How India’s DEPA Framework Uses Software to Empower Privacy Compliance
As detailed as laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) are, there is no one-size-fits-all framework for data privacy. You may know the rules, but how do you make sure you and the rest of your organization are following them? More specifically, how do you build privacy-focused behaviors into your organization from the bottom up? How can you make sure the third parties to whom you transfer data are holding themselves to the same standards? Agreeing to principles like consent and purpose limitation is not the same as executing them.
Frameworks tend to point to a few trusted tactics: training, communication, encryption, software. The last may seem particularly appealing: wouldn't it be nice if there were a program that did all the work for you? While many automated tools can handle parts of the task, making sure they work in tandem with each other and with your employees is a full-time job. Here is how to approach using software to put each data privacy principle to which your organization has committed into action.
Looking to India
In his column for Mint, Rahul Matthan points to India’s Data Empowerment and Protection Architecture (DEPA) as a foundational resource for using software to adhere to data privacy principles. “It can establish a technological framework within which most—if not all—of the principles that underpin modern privacy legislation can be implemented in code,” he writes.
He maintains that DEPA offers a crucial answer to the risk and loss of control that come with transferring data between fiduciaries. Instead of counting on the third parties you work with to pull their own weight and adhere to every data privacy principle, Matthan points out that you can deploy software that ensures every transfer adheres to those principles.
Other industry figures echo Matthan’s emphasis on DEPA’s importance. “DEPA is aimed at empowering people to have seamless and secure access to their data and share it with third-party institutions. It proposes the creation of a new form of Consent Manager institution which would ensure that individuals can provide consent for every piece of data shared for protection of data rights,” says CocoFax co-founder Olivia Tan. “DEPA is aimed at replacing the current mechanism for data access and sharing which involves bulk printout notarization and physical submission, screen scraping, username/password sharing etc. It recognizes the problem of small firms not being able to reap the benefits of individual data.”
Notice and Consent
Most privacy laws include some obligation to take consumer concerns into account when processing their data, and many go as far as to ban the collection or processing of data without the subject’s consent. Even more common is the obligation to notify consumers when their data is being collected, including the categories of data in question and the purposes of collection.
Notice and consent is particularly relevant when transferring data to third parties. In many cases you will need to tell consumers where their data is going, and often give them the right to opt out of, or opt in to, the collection of their data.
To guarantee consistent consent for third-party transfers, DEPA uses the electronic consent framework published by India’s Ministry of Electronics and Information Technology (MeitY). This framework acts as a liaison between data subjects and the data fiduciaries requesting their data. Before a transfer, the requesting fiduciary must fill out a consent request (the framework’s consent artefact) stating what data it needs, what it needs the data for, and how long it plans to keep it. Once a processor or controller fills this out, due notice goes to the consumer, who then has the opportunity to consent to the transfer. The transfer can only be completed once consent is obtained.
Embracing a process like this removes any ambiguity between fiduciaries about whether consent has been obtained, because the transfer mechanism itself refuses to move data without a recorded consent. That guarantee only holds if every channel through which data leaves a fiduciary goes through the consent manager; a side channel that bypasses it (an export job, a shared credential, a bulk file drop) reintroduces exactly the assumptions the framework is meant to eliminate. While barriers like this may seem restricting, anything less would go against the interests of data privacy and compliance.
Purpose Limitation and Data Minimization
While the issue of consent is fairly cut and dried, some principles allow for vague definitions and fuzzier metrics. The idea that organizations should collect only as much data as is necessary to fulfill specific, explicitly stated, and legitimate purposes seems simple enough. However, the power to judge whether a purpose is legitimate and whether an appropriate amount of data was collected to fulfill it has always rested with regulators.
To simplify this, DEPA establishes a series of templates for the various purposes of data collection, which fiduciaries must fill out when requesting a transfer. The idea is that any legitimate transfer request should fit easily into one of these templates, so a request that does not fit, or that asks for more categories of data than its stated purpose justifies, can be rejected before the subject is even notified. This sets the boundaries for how organizations can use data while giving regulators a way to check that the amount collected is not excessive.
Retention and Use Limitation
As you might expect, it is much easier to use software before the transfer, to ensure that only compliant transfers go through, than afterwards. Once the transfer has been completed and the data is in the recipient fiduciary’s hands, it is much harder to automate compliance. As far as DEPA is concerned, the obligations to use data only for the stated purposes and to keep it no longer than necessary are something fiduciaries are left to meet on their own.
Matthan recognizes this as a serious limitation of DEPA. “If DEPA is to be an end-to-end solution for privacy, we have to incorporate technological safeguards that address the issues of use limitation and data retention as well,” he writes.
However, he points to confidential computing offerings from companies like Microsoft as existing resources fiduciaries can use to comply with the post-transfer principles. The idea is to process the data inside a hardware-isolated trusted execution environment in the cloud: the data stays encrypted in memory, only code that the data provider has verified through attestation can decrypt it, and neither the cloud operator nor the recipient’s administrators can read it or copy it out. That closes the blind spot in which a third party could quietly repurpose or over-retain the data, with the caveat that it only helps if the provider actually checks the attestation before releasing data and the attested code itself enforces the consented purpose and retention period.
Rather than handing data to third parties and taking their word for it, it is wiser to insist that it be deposited into a controlled environment like this. Either way, it is critical to have a mechanism that tells fiduciaries which purposes subjects have consented to and blocks data use for any other purpose.
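To make the three gates discussed above concrete (the consent artefact and transfer gate from the Notice and Consent section, the purpose templates from the Purpose Limitation section, and the post-transfer use and retention checks this section asks for), here is an added example in Python. It is not DEPA's code and does not use the MeitY artefact schema; the purpose templates, the names "alice" and "lender", the 30-day retention window and the sample bank-statement record are all constructed for the illustration. The consent manager refuses any transfer without a live, matching consent record, and the recipient side keeps every record tagged with its artefact so that it can only be read for the consented purpose and is purged when the window closes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed purpose templates (not DEPA's real list): each purpose names the
# categories it can justify; a request outside them is rejected before any notice.
PURPOSE_TEMPLATES = {
    "loan_underwriting": frozenset({"bank_statement", "income_proof"}),
    "insurance_quote": frozenset({"health_record"}),
}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the scenario

class ConsentError(Exception):
    """Raised whenever a transfer or use would fall outside the recorded consent."""

@dataclass(frozen=True)
class ConsentArtefact:
    """What the requester filled in and the subject agreed to: data, purpose, duration."""
    subject: str
    requester: str
    purpose: str
    categories: frozenset
    expires_at: datetime

def validate_request(purpose, categories):
    """Data minimisation: the request must fit a template and ask for no more than it allows."""
    allowed = PURPOSE_TEMPLATES.get(purpose)
    if allowed is None:
        raise ConsentError(f"purpose {purpose!r} matches no template")
    if excess := set(categories) - allowed:
        raise ConsentError(f"purpose {purpose!r} does not justify {sorted(excess)}")

class ConsentManager:
    """Liaison between data principal and requester: no consent record, no transfer."""
    def __init__(self):
        self._consents = {}  # (subject, requester, purpose) -> ConsentArtefact

    def grant(self, subject, requester, purpose, categories, retain_for, now):
        validate_request(purpose, categories)  # over-broad requests never reach the subject
        art = ConsentArtefact(subject, requester, purpose, frozenset(categories), now + retain_for)
        self._consents[(subject, requester, purpose)] = art
        return art

    def authorize_transfer(self, subject, requester, purpose, categories, now):
        art = self._consents.get((subject, requester, purpose))
        if art is None:
            raise ConsentError("no consent on record for this subject, requester and purpose")
        if now >= art.expires_at:
            raise ConsentError("consent has expired")
        if not set(categories) <= art.categories:
            raise ConsentError("requested categories exceed the consented ones")
        return art

class Fiduciary:
    """Recipient side: every record is tagged with its artefact and usable only under it."""
    def __init__(self):
        self._store = {}  # ConsentArtefact -> records

    def receive(self, art, records):
        self._store[art] = records

    def use(self, art, purpose, now):
        if art not in self._store or now >= art.expires_at:
            raise ConsentError("no data held under a live consent for this artefact")
        if purpose != art.purpose:
            raise ConsentError(f"use for {purpose!r} not covered by consent for {art.purpose!r}")
        return self._store[art]

    def purge_expired(self, now):
        """Retention limit: drop everything whose consent window has closed; return the count."""
        expired = [a for a in self._store if now >= a.expires_at]
        for a in expired:
            del self._store[a]
        return len(expired)

def _attempt(fn):
    try:
        fn()
        return "allowed"
    except ConsentError:
        return "blocked"

def run_scenario():
    """Walk one transfer end to end on constructed sample data; report each gate's decision."""
    cm, lender, out = ConsentManager(), Fiduciary(), {}
    month, day = timedelta(days=30), timedelta(days=1)
    out["overbroad_request"] = _attempt(lambda: cm.grant(
        "alice", "lender", "loan_underwriting", {"bank_statement", "health_record"}, month, T0))
    out["transfer_without_consent"] = _attempt(lambda: cm.authorize_transfer(
        "alice", "lender", "loan_underwriting", {"bank_statement"}, T0))
    cm.grant("alice", "lender", "loan_underwriting", {"bank_statement"}, month, T0)
    art = cm.authorize_transfer("alice", "lender", "loan_underwriting", {"bank_statement"}, T0)
    lender.receive(art, {"bank_statement": "constructed sample: 12 months of transactions"})
    out["consented_use"] = _attempt(lambda: lender.use(art, "loan_underwriting", T0 + day))
    out["other_purpose_use"] = _attempt(lambda: lender.use(art, "marketing", T0 + day))
    out["purged"] = lender.purge_expired(T0 + month)
    out["use_after_retention"] = _attempt(lambda: lender.use(art, "loan_underwriting", T0 + month))
    return out
```

Running `run_scenario()` shows the over-broad request and the consent-less transfer blocked, the consented use allowed, the off-purpose use blocked, one record purged at the end of the window, and any later use refused. The design point is that the artefact travels with the data: the recipient's store is keyed by it, so purpose and retention are checked at the point of use rather than left to policy. In a real deployment the artefact would be signed by the consent manager and the checks would sit inside the attested code of the trusted environment described above.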
That said, this is not about buying a stack of software and hoping it does the trick. According to SpiderOak Software Solutions’ Cyber Marketing VP Andrew Friedrich, “Financial institutions embracing DEPA’s principles of data protection, privacy, and governance cannot outsource the protection of their critical business applications and confidential information to perimeter defense products alone (firewalls, intrusion detection systems, application proxies, and virtual private network (VPN) servers). Organizations that view security as a cost center are forced to react when something bad happens, but by then it is too late. Moving forward, the FSPs best positioned to weather the storm will take a proactive approach and ensure that cyber and data security are engineered into critical systems and applications from the ground up.”
In other words, it is time to make sure every data privacy principle you need to follow is built into your company’s technical infrastructure, whether that means adopting existing software or building it from scratch.