August 17, 2023
India's DPDP Passed: Ease Compliance with Skyflow
With the passage of the Digital Personal Data Protection (DPDP) Act, 2023, new data protection requirements will impact companies with customers in India. So, how can these businesses protect their customers’ personal data to ease compliance with DPDP, and avoid fines of up to Rs 250 crore (approximately $30m)?
In this blog post, we’ll discuss how India’s DPDP Act, 2023 is part of a worldwide trend of data regulations, how companies that operate in India can future-proof their handling of customer data to ease compliance and reduce regulatory uncertainty, and how this law compares to previous personal data bills and the EU’s GDPR.
We’ll also show how Skyflow can help businesses to ease compliance with the DPDP Act and other data protection laws by isolating, protecting, and governing access to personal data.
Background on the DPDP Act
India’s parliament first introduced the DPDP Bill in late 2022, the latest in a series of personal data bills. More recently, the DPDP Bill was revised in 2023, passed by both houses of India’s Parliament, and finally passed into law.
Building on past proposed bills and responding to concerns raised by them, the DPDP Act sets a nationwide standard for the handling of all types of personal data – defined as “any data about an individual who is identifiable by or in relation to such data”. This includes data like an individual’s name, phone number, and Aadhaar (national ID).
However, it remains to be seen how DPDP will affect companies that operate in India or market products and services to the residents of India. After all, many aspects of the DPDP Act are subject to interpretation by a new regulator that it creates, the Data Protection Board (DPB).
The passage of the DPDP Act is part of a worldwide trend of governments regulating the handling of personal data. Whether your business is based in India, or you have customers in India, it’s time to take a closer look at the worldwide trend and how to ease compliance with the DPDP Act and similar laws, like GDPR.
A Worldwide Trend: More Data Regulations, More Uncertainty for Businesses
Over the last several years, companies the world over have struggled to adapt to a constantly shifting regulatory landscape around the collection, storage, and processing of personal data. Growing public concern over data collection practices, consent, and data protection has pushed legislators across the world to enact laws like the European Union’s influential GDPR.
With each data security breach or data collection scandal, this pressure grows, leading to the proliferation of new legislation. And even when legislation is passed, uncertainties remain as legislators and enforcement agencies seek to interpret the law and issue decisions and guidance.
But while the uncertainties introduced by legislation like the latest DPDP Act are immense, it has a lot in common with other data protection laws that contain similar requirements, such as:
- Protection of personal data to prevent data breaches (using techniques like data isolation, encryption, and access control)
- Restricting the use of customer data to its stated purpose
- Forbidding the retention of personal data when it’s no longer needed for its stated purpose
- Requiring notification of impacted individuals in the event of a data breach
- Granting certain rights to individuals over their personal data
These similarities mean that solutions developed to help companies comply with laws like GDPR can also help them to prepare for the DPDP Act.
And, this means that businesses that operate in India can avoid being reactive, and can instead future-proof their handling of customer data to protect themselves from regulatory uncertainty.
India’s DPDP Act Creates Uncertainty for Businesses (Again)
The DPDP Act is relatively simple, adding just a few updates to the version first considered in 2022.
Like the 2022 bill, the DPDP Act streamlines the guidance around what’s required when handling personal data, and what constitutes a violation. But, this simplification also means that even now that the DPDP Act has passed into law, many issues remain open to interpretation by India’s Parliament and a new agency, the Data Protection Board (DPB).
The proposed creation of the new DPB is just one of the changes introduced in the DPDP Act compared to previous data protection bills. So, what else has changed in the DPDP Act?
Comparing the DPDP Act to Previous Personal Data Bills
Like India’s previous personal data bills, the DPDP Act focuses primarily on three types of stakeholders:
- Data Fiduciaries: These are companies that collect personal data from individuals (data principals) that might work with one or more data processors. Their duties include protecting that data from misuse, processing requests from data principals, and informing them in the event of a data breach (and also informing the DPB). Data fiduciaries must also protect personal data that’s stored with data processors.
- Data Processors: These are companies that process data on behalf of data fiduciaries. They're also obligated to protect that data from misuse and inform data principals and the DPB in the event of a data breach.
- Data Principals: These are the individuals who provide their personal data to data fiduciaries. They have a range of rights, including the right to correct or update their personal data as recorded by data fiduciaries or request its erasure if it is no longer needed for its intended purpose.
There are several key differences between the DPDP Act and earlier personal data bills such as the DPDP Bill, 2022 – most notably:
- Data Regulation Scope: The DPDP Act applies to the processing of “digital personal data”, so it doesn’t impact non-personal data or data stored in non-digital formats. It applies to the processing of this data within the territory of India, or outside of India when related to business activities involving data principals within India. The DPDP Act also clarifies that its scope includes data that is collected digitally or data that is collected offline and later stored in a digital format. And, it requires data minimization: only the personal data required for an authorized purpose is collected.
- Increased Fines: Under the DPDP Act, fines for non-compliance range as high as Rs 250 crore for data fiduciaries and data processors.
- Data Principal Duties: Under the DPDP Act, data principals have not only rights but also several duties, such as: not making false or frivolous complaints or impersonating other data principals. And, data principals can be fined Rs 10,000 if they don’t uphold these duties.
- Updated Provisions on International Data Transfers: The DPDP Bill, 2022 would have required that personal data be stored locally in India, or be transferred only to a list of approved countries. On the other hand, the DPDP Act gives the government the power to forbid the transfer of personal data to specific countries or territories in the future. It remains to be seen how much of a focus the DPB will place on issues like cross-border data transfers and data residency.
- Updated Exemptions: Under the DPDP Act, processing personal data for public interest purposes is no longer exempt as it was in the 2022 version. But, data made public by a data principal or under a legal obligation is now exempt.
- Updated Consent Guidelines: The DPDP Bill, 2022 included the concept of “deemed consent” for data processing. In contrast, the DPDP Act focuses on “legitimate uses” for personal data and requires explicit consent from data principals (or parents/guardians for data principals under 18) outside of such specified legitimate uses.
As stated above, the DPDP Act is a streamlined framework designed to clarify the obligations of companies that collect, store, and process personal data in India. Like preceding bills, it defines a set of rules and consequences – including large fines – for companies that don’t honor the rights of data principals or protect their personal data.
Next, let's look at how the DPDP Act compares to the GDPR.
What Does the DPDP Act Have in Common with GDPR?
Both the DPDP Act and the EU’s GDPR are examples of a global shift towards protecting sensitive data.
A few areas that they have in common include the following:
- Data Requests: Both the DPDP Act and GDPR grant various rights to individuals (i.e., data principals), like the right to request a copy of their data on file, correct that data, and erase data that’s no longer needed through a process called data requests (sometimes abbreviated as DSR or DSAR). And, they both define significant fines for violations of these rights.
- Personal Data Protection: Both the DPDP Act and GDPR require that personal data is protected, although they define the types of data they protect somewhat differently.
- Breach Notification: Both the DPDP Act and GDPR require notification of individuals and authorities in the event of a data breach impacting personal data.
- Non-technical Requirements: Both the DPDP Act and GDPR have certain non-technical requirements. For example, both require that certain companies that process a large volume of their residents’ personal data appoint a data protection officer that resides within their jurisdictions. In the case of the DPDP Act, this requirement applies only to companies who are notified of their status as “significant data fiduciaries”.
And of course, there are several key differences between the DPDP Act and the EU’s GDPR, such as how they define the personal data that they regulate, and how they handle restrictions on cross-border data transfers.
But, the core ideas underlying both the DPDP Act and GDPR are the same. And although the DPDP Act is less comprehensive than GDPR, global companies can use the same techniques to ease compliance with GDPR and the DPDP Act.
Whether you’re looking to comply with the DPDP Act, GDPR, or another data protection law, the only certainty is that data protection legislation will continue to evolve, causing potential disruptions or restricting market opportunities for companies that use personal data but aren’t fully compliant.
This is why we believe that the best way to prepare for this uncertainty is to develop a strong sensitive data posture, going beyond what’s required by current laws to protect your customers’ personal data from misuse.
By taking this approach, you’ll be ready when the DPB begins enforcing the DPDP Act so you can avoid disruptions to your business operations.
How Skyflow Protects Personal Data and Eases Compliance
Skyflow Data Privacy Vault isolates and secures personal data and tightly controls access to it, so that you can manage, monitor, and use that data.
Skyflow is certified SOC2 Type 2, ISO 27001, and PCI Level 1 compliant and eases compliance with any data protection law, including DPDP and GDPR. It uses a set of advanced data protection techniques, including advanced encryption, redaction, and access control to isolate, protect, and govern personal data.
To learn more about these capabilities and how Skyflow can help you protect personal data without sacrificing data utility, please see our blog post on data privacy vaults.
Skyflow offers a wide range of capabilities to protect customer data and ease compliance, including our data governance engine, polymorphic encryption, and flexible tokenization.
Data Governance Engine
With Skyflow’s unique data governance engine, you can control who sees what, when, where, and how.
You can also add column- and row-level data access controls, based on any combination of policy, role, or attribute; so you can keep your customers’ most personal data beyond the reach of employees who don’t need it.
With context-aware authorization, you can go beyond the limits of traditional access control. And, Skyflow’s support for transient data helps you make sure data is deleted as soon as you no longer need it – as required by the storage and purpose limitations detailed in the DPDP Act.
Next, let's look at other capabilities that your business can use to protect sensitive data: polymorphic encryption, Skyflow Connections, and secure workflows.
Polymorphic Encryption, Connections, and Secure Workflows
Encryption-at-rest is required by several industry standards, and it's far better than storing unencrypted data. But in many cases, encryption-at-rest isn’t sufficient.
Skyflow’s polymorphic encryption lets you treat each type of personal data differently, so when you only need one part of a user’s address, that’s all you decrypt. It also lets you run matching and comparison operations on encrypted data without the need to decrypt it, so you can run credit and KYC checks while keeping personal data fully encrypted.
Keeping personal data fully encrypted in a data privacy vault helps you protect it. But what if you’re sharing personal data for processing or storage with a trusted third-party service, such as a credit check or KYC check service – a data processor? To protect personal data in these workflows, you can use Skyflow Connections and secure workflows.
All of this sounds great, but what if your customers’ personal data is already scattered across your systems and services?
Avoiding Data Sprawl: Tokenize and Isolate Personal Data
How can you isolate personal data if you need to use it and it’s present everywhere: databases, logs, data warehouses, etc?
This is such a common problem that it has a name: data sprawl. And it makes compliance with data requests, such as data erasure requests, exceedingly difficult.
A typical example of an architecture with data sprawl looks like this:
Skyflow’s flexible approach to tokenization lets you prevent data sprawl while putting all of your access controls – and personal data – in one place, where they can be centrally managed (and quickly located in the event of requests from data principals).
And those databases, logs, and data warehouses? Tokenizing personal data gives you “stand-ins” to help with those.
Tokenization is a non-algorithmic data obfuscation technique that swaps personal data for tokens. For example, if you tokenize a customer’s name, like “Manish”, it gets replaced by an obfuscated (or tokenized) string like “A12KTX”.
Because there’s no mathematical relationship between “Manish” and “A12KTX”, even if someone has the tokenized data, they can’t get the original data from tokenized data without access to the tokenization process. So, even if an environment populated with tokenized data is breached, this doesn’t compromise the original data.
By using Skyflow’s APIs to collect personal data and tokenize it, you can manage this data without having your backend systems ever touch it. Instead, your backend manages tokens that point to personal data that is isolated in your Skyflow Vault.
The result looks like this:
To detokenize your customers’ personal data, your backend systems provide those tokens to Skyflow, which confirms that your request meets strict zero trust access controls before detokenizing and returning the requested data.
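The tokenize, detokenize, and erase flow described above, as an added sketch that is not Skyflow's API or code from this post. `TokenVault`, the role names, and the sample records are hypothetical, and tokens here are random per call rather than derived from the value.

```python
import secrets

class TokenVault:
    """Toy in-memory vault: random tokens, role-gated detokenization."""

    def __init__(self, allowed_roles):
        self._store = {}                    # token -> original value
        self._allowed = set(allowed_roles)  # roles permitted to detokenize

    def tokenize(self, value):
        # The token is drawn from a CSPRNG, not derived from the value, so
        # it cannot be reversed without the vault's lookup table.
        token = secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token, role):
        if role not in self._allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        if token not in self._store:
            raise KeyError("unknown or erased token")
        return self._store[token]

    def erase(self, token):
        # Erasure request: delete once here; token copies left in databases
        # and logs become dead references.
        return self._store.pop(token, None) is not None

def fails_with(exc, fn, *args):
    """Return True if fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    vault = TokenVault(allowed_roles={"kyc-service"})
    token = vault.tokenize("Manish")                  # constructed sample value
    orders_db = [{"order_id": 1, "customer_name": token}]  # backend holds tokens only
    app_log = [f"order 1 placed by {token}"]
    return {
        "leaked": "Manish" in repr(orders_db) + repr(app_log),
        "allowed": vault.detokenize(token, "kyc-service"),
        "denied": fails_with(PermissionError, vault.detokenize, token, "analytics"),
        "erased": vault.erase(token),
        "gone": fails_with(KeyError, vault.detokenize, token, "kyc-service"),
    }
```

Calling `demo()` shows that the backend records never contain the name, that only the permitted role can detokenize, and that a single erase in the vault invalidates every copy of the token held elsewhere.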
Tokenization is an effective way to protect sensitive data, whether it’s used to tokenize credit card data as required by Reserve Bank of India payment regulations, or used to protect personal data as required by the DPDP Act. You can learn more about Skyflow’s flexible approach to tokenization in our tokenization blog post.
Meet DPDP Act Requirements with Skyflow
Here’s a high-level summary of key technical requirements from the DPDP Act, and how Skyflow eases compliance:
At this point, you might be thinking: this looks like a good solution, but how much support does Skyflow provide to businesses located in India?
Skyflow Is In India, Ready to Help
Many members of the Skyflow team are located in India, based in our Bangalore office. We're excited to work with you to help you to protect personal data with sales, solutions architecture, and customer implementation teams – all based in India.
And with much of our engineering team also located in Bangalore, you won’t have to worry that you’re not getting the same level of service and support that a business in North America would.
Skyflow is built in India, staffed up, and ready to help businesses prepare for the passage of the DPDP bill into law by protecting their customers’ personal data.
Data protection regulations can be a source of uncertainty for businesses, but they don’t have to be a stumbling block for businesses that take a proactive approach to protecting personal data.
By using Skyflow, you can:
- Isolate personal data in a data privacy vault, where it’s stored and managed separately from the other data your business handles. Having all personal data isolated in a vault, separate from other data, makes it much easier to process DSARs like personal data deletion requests.
- Govern access to personal data, so critical workflows get the exact level of data access that’s required.
- Protect personal data by encrypting and storing it in your Skyflow Vault as it’s being collected, freeing your infrastructure from compliance concerns.
If you’d like to learn more about how Skyflow can help you protect your customers’ personal data while easing compliance, contact us to learn more.