Accounting and Audit News

published on 30 October 2023 I reading time approx. 4 minutes

Navigating The Digital Personal Data Protection Act 2023

Best practices for Finance Departments

In the past, there have been many instances of Data breach. Finance departments of various institutions deal with huge volume of personal data in the form of KYC details of end-users to fulfil their obligations including but not limited to carrying out financial transactions on behalf of such individuals thereby making them easy targets to possible instances of data breach.

To safeguard our digital privacy, Indian government has introduced the Digital Personal Data Protection Act 2023. The act which is substantially similar to the European Union’s General Data Protection Regulation, came into force on the 11 August 2023. The act is primarily aimed to regulate the collection, storage, processing, and transfer of personal data in digital format, within India, or abroad for the purpose of providing services in India. The act intends to provide a robust framework to process personal data giving individuals more control over their data. Companies often appoint third party service providers to outsource their business functions. Act also requires firms to review such outsourcing arrangements and ensure data privacy.

Broad Steps for Data Usage

Obtain consent prior to collection of personal data.
Let them know the legitimate reason for collection.
Let them know the mode of use, storage policy and duration of storage.
Have grievance redressal mechanisms in place.
Report to authorities within timelines prescribed.

Best Practices for Finance Departments for complying with provisions of this Act

It is crucial for finance departments to familiarize themselves with the specific provisions of the DPDP Act 2023 and tailor their data protection practices accordingly to avoid legal repercussions and maintain trust with their clients. Some of the best practices are noted below.

1. Data Mapping and Consent Management

As a first step towards complying with the provisions of this Act, departments should do a thorough data mapping exercise to understand what personal data they collect, process and store. Companies should obtain a consent from Data Principal* in a clear and plain language to process their personal data which should also contain information about the personal data and purpose for which data has been obtained. Companies may appoint a designated point of contact who should be responsible to handle any grievance related to data breach. As a practical example: A manufacturing company enters contract with another company, for delivering goods to customers. SaidCompany shares customers addresses with this delivering partner. Under the new law,Company should obtain consent from its customers for sharing their personal data with the delivery partner.

2. Data Security and Data Encryption

Finance departments often handle sensitive personal data of clients such as bank account details. Ensuring compliance with the DPDP Act's stringent data security requirements can be challenging. These challenges can be overcome by implementing a safeguarding system which will prevent data breach and unauthorized access.

Unauthorized access can be achieved by multiple ways including:

forcing a strong password policy,
using Two Factor Authentication(2FA) and Multifactor Authentication,
regularly updating software,
implementing firewalls,
encrypting sensitive data,
monitoring network activity

Finance departments can ensure that all digital communication and stored data are encrypted, making it difficult for unauthorized parties to access sensitive financial information.

3. Not collecting excessive data

Companies may avoid collecting more data than necessary for the specified purpose, thereby sticking to the principle of data minimization.

For example , when a user subscribes for a specific set of services, information absolutely necessary to provide the user with such services should be requested i.e., data on a strict need basis.

4. Educating Employees

It is advised to train employees dealing with personal data, on the regulations and best practices to ensure that everyone understands their responsibilities.

For e.g., employees should be made aware of real examples of data breach and amount of penal compensation. This can act as a deterrent for any negligence in handling customers personal data on part of employees. In a similar manner, the Finance department may also take necessary steps to act in a diligent manner to avoid any negligence in handling employees’ personal data.

5. Appointing a Compliance Officer

The Compliance Officer can monitor the ‘Do’s and Don’ts’ with respect to the responsibility of the Company to handle the personal data of its employees, vendors and customers. One of the primary functions of the Compliance Officer would be to serve as the point of contact for the grievance redressal mechanism. He should be based in India and responsible to Board.

6. Data Breach Reporting

“Personal data breach” is said to have occurred when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is imperial to have a process/system which can avoid data breach at the first place and in the unlikely event of a breach, robust process for promptly reporting such data breaches to the relevant authorities and affected individuals as required by the DPDP Act.

7. Cross Border Transfer of data

The Act extends to processing of personal data within India or outside of India to provide goods or services in India. The processing can either be in India or outside of India. Presently, guidelines for cross-border data transfers including specific protocols before transferring personal data outside of India is awaited.

8.Data sharing with third parties

If companies send the data to third parties for processing, they should take explicit consent from users and they should also give option to users to opt out.

9. Continuous Monitoring

Finance departments may continuously monitor regulatory changes and update policies and practices accordingly to stay in compliance with DPDP Act 2023. This can also be achieved by seeking professional support.

Since penalties for contravention is high (up to INR 250 crore / 5 million euros approximately), businesses would need to factor in potential financial risks in case of breach of this Act and design their personal data handling practices very diligently.

Conclusion

Compliance is not just about adhering to the law; it is about safeguarding the trust and security of customers and the organization itself. Compliance requirement varies from business to business and hence the solutions should always be tailor made.