Data Privacy and Breach
The new Act compels corporations to evolve beyond traditional firewalls toward nuanced, purpose-driven controls that prioritize individual consent and data rights. But questions surrounding what can be considered “reasonable” data protection remain.
This article is the final part in the series capturing the Digital Personal Data Protection Act (DPDPA) workshop’s key takeaways and deliberations. You can read the first three parts here, here, and here. In this part, we look at data privacy and protection.
On November 30, 2024, experts, policymakers, and industry leaders gathered at IIT Bombay for a workshop co-hosted by the Ashank Desai Centre for Policy Studies and IITB Trust Lab, in partnership with the Ministry of Electronics and Information Technology (MeitY) and the Bureau of Indian Standards.
Structured around four key themes—Overview of the Act, Role of Standards, Consent Management, and Data Privacy & Protection—the workshop served as a forum for identifying real-world challenges, and where participants discussed various questions and ambiguities surrounding the subject matter.
Strengthening Safeguards
The new Act requires corporations to expand their traditional understanding of data protection from cybersecurity to the broader and more nuanced realm of data privacy. While cybersecurity has historically centred on architectural controls—firewalls, intrusion detection systems, and other technical measures—data privacy introduces contextual controls.
Despite their distinct focus, cybersecurity and data privacy share significant overlap. Both require robust frameworks for data classification, search and discovery, as well as mechanisms for policy enforcement and audit trails. However, data privacy demands an additional layer of granularity, ensuring compliance with laws like the DPDPA, where individual consent and rights take precedence.
For example, a cybersecurity system might prevent unauthorised access to databases, but a privacy-oriented approach requires that even authorised access complies with specific purposes for which the data was collected.
Data Breach Under the DPDPA
The DPDPA defines a personal data breach under Clause 2(u) as
Any unauthorised processing, accidental disclosure, alteration, or destruction of personal data that compromises its confidentiality, integrity, or availability of personal data
And Clause 8(5) mandates that Data Fiduciaries implement “reasonable security safeguards” to prevent such breaches, even when processing is undertaken by third-party Data Processors.
The intersection of cybersecurity and data privacy highlights the need for organisations to adopt a comprehensive data protection strategy. While technical measures like encryption form the foundation, the focus must also be on understanding data flows, enforcing policies, and ensuring compliance with emerging legal standards.
Questions
What is "Reasonable" Data Protection?
A significant challenge is defining what constitutes “reasonable” data protection under the law. While the DPDPA requires Data Fiduciaries (Data Fiduciaries) to take “reasonable” safeguards, the term itself is inherently subjective. Legal frameworks often rely on the test of reasonability, asking what actions a person of ordinary prudence would take in similar circumstances.
Proportionality is a key principle. The practices required should be proportional to the size, nature, and complexity of the entity. Smaller firms might not be able to implement the same measures as large corporations, but they still need safeguards appropriate to their context. In this regard, additional clarity is needed on what constitutes reasonable compliance from the government.
How do you identify data leaks, given similar data points are held across many providers?
One of the issues is how to pinpoint the source of a data breach when multiple providers hold similar data points. Overlapping datasets can make it difficult to identify which entity failed to protect the information.
Forensic Evidence is one possibility, which leverages logs and audit trails to trace the origin of a leak. Additionally, technologies like watermarking can be used which involves embedding unique identifiers into datasets before sharing them. If a breach occurs, the watermark can help trace the compromised dataset back to its origin.
