appropriately extended to include DPDP compliance. The contract with the SP must be modified to include privacy compliance and data protection audits.

Breach Notifications

The DPDP adds a personal data breach notification requirement in addition to the existing notifications of security/cyber incidents to the RBI and the Computer Emergency Response Team. The definition of ‘personal data breach’ under the DPDP is expansive and includes accidental disclosure, destruction, loss of access, etc., in addition to unauthorized access. The contract with the SP must adequately define a breach along with appropriate notification requirements, and penalties and indemnities for a failure to notify (the second-highest slab of financial penalties, i.e., up to INR 200 crores, is for a failure to notify the Data Protection Board of a personal data breach).

Data Portability

In addition to the requirements under the Master Directions vis-à-vis the transition of the outsourced services on exit from the contract, Regulated Entities should consider incorporating into the contract with the SP a ‘data portability’ requirement for migrating customer personal data to a new SP or to the Regulated Entity itself. This will be more effective if based on an industry standard that enables the transfer of customer personal data, preferences, and profiles to the next SP, allowing a seamless and lossless transition of services. However, this is not currently a requirement under the DPDP. It is possible that the RBI’s ‘account aggregator framework’ could be leveraged to create a standard enabling data portability for the industry.

Robust Contract

Regulated Entities must expand the contract with the SP to include a detailed personal data compliance, assurance and governance framework, along with appropriate reporting mechanisms, audit provisions, financial disincentives, incident notification and remediation, and indemnities.

Overly relying on contract remedies is not enough and does not mitigate the absence of an effective audit and assurance program, as many SPs will not have the financial ability to make good on contractual promises if they breach.

For SPs, it is important to ensure that their liability is ringfenced and commensurate with their role and earnings as a service provider. Blanket indemnities and unlimited liability should be avoided as much as possible; a poorly negotiated contract can be a death sentence for a business. SPs should also avoid accepting responsibility for interpreting and implementing requirements based on regulations applicable to the client. The Regulated Entity must be required to interpret regulatory requirements and agree with the SP on the technical solution to be implemented.

Source: Barandbench
