December 22, 2022

India’s DPDP Bill: How Skyflow Eases Compliance

All businesses handle some degree of regulatory uncertainty, but uncertainty around the regulation of your customers’ personal data can be particularly worrisome – after all, such data is essential to many businesses. So, how can companies in India future-proof their handling of their customers’ personal data to better protect it, while easing compliance with pending laws like the draft Digital Personal Data Protection (DPDP) Bill, 2022?

In this blog post, we’ll discuss how India’s new DPDP Bill is part of a worldwide trend of data regulations, how companies in India can future-proof their handling of customer data to reduce legal uncertainty, and how the DPDP Bill compares to previous personal data bills and the EU’s GDPR. 

We’ll also show how Skyflow can help businesses to reduce regulatory uncertainty by isolating, protecting, and governing access to personal data, so businesses can be ready when the DPDP Bill, or a similar law, goes into effect.

Background on the DPDP Bill

The DPDP Bill is the fourth in a line of proposed bills, each of which has attempted to create a regulatory framework to support a 2017 Supreme Court ruling that affirmed privacy as a constitutional right.  

India’s parliament recently introduced this bill, the latest in a series of personal data bills that include the previous Joint Parliamentary Committee’s Data Protection (JPCDP) Bill, 2021 and the Personal Data Protection (PDP) Bill, 2019.

Building on past proposed bills and responding to concerns raised by them, the DPDP Bill aims to set a nationwide standard for the handling of personal data like names and dates of birth. 

However, it remains to be seen how this bill (if passed) will affect companies that operate in India or market products and services to the residents of India. After all, many aspects of the DPDP Bill are subject to interpretation by parliament and at the discretion of a new regulator that the bill would create, the Data Protection Board (DPB).

While this bill and some of these outstanding questions create uncertainty for businesses that operate in India, there are two things that we can say with certainty regarding the DPDP Bill:

  • In India, A Data Protection Law is Coming Soon: Momentum is building in India toward nationwide regulation of Indian residents’ digital personal data, part of a worldwide trend of governments regulating the handling of this data. 
  • The Time to Be Proactive is Now: After considering the potential impact of the previous draft personal data bills, and now the DPDP Bill, many businesses in India are looking to be proactive and adopt future-proof solutions for handling customer data.

A Worldwide Trend: More Data Regulations, More Uncertainty for Businesses

Over the last six years, companies the world over have struggled to adapt to a constantly shifting regulatory landscape around the collection, storage, and processing of personal data. Growing public concern over data collection practices, consent, and data protection has pushed legislators across the world to enact laws like the European Union’s GDPR. 

With each data security breach or data collection scandal, this pressure grows, leading to the proliferation of new legislation. And even when legislation is passed, uncertainties remain as legislators and enforcement agencies seek to interpret the law and issue decisions and guidance.

But while the uncertainties introduced by legislation like the DPDP Bill are immense, the bill shares many requirements with other data protection laws, such as:

  • Protection of personal data to prevent data breaches (using techniques like data isolation, encryption, and access control)
  • Restricting the use of customer data to its stated purpose
  • Forbidding the retention of personal data when it’s no longer needed for its stated purpose
  • Requiring notification of impacted individuals in the event of a data breach
  • Granting certain rights to individuals over their personal data 

These similarities mean that solutions developed to help companies comply with laws like GDPR can help them to prepare for a potential future law like the DPDP Bill.

And, this means that businesses that operate in India can avoid being reactive, and instead future-proof their handling of customer data to protect themselves from regulatory uncertainty.

India’s Draft DPDP Bill Creates Uncertainty for Businesses (Again)

Unlike its predecessors, which struggled with creating a concise definition of privacy and created compliance concerns for many companies (and especially startups), the DPDP Bill is relatively simple. In fact, DPDP contains only 30 clauses, a 70% reduction from the previous JPCDP Bill.

This simplification signals an effort to streamline the guidance around what’s required when handling personal data, and what constitutes a violation. But, this simplification also means that even after the DPDP Bill is potentially passed into law, many uncertainties will remain open for interpretation by the parliament, and at the discretion of a new agency, the Data Protection Board (DPB).

The proposed creation of the new DPB is just one of the changes introduced in the DPDP Bill compared to its predecessor bills.

So, what else has changed in this bill?

Comparing the DPDP Bill and Previous Personal Data Bills

Like India’s previous personal data bills, the DPDP Bill focuses primarily on three types of stakeholders:

  • Data Fiduciaries: These are companies that collect personal data from individuals (data principals), and who might work with one or more data processors. Their duties include protecting that data from misuse, processing requests from data principals, and informing them in the event of a data breach (and also informing the DPB). 
  • Data Processors: These are companies that process data on behalf of data fiduciaries. They're also obligated to protect that data from misuse and inform data principals and the DPB in the event of a data breach. 
  • Data Principals: These are the individuals who provide their personal data to data fiduciaries. They have a range of rights, including the right to correct or update their personal data as recorded by data fiduciaries, or request its erasure if it is no longer needed for its intended purpose. Collectively, such requests are known as Data Subject Access Requests (DSARs).

There are several key differences between the DPDP Bill and the previous personal data bills, most notably:

  • Data Regulation Scope: The DPDP Bill applies to the processing of “digital personal data”, so it doesn’t impact non-personal data or data stored in non-digital formats. It applies to the processing of this data within the territory of India, or outside of India when related to business activities involving data principals within India.
  • Increased Fines: Under the DPDP Bill, fines for non-compliance are much higher than in previous bills, ranging as high as Rs 500 crore ($60m) for data fiduciaries and data processors.
  • Data Principal Duties: Under the DPDP Bill, data principals have not only rights but also several duties, such as not making false or frivolous complaints and not impersonating other data principals. Data principals can be fined Rs 10,000 if they don’t uphold these duties.
  • Removal of Data Residency and Data Transfer Requirements: The DPDP Bill removes the requirement for “critical personal data” (a subset of data defined in previous bills) to be stored locally in India, which was a requirement present in the previous personal data bills. In fact, the DPDP Bill doesn’t define multiple classes of personal data – all personal data is subject to the same regulations. The DPDP Bill also doesn’t regulate cross-border data transfers, unlike previous bills.

As stated above, the DPDP Bill is a streamlined framework designed to clarify the obligations of companies that collect, store, and process personal data in India. Like preceding bills, it creates a set of rules, and also defines consequences, including large fines, for companies that don’t honor the rights of data principals or protect their personal data. 

However, unlike many privacy bills, it contains many exemptions to these rules, with significant latitude when it comes to cases where data can be obtained and utilized without a data principal’s explicit consent.

The DPDP Bill is unique in many ways and warrants a close analysis for anyone considering how to prepare for its passage, but it has some similarities with the EU's GDPR.

Next, let's look at how the DPDP Bill compares to the GDPR.

What Does the DPDP Bill Have in Common With GDPR?

Both the DPDP Bill and the EU’s GDPR are, broadly speaking, examples of a global shift towards “privacy as a right”.

A few areas that they have in common include the following:

  • Data Subject Access Requests: Both the DPDP Bill and GDPR grant various rights to individuals (i.e., data principals), like the right to request a copy of their data on file, correct that data, and erase data that’s no longer needed through a process called data subject access request (DSAR). And, they both define significant fines for violations of these rights.
  • Personal Data Protection: Both the DPDP Bill and GDPR require that personal data is protected (although they define the types of data they protect somewhat differently).
  • Breach Notification: Both the DPDP Bill and GDPR require notification of individuals and authorities in the event of a data breach impacting personal data.
  • Non-technical Requirements: Both the DPDP Bill and GDPR have certain non-technical requirements. For example, both require that certain companies that process a large volume of their residents' personal data appoint a data protection officer that resides within their jurisdictions. In the case of the DPDP Bill, this requirement applies only to companies who are notified of their status as “significant data fiduciaries”.

And of course, there are several key differences between the DPDP Bill and the EU’s GDPR, such as how they define the personal data that they regulate, and the GDPR’s restrictions on cross-border data transfers.

But, the core ideas underlying both the DPDP Bill and the GDPR are the same. And although the DPDP Bill is less comprehensive than GDPR, global companies can use the same techniques to ease compliance with GDPR and prepare for compliance with the DPDP Bill.

How Can Skyflow Help Manage Regulatory Uncertainty?

Whether you’re looking to comply with the DPDP Bill, GDPR, or another data privacy law, the only certainty is that data privacy legislation will continue to evolve, causing potential disruptions or restricting market opportunities for companies that use personal data but aren’t fully compliant. 

This is why we believe that the best way to prepare for this uncertainty is to develop a strong privacy posture, going beyond what’s required by current laws to protect your customers’ personal data from misuse. 

By taking this approach, you’ll be ready when the DPDP bill (or a similar bill) becomes law in India. And this means you’ll be ready to comply more quickly than your competitors, rather than having your business operations vulnerable to disruption.

How Skyflow Protects Personal Data and Eases Compliance 

Skyflow Data Privacy Vault isolates and secures personal data and tightly controls access to it, so you can manage, monitor, and use that data.

Skyflow is certified SOC2 Type 2 and PCI Level 1 compliant and eases compliance with any data privacy law, including DPDP and GDPR. It uses a set of advanced data protection techniques, including advanced encryption, redaction, and access control to isolate, protect, and govern personal data. 

To learn more about these capabilities and how Skyflow can help you protect the privacy of personal data without sacrificing data utility, check out this post from our blog: What is a Data Privacy Vault?

Skyflow offers a wide range of capabilities to protect customer data and ease compliance, including a data governance engine, polymorphic encryption, and flexible tokenization.

Data Governance Engine

How much control do you have over your data if employee credentials are compromised? With Skyflow’s unique data governance engine, you can control who sees what, when, where, and how. 

You can also add column- and row-level data access controls, based on any combination of policy, role, or attribute; so you can keep your customers’ most personal data beyond the reach of employees who don’t need it. 

And with context-aware authorization, you can go beyond the limits of traditional access control.

Next, let's look at polymorphic encryption.

Polymorphic Encryption

Encryption-at-rest is required by several industry standards, and it's far better than storing unencrypted data. But in many cases, encryption-at-rest isn’t sufficient. 

Skyflow’s polymorphic encryption lets you treat each type of personal data differently, so when you only need one part of a user’s address, that’s all you decrypt. It also lets you run matching and comparison operations on encrypted data without the need to decrypt it, so you can run credit and KYC checks while keeping personal data fully encrypted.

Keeping personal data fully encrypted in a data privacy vault helps you protect it. But, what if it’s already scattered across your systems and services?

Avoiding Data Sprawl: Tokenize and Isolate Personal Data

How can you isolate personal data if you need to use it and it’s present everywhere: databases, logs, data warehouses, etc.?

This is such a common problem that it has a name: data sprawl. And it makes compliance with DSARs, especially deletion requests, exceedingly difficult. 

A typical example of an architecture with data sprawl looks like this:

An Architecture With Data Sprawl: Personal Data is Difficult to Manage and Protect

Skyflow’s flexible approach to tokenization lets you prevent data sprawl while putting all of your access controls – and personal data – in one place, where they can be centrally managed (and quickly located in the event of DSARs, including deletion requests). 

And those databases, logs, and data warehouses? Tokenizing personal data gives you “stand-ins” to help with those. 

Tokenization is a non-algorithmic data obfuscation technique that swaps personal data for tokens. For example, if you tokenize a customer’s name, like “Manish”, it gets replaced by an obfuscated (or tokenized) string like “A12KTX”. 

Because there’s no mathematical relationship between “Manish” and “A12KTX”, even if someone has the tokenized data, they can’t get the original data from tokenized data without access to the tokenization process. So, even if an environment populated with tokenized data is breached, this doesn’t compromise the original data.

By using Skyflow’s APIs to collect personal data and tokenize it, you can manage this data without having your backend systems ever touch it. Instead, your backend manages tokens that point to personal data that’s isolated in your Skyflow Vault.

The result looks like this:

An Architecture With Personal Data Isolated in Skyflow Data Privacy Vault

To detokenize your customers’ personal data, your backend systems provide those tokens to Skyflow, which confirms that your request meets strict zero trust access controls before detokenizing and returning the requested data. 
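The tokenize, detokenize and deletion flow described above, together with the column-level access control from the Data Governance Engine section, as an added sketch that is not Skyflow's API or code. The `TokenVault` class, the role names and the policy table are assumptions made for illustration, and the customer record is constructed sample data.

```python
import secrets

class TokenVault:
    """Toy in-memory vault for illustration; not Skyflow's API."""
    def __init__(self, policy):
        self._policy = policy      # role -> columns it may detokenize (assumed model)
        self._by_token = {}        # token -> (subject_id, column, value)
        self._by_subject = {}      # subject_id -> tokens, so erasure is one lookup
        self.audit = []            # (role, column, outcome) for every known token

    def tokenize(self, subject_id, column, value):
        token = secrets.token_urlsafe(12)  # random: no mathematical link to value
        self._by_token[token] = (subject_id, column, value)
        self._by_subject.setdefault(subject_id, set()).add(token)
        return token

    def detokenize(self, role, token):
        if token not in self._by_token:
            raise KeyError("unknown or erased token")
        _, column, value = self._by_token[token]
        allowed = column in self._policy.get(role, set())
        self.audit.append((role, column, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {column!r}")
        return value

    def erase_subject(self, subject_id):
        # Deletion request: every value for this person lives in one place.
        tokens = self._by_subject.pop(subject_id, set())
        for token in tokens:
            del self._by_token[token]
        return len(tokens)

def attempt(vault, role, token):
    """Return the value, or the name of the error that blocked the read."""
    try:
        return vault.detokenize(role, token)
    except (PermissionError, KeyError) as exc:
        return type(exc).__name__

def demo():
    # Constructed sample policy and customer record.
    vault = TokenVault({"support": {"name"}, "kyc": {"name", "dob"}})
    row = {"name": vault.tokenize("cust-1", "name", "Manish"),
           "dob": vault.tokenize("cust-1", "dob", "1990-01-01")}
    out = {"support_name": attempt(vault, "support", row["name"]),
           "support_dob": attempt(vault, "support", row["dob"]),
           "kyc_dob": attempt(vault, "kyc", row["dob"])}
    out["erased"] = vault.erase_subject("cust-1")
    out["after_erase"] = attempt(vault, "kyc", row["name"])
    return out, row, vault.audit

if __name__ == "__main__":
    print(demo())
```

The backend row holds only tokens, so after `erase_subject` the tokens left behind in databases or logs resolve to nothing.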

You can learn more about Skyflow's flexible approach to tokenization in our tokenization blog post.

Skyflow Is In India, Ready to Help

Many members of the Skyflow team are located in India, based in our Bangalore office. We're excited to work with you to help you to protect the privacy and security of personal data with sales, solutions architecture, and customer implementation teams – all based in India.

And with much of our engineering team also located in Bangalore, you won’t have to worry that you’re not getting the same level of service and support that a business in North America would.

Skyflow is built in India, staffed up, and ready to help businesses prepare for the passage of the DPDP bill into law by protecting their customers’ personal data.

Final Thoughts

Data protection regulations can be a source of uncertainty for businesses, but they don’t have to be a stumbling block for businesses that take a proactive approach to protecting personal data.

By using Skyflow, you can:

  • Isolate personal data in a data privacy vault, where it’s stored and managed separately from the other data your business handles. Having all personal data isolated in a vault, separate from other data, makes it much easier to process DSARs like personal data deletion requests.
  • Govern access to personal data, so critical workflows get the exact level of data access that’s required. 
  • Protect personal data by encrypting and storing it in your Skyflow Vault as it’s being collected, freeing your infrastructure from compliance concerns.

If you’d like to learn more about how Skyflow can help you protect the privacy and security of your customers’ personal data while easing compliance, contact us to learn more.
