The exponential growth of the digital economy and the public fallouts faced by technology giants over data misuse and breaches have led to greater awareness of the risks in data processing, resulting in a global shift towards an accountability-based approach to data protection and privacy.
The consequence is an increased focus on Data Protection (or Privacy) by Design (‘DPbD’), a concept which requires the consideration of data protection issues at the design phase and throughout the lifespan of an organisation’s data management system.
Why Data Protection by Design?
The objective of DPbD is to enable an organisation to comply with data protection principles right from the beginning – from anticipating issues and identifying gaps in the developmental stages of a data management system, to building a system which is able to secure personal data, and integrating good data management practices in the organisation’s activities and business practices.
The business case for adopting a DPbD approach is a data management system which is not only robust and purpose-built, providing cost-effective protection for personal data, but which also provides the organisation with higher-quality data for use in its business functions. In contrast, a less proactive, or reactive, approach to compliance is likely to be more costly, slower to implement, and to increase an organisation’s risk of exposure under data protection laws.
Leading by Example: The European Union
The European Union’s General Data Protection Regulation (‘GDPR’), considered the global gold standard for data protection regulation, has crystallised DPbD as an essential component of data management. Article 25(1) of the GDPR requires organisations to put in place appropriate technical and organisational measures to implement data protection principles under the GDPR, and to integrate safeguards into processing activities in order to meet the GDPR’s requirements and protect individual rights. Non-compliance attracts penalties and sanctions, which could include administrative fines based on a percentage of an organisation’s annual global turnover.
Aiming for Transparency and Accountability: India
Touted as the country’s answer to a comprehensive cross-sectoral data privacy law, the Indian government has introduced the Personal Data Protection Bill 2019 which is currently under review by a Joint Parliamentary Committee. The Bill is expected to become law some time in 2020.
In an emulation of the GDPR, Section 22 of the Bill mandates ‘Privacy by Design’ as part of transparency and accountability measures. It requires each organisation that collects data to prepare a Privacy by Design Policy which embeds the organisation’s data protection obligations.
The Bill also goes a step further than the GDPR as Section 22(2) states that an organisation “may submit its privacy by design policy to [the proposed Data Protection] Authority for certification within such period and in such manner as may be specified by regulations”, after which the policy would be “published on the website of the [organisation] and the Authority”.
While the Bill has been welcomed, stakeholders and experts are concerned that the push for potentially mandatory certification could result in increased burden and compliance costs for businesses. There are also concerns that the proposed Data Protection Authority may be inundated by policies, which could result in delays to the certification process and further hindrance for businesses in India.
Engaging Stakeholders: Singapore
In this regard, perhaps a Singapore-style approach of voluntary certification could be considered by the Indian government.
While accountability is a fundamental obligation under Singapore’s Personal Data Protection Act, DPbD is not enshrined in the Act, but rather recommended as a good practice in non-binding guidelines issued by Singapore’s Personal Data Protection Commission. The guidelines encourage businesses to cultivate a DPbD approach when designing and building information and communications technology systems, processes and workflows, but also encourage organisations to adopt practices that are reasonable and appropriate to their businesses and circumstances.
Singapore has also introduced a voluntary certification regime, the Data Protection Trustmark (‘DPTM’) certification scheme, through which organisations may apply for assessment of their data protection practices. The assessments are carried out by appointed third-party assessors. If the organisation’s practices are found to conform to the DPTM requirements, which are aligned to international benchmarks and best practices for data protection, the organisation would receive certification and may display the DPTM logo in its communications and on its premises to indicate its accountable data protection practices. A list of DPTM-certified organisations is also made available on the website of Singapore’s Infocomm Media Development Authority.
Until further announcement, questions will remain as to the certification which has been proposed by the Indian government and the prescribed regulations. In the meantime, regulators may consider the appointment of third-party assessors to ease the Data Protection Authority’s burden. Such measures would not detract from the spirit of transparency and accountability, and would still serve to create a robust regime for data protection which would not undermine the competitiveness of businesses in India.