Friday, August 11, 2023

How CIOs & CISOs can prepare to comply with the Indian Digital Personal Data Protection Bill 2023


    India's Digital Personal Data Protection Bill, 2023 (DPDP) is going to force IT decision makers like you to completely rethink how your organisation collects, processes, stores and secures customer, vendor, employee and partner data.

    While the rules that will put flesh on the Bill are yet to be notified, what we do know is that companies that leave it until the last minute to begin their compliance journey will invariably fail in their efforts.

    This is a classic scenario of "the early bird gets the worm."

    Here the "worm" is being well prepared, so that your company stays compliant with this far-reaching legislation and avoids penalties. The goliath among them, in the Schedule to the Bill, is a fine of up to ₹250 crore per instance for failing to take reasonable security safeguards to prevent a personal data breach, with a further ₹200 crore for failing to notify the Board and affected individuals of a breach. (The "4% of global turnover" figure that still circulates comes from GDPR and from India's 2018 draft bill, not from the 2023 text.)

    My team has helped clients around the world become compliant with similar legislation like GDPR and CCPA, and this article sets out practical steps you can take to do the same. We will update it as the rules under the Bill are notified.

    Let's start with the fundamentals. 

    What are the fundamental components of the Digital Personal Data Protection Bill, 2023 that concern information security teams? 

    Given the limited information available to date, this is a summary of some key implications of this privacy legislation for CIOs, CISOs and their information security teams:

    • The Bill covers all digital personal data, not just the "sensitive personal data or information" that the SPDI Rules, 2011 under the IT Act regulated. This means you have to meet the Bill's consent, purpose limitation and data minimisation requirements for the collection and processing of every type of personal data, including data that was previously outside any Indian privacy regime.

      What this means for security teams: you will need to review data capture mechanisms, data flows, and storage and transmission security, among other tasks, to ensure compliance.
    • The Bill requires a Data Fiduciary to notify the Data Protection Board of India and each affected Data Principal of a personal data breach. The form, manner and timeline are left to rules yet to be prescribed; the Bill itself sets no 72-hour window, that figure comes from GDPR. Separately, CERT-In's April 2022 directions already require cyber incidents to be reported to CERT-In within six hours of noticing them.

      What this means for security teams: you will need protocols and procedures in place for rapid breach detection, investigation and reporting, and you should plan for a deadline measured in hours, not days.
    • The Bill gives individuals (Data Principals) more control over their personal data through consent requirements and the rights to access information about processing, to correction and erasure, to grievance redressal and to nominate another person to exercise these rights. A data portability right, familiar from GDPR, is not in the 2023 text.

      What this means for security teams: you will need to implement tools and processes to support access, correction and erasure requests, with authentication of the requester so that the rights themselves do not become a data-leak channel.
    • The Bill mandates the appointment of a Data Protection Officer (DPO) for Significant Data Fiduciaries, a category the central government will notify. The DPO must be based in India, answers to the board of directors and is the point of contact for grievance redressal.

      What this means for security teams: if your company is notified as a Significant Data Fiduciary it will need a DPO, and that person will have to work with your team on privacy reviews, assessments, audits and training to ensure your organisation achieves and remains compliant.
    • The Bill allows for significant penalties, up to ₹250 crore per instance at the top of its Schedule, for contravention. Strengthening your security and privacy posture will be crucial to avoid financial and reputational damage from penalties.

      What this means for security teams: you will have big numbers hanging over your heads. But you should also be able to use these penalties to make a strong business case for reasonable and necessary investment in cyber security within your organisation.
    • Overall the bill expands compliance requirements for information security teams around personal data protection. Staying up-to-date on the bill as it evolves and preparing with updated data governance, security controls, and response plans will be key.

      What this means for security teams: you should be supported with greater senior executive sponsorship and leadership as non-technical executives realise and accept the scope of change that must be undertaken. This was one of the key takeaways of the International Association of Privacy Professionals (IAPP) when reviewing their members' responses to GDPR and CCPA implementation.

    7 guiding principles to adopt to help your organisation adapt to the DPDP quickly and cost-effectively

    If your mind is boggling from reading the short list above, you're not alone!

    It's a lot to take in and you certainly can't do it alone. 

    But while you assemble your team and prime your leadership for the challenges ahead, it helps to have a framework of guiding principles that will help you assess whether each decision that is being made is being made for the right reasons. 

    Use these 7 guiding principles as your north star while you help your team traverse these foggy lands.

    Principle 1: Prioritise communication and collaboration

    Information security teams have traditionally struggled to get buy-in from their organisations. You know this, but this legislation means you can no longer tolerate the status quo.

    If you want to get on the front foot with your DPDP bill compliance efforts then you must encourage your team to communicate early and often. You will also need to work with other business heads to make inter-disciplinary collaboration a top-down affair.

    This also applies to the newly created privacy functions this bill mandates within your company.

    Principle 2: Automate as often as possible

    Spoiler alert: you will not get through this by hiring more people. 

    Why? Because there aren't enough smart people in this space and you simply cannot hire them fast enough.

    You need smart tools that automate essential tasks and then you need your smart people to action and communicate insights from these tools. 

    Principle 3: Budget conservatively

    Your typical rosy business-case budgeting will only hurt you with this transition.

    This is your opportunity to get a reasonable budget for your tools and people, so don't squander it by deliberately underestimating the investment required.

    Communicating budgets properly will also help you gain greater executive buy-in, which naturally affords you greater influence and control of the implementation of your plans. 

    Principle 4: Review third party risk hawkishly

    Irrespective of whether your company builds all its technology in-house or outsources development, you can no longer get away with annual questionnaires or black-box penetration tests whose findings you leave to your vendors to action.

    If you are capturing data then the Bill makes you, the Data Fiduciary, responsible for protecting it at all times and in all situations, irrespective of who builds your software or which Data Processor handles it on your behalf.

    Third party risk has been topical in application security for some time now and if you weren't focusing on it until now, it's time to understand what you can do about this. 

    Principle 5: Make privacy training dynamic and regular

    Privacy and security training has until now largely been a tick-box exercise. Most employees do it once, when they join your company.

    Only the truly privacy-conscious companies in sensitive industries require more regular retraining. 

    You have to ensure that your people are regularly trained and assessed on their privacy-related responsibilities, right from front-of-house customer service teams, to senior executives, to your most technical developers and engineers.

    Principle 6: Review and optimise regularly

    There is no "set and forget" in cybersecurity - again this is not news to you. But you must set up mechanisms to understand your security posture on a real-time basis and then act on the insights. 

    Your company's newly minted DPO and data protection team or consultants will need to collaborate with you to guide you on the rules notified under the Digital Personal Data Protection legislation as they arrive.

    You see how nothing is possible without top notch collaboration?

    Principle 7: Foster a culture of privacy

    All of this communication, automation, training, optimisation is designed to do one thing: help you build a culture of privacy in your organisation. 

    This is important because there's no silver bullet or single automated tool that gives you all the capabilities you will need. In fact, if you're thinking "bolt-on privacy" then you're going to be in a world of hurt. 

    With the DPDP bill, privacy and security needs to be built-in to everything your organisation touches. 

    Don't get me wrong - this is not a trivial exercise. So much so that there is a high chance that your company may not achieve any such culture in your tenure there. 

    But even if you take baby steps in that direction, you've done your job well and you've got a great story to tell for your next job interview. 

    What steps can my company take to become compliant with the Indian Data Protection Bill?

    The first and most obvious step is to conduct a gap analysis to understand your current cybersecurity, application security and data protection posture. 

    The outcome of the gap analysis will tell you which of these activities you should start with:

    1. Review data collection, processing, and storage practices - Minimise data collection to what is adequate, necessary and relevant for specified purposes. Restrict access and establish retention timelines.
    2. Strengthen consent management - Review and update consent flows to meet requirements like free, specific, informed, unconditional and unambiguous consent. Allow easy consent withdrawal and review.
    3. Develop transparent privacy policies - Clearly explain data handling practices, purpose limitations, and user rights. Keep policies updated per the Bill's requirements.
    4. Automate and conduct regular application security audits - This will help your development team find and fix critical issues without having to wait for external consultants to be free to tell you what to do.
    5. Enable user rights - Build capabilities to support access, correction and erasure requests in a timely manner, with verification of the requester's identity.
    6. Appoint a Data Protection Officer - If you are likely to be notified as a Significant Data Fiduciary, designate a DPO based in India to oversee data security, monitoring, audits and compliance. Provide adequate resources and training.
    7. Review contracts with processors - Ensure contracts meet the data protection obligations specified in the Bill; the Data Fiduciary remains responsible for processing done by its Data Processors.
    8. Implement data security controls - Use reasonable security safeguards like encryption, access controls and audits based on data sensitivity.
    9. Plan incident response - Define an IR plan that can meet whatever breach notification timeline the rules prescribe, as well as CERT-In's existing six-hour reporting requirement. Conduct periodic incident response drills.
    10. Undertake impact assessments - Perform periodic DPIAs for high-risk data processing like large-scale profiling and use of new technologies. The Bill makes them mandatory for Significant Data Fiduciaries; they are good practice for everyone else.
    11. Track record maintenance - Maintain auditable records of personal data processing activities. The Bill's audit and breach-notification duties are very hard to discharge without knowing what data you hold, where, and why.
    12. Provide staff training - Educate employees on the requirements of the Bill and their obligations in managing personal data.
    13. Monitor updates - Stay updated on the rules as they are notified and evolve practices accordingly. Consider legal guidance.

    Which automated tools will help my company comply with the data protection bill? 

    Leveraging the right privacy enhancing technologies and automation tools can significantly ease the compliance burden for your already stretched security teams under this new data protection regime.

    I'm not suggesting that you buy all of these tools at once, because that will result in a disaster of whole new proportions.

    But the list below should help you understand which types of automation you will eventually need to invest in. The first set of tools you invest in will be governed by the outcome of a thorough gap analysis of your current cybersecurity, application security and data protection posture. 

    These are the categories of tools that will help you become increasingly compliant with this legislation:

    1. Consent management platforms - To streamline consent capture, manage consent receipts and withdrawal.
    2. Data discovery and classification - Discover personal data spread across systems, classify it and monitor access to ensure compliance. Examples include: Varonis, Microsoft Purview (formerly Azure Purview) and Amazon Macie.
    3. Data masking - Pseudonymise or anonymise personal data for non-production uses like testing, so that test and analytics copies are no longer linked to identifiable individuals. Examples include: Delphix and Informatica.
    4. DPIA automation - Platforms to manage data protection impact assessments in a systematic manner.
    5. Application security automation - Static analysis of your codebase during development and dynamic analysis of your running applications and APIs, because no matter how big a fence you put around your data, if your applications are your Achilles heel then that is where your privacy will be compromised. Example: Cyber Chief's dynamic web app scanning and API security modules.
    6. Cloud security posture management - Your migration to the cloud opens up infinite possibilities for growth and propels your feature rollouts to breakneck speeds. But this adoption of the cloud also presents risks that need to be assessed and managed in real time. Example: Cyber Chief's Raider CSPM module.
    7. Data subject request management - Tools to log, track and fulfil user data access, correction and erasure requests efficiently. Examples: DataGrail, Siru, Prifender.
    8. Security analytics and monitoring - Solutions to detect threats, anomalies and unauthorised access, and SIEM tools to enable rapid incident response.
    9. Audit trail management - To capture detailed audit trails for personal data processing activities and enable compliance audits.
    10. Privacy management software - Consolidated solutions to automate record-keeping, reporting and risk management related to data protection. Examples: RSA Archer, BigID.
    11. Staff training platforms - Scalable solutions to provide data protection awareness training to employees.

    Want to see how you can solve 3 of these problems with just one tool - Cyber Chief?
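    To make the "data discovery and classification" and "data masking" categories above concrete, here is an added example written for this article's editing pass; it is not code from the article's author or from any vendor named above. It scans constructed sample records for Indian identifiers (Aadhaar, PAN, mobile number, e-mail), confirms Aadhaar candidates with the Verhoeff check digit that every Aadhaar number carries (so 12-digit order numbers and timestamps are not mis-flagged), and replaces confirmed hits with deterministic HMAC-SHA256 tokens. The same person therefore maps to the same token across records, which keeps joins working in a non-production copy while no raw identifier leaves production. The records, the key, the token format and the "2222 2222 2227" number (chosen only because it passes the checksum) are assumptions for the example.

```python
"""Discover Indian personal identifiers in free text and pseudonymise them
with a keyed HMAC so a non-production copy keeps referential integrity.
Illustrative example: sample records are constructed, the key is a
placeholder, and the token format is arbitrary. In practice the key stays
in a production-only secret store and only the masked output leaves."""
import hashlib
import hmac
import re
from typing import List, Tuple

# Verhoeff multiplication (d) and permutation (p) tables. Aadhaar's twelfth
# digit is a Verhoeff check digit over the first eleven.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(digits: str) -> bool:
    """True if the digit string, check digit included, passes Verhoeff."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# Loose patterns; order matters because pseudonymise() substitutes in this
# order, so Aadhaar and e-mail hits are consumed before the 10-digit mobile rule.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aadhaar", re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")),
    ("pan", re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("mobile_in", re.compile(r"\b[6-9]\d{9}\b")),
]


def _canonical(kind: str, value: str) -> str:
    """Normalise so '2222 2222 2227' and '222222222227' give one token."""
    if kind == "aadhaar":
        return re.sub(r"[ -]", "", value)
    return value.lower() if kind == "email" else value


def _confirmed(kind: str, value: str) -> bool:
    """Regex hit plus checksum where the identifier carries one."""
    return verhoeff_valid(_canonical(kind, value)) if kind == "aadhaar" else True


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every confirmed identifier in the text."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS
            for m in pat.finditer(text) if _confirmed(kind, m.group(0))]


def pseudonymise(text: str, key: bytes) -> str:
    """Replace each confirmed identifier with a deterministic keyed token.
    HMAC rather than a plain hash: without the key, a holder of the masked
    copy could brute-force the small Aadhaar and mobile number spaces."""
    def token(kind: str, value: str) -> str:
        msg = f"{kind}:{_canonical(kind, value)}".encode()
        return f"{kind.upper()}_{hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]}"

    for kind, pat in PATTERNS:
        text = pat.sub(lambda m, k=kind: token(k, m.group(0))
                       if _confirmed(k, m.group(0)) else m.group(0), text)
    return text


# Constructed sample records. The first Aadhaar-like number passes the Verhoeff
# check; the second fails it, so it is left in place for human review.
SAMPLE_RECORDS = [
    "Priya Sharma, Aadhaar 2222 2222 2227, PAN ABCDE1234F, mobile 9876543210, priya@example.co.in",
    "Rahul Verma, Aadhaar 2222 2222 2228, mobile 9123456780, Rahul.V@Example.com",
    "Priya Sharma, mobile 9876543210, repeat customer, Priya@Example.co.in",
]


def mask_records(records: List[str], key: bytes) -> List[str]:
    """Produce the non-production copy of a batch of records."""
    return [pseudonymise(r, key) for r in records]


if __name__ == "__main__":
    for line in mask_records(SAMPLE_RECORDS, b"placeholder-production-only-key"):
        print(line)
```

    Two design points carry over to real tooling. A keyed, deterministic token is what makes a masked copy usable for testing (the same customer still joins across tables) while staying unlinkable for anyone without the key; a plain SHA-256 of a ten-digit mobile number is reversible by brute force in seconds. And checksum validation is what separates a discovery tool from a grep: record 2 above looks like an Aadhaar number to the regex but not to Verhoeff, so it is reported rather than silently tokenised.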

    Which elements of the Digital Personal Data Protection Bill are still unclear?

    Much of the operational detail is delegated to rules that the central government is yet to notify, and it seems that this will be a dynamic exercise over time. But as far as your organisation's information security practice is concerned, these are the questions we are yet to find answers to:

    • What types of processing will be exempt from the Bill, and are there any sector-specific exemptions? The Bill exempts certain processing, for example for the enforcement of legal rights and claims, the prevention, detection and investigation of offences, and research and statistical purposes, and lets the government exempt notified classes of Data Fiduciaries such as startups; how broadly these exemptions apply in practice is still to be seen.
    • How should compliance practices differ for financial, health and other high-risk data? Unlike the earlier drafts, the 2023 text does not define a separate "sensitive personal data" category with higher protections. But sector regulators such as the RBI already impose their own controls, and you can reasonably expect consent practices, security controls, onward transfer restrictions and audits to be more demanding for such data in practice.
    • What are the specific requirements and timelines for breach notification to the Data Protection Board of India and to affected Data Principals?
    • Which organisations will be notified as Significant Data Fiduciaries? The Bill lists the factors the central government must weigh (the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on sovereignty and integrity, electoral democracy, security of the State and public order), but the actual notifications are still to come.
    • What are the qualifications and responsibilities of the Data Protection Officer role? The Bill says only that the DPO must be based in India, represent the Significant Data Fiduciary, be the point of contact for grievance redressal and answer to the board of directors; detailed duties are still to be prescribed and may never be completely black and white. But I would expect them to oversee compliance, advise on risk assessments, conduct audits, coordinate with the Board etc.
    • What mechanisms need to be put in place to evaluate and audit compliance on a periodic basis? The Bill provides for regular data audits and reviews by both Data Fiduciaries and the Board. Specific audit mechanisms are still to be clarified, and this is why you should aim to build in best-practice security structures that (at least somewhat) future-proof your organisation against the changing winds of lawmaking.
    • How should data transfers or disclosures to third parties, including parent companies or overseas entities, be handled? The Bill permits transfers abroad except to countries the central government restricts by notification, but that list and any conditions attached to transfers are still to come.
    • What consent mechanisms meet the standard of being free, specific, informed, unconditional and unambiguous, and how is verifiable parental consent for children under 18 to be obtained in practice?
    • How can organizations train employees and raise awareness on requirements of the bill and their obligations regarding personal data?
    • What are the best practices regarding record maintenance and retention for activities concerning personal data?
    • How will the penalties and remedies be applied under the bill for non-compliance?
    • How will the rollout of the bill be phased for different sizes or types of organizations? What transition timelines can be expected?

    Should information security professionals wait to act until more detail is available on the DPDP Bill?

    Without trying to sound alarmist, waiting to act is like saying you will only apply the brakes on your car after you've hit another car. 

    The general outline of your responsibilities is already clear from the information we have. 

    So by waiting to take your first step you are robbing yourself of headroom to make mistakes, review things that don't work and generally to give yourself a second chance. 

    If you are a proactive professional and you want to make a name for yourself as someone who was part of a successful implementation of DPDP compliance regime, start with a gap analysis. 

    Gap analysis frameworks to assess your organisation's cybersecurity, application security and data protection readiness already exist and will give you a deep understanding of whether you need to prepare to climb a mountain or go for a picnic on lush green hills.

    Reach out to my team if you need help in conducting this gap analysis to get you started. 
