Decoding India's New Data Protection Act | Expert talks

In the rapidly evolving digital landscape, the protection of personal data has become a paramount concern for individuals and organizations alike. With the proliferation of digital technologies, vast amounts of personal information are being collected, processed, and stored, often without sufficient safeguards. This introduces the risk of breaches and privacy violations and highlights the urgent need for robust data protection frameworks. In response to these challenges, India has introduced the Digital Personal Data Protection Act (DPDPA), a groundbreaking legislation designed to secure personal data in the digital age.

In this interview, Smitha Chandrashekhar, legal director at HARMAN International, delves deep into the intricacies of the DPDPA, its implications for businesses, and the role of effective contract management in achieving compliance with the act. Here’s an overview of our discussion with her.

What is the DPDPA? 

The DPDPA is the latest comprehensive law enacted to regulate and protect personal data in India. According to Smitha, the DPDPA is forward-looking and broader in scope than other international data protection laws like the GDPR because it focuses on all forms of personal data, whether it’s in digital form or yet to be digitized. Smitha also mentions that a unique aspect of the law is that it mandates that data principals be given various forms of accessibility, including the ability to view the request for consent in various languages.

What should organizations do in order to achieve compliance?  

Smitha outlines several crucial steps that organizations need to take to achieve compliance with the DPDPA:

 1. Identify the data. 

Organizations must understand the vast array of personal data they handle, including data from employees, marketing activities, websites, and third-party interactions.

 2. Categorize the data. 

Determine the purpose of collecting personal data, and where it resides.

 3. Review and update existing contracts. 

Ensure all existing contracts, especially those involving agreements related to personal data, include references to the DPDPA to comply with its provisions.

 4. Implement strong data protection measures. 

Audit and enhance information security systems, establish robust access controls, and define data retention periods.

How to manage data during cross-functional collaboration  

Smitha emphasizes that it is the collective responsibility of all functions in an organization to ensure that personal data is protected at all costs. She highlights the following measures to be taken to manage data shared between multiple functions in an organization as well as externally.

1. Sales teams should work closely with the information security teams to ensure that all customer data is duly protected and that the required access controls are in place.

2. Apart from the sales and legal teams, other relevant teams, such as operations and finance, must also have information security measures in place to achieve compliance with the DPDPA.

3. For multinational companies that have teams working internationally, it is common to send and receive data from all over the world. In such situations, the teams must know where the data centres are located and if they comply with the data protection law of that location.

4. When sharing data with third parties and vendors, organizations must amend their existing contracts to add data protection clauses. Organizations must also have audit clauses, which should be broad enough to allow them to conduct audits of how their data will be stored and processed.

5. Smitha also says that it is very important to sensitize the stakeholders on the importance of data protection. Organizations should provide regular training and updates and make them aware of the legal requirements. This will ensure that the organizations comply from a 360-degree perspective.

What changes need to be made to existing contracts?

Smitha suggests that even though the standard form contracts already include data protection clauses, they need to be modified to comply with the DPDPA. She recommends the following changes to the existing contracts:

1. Reference to the DPDPA should be added to the existing contracts to ensure compliance.

2. Ensure that the data protection clauses check all the boxes from a DPDPA compliance perspective; otherwise, they need to be amended.

3. Another alternative is to have a generic clause in contracts that states that all data-related transactions shall be governed by the DPDPA and other applicable data protection regulations.

What changes should organizations make in their existing CLM process?

Smitha suggests that organizations should base any changes to their contract lifecycle management (CLM) processes on the organization's CLM maturity and risk appetite. She emphasizes that organizations should regularly update their existing contract templates and automate the approval workflows accordingly to accommodate new regulations. Smitha notes that common contracts, such as NDAs, are already automated, and legal intervention only occurs in complex transactions when fallback clauses are exhausted.

She also points out that using CLM software is beneficial, especially in cases involving complex transactions and multiple teams. "We recently implemented a CLM tool for our organization, enabling any lawyer within the organization, regardless of location, to access all contracts. Regional counsels regularly audit and update contracts from within the tool itself," Smitha says. She explains that issues arise when the third parties that organizations deal with are not equipped to handle such sophisticated systems. The organization is then left with no choice but to go back to traditional processes like sharing Word documents and red-lining.

How do CLM tools help in achieving compliance with the DPDPA and other data protection laws? 

Smitha says that the new-age CLM tools are built for compliance for the following reasons:

1. They offer transparency into the organization's CLM process by providing granular visibility into contracts and their associated data.

2. The tools are built with regulatory requirements in mind to help organizations improve compliance.

3. They have robust access control mechanisms.

Smitha also notes that CLM tools eliminate the need to use multiple applications, optimize process efficiency, and reduce contract cycle times.

What are the future trends in data protection and contract management?

Smitha acknowledges that compliance with regulatory requirements in India is tricky because of the many different laws it has. She anticipates that a new digital act in India may address these ambiguities, providing a more consolidated framework for privacy and data protection. She is also pleased that the government is proactive in implementing reforms and that the citizens are more aware than ever before about data privacy and protection.

Conclusion 

Smitha offers invaluable insights into the DPDPA and its implications. Organizations must take a proactive approach to data protection, leveraging tools and cross-functional collaboration to ensure compliance. As the digital landscape evolves, staying informed and adaptable will be key to navigating the complexities of data protection laws.

In navigating the complexities of data protection laws like the DPDPA, organizations require robust CLM tools like Zoho Contracts to streamline their contract management processes, mitigate risks, ensure compliance, and improve governance.
