DPDP Act revolutionising third-party risk management in India

In the current era of Generative AI and other related technologies, business leaders face pressure on two common fronts: achieving profitable growth and fostering innovation. To meet stakeholder expectations, CxOs have widely adopted outsourcing. This strategic move allows companies to concentrate on their core activities. However, if the outsourced relationship encounters challenges, it can pose a significant threat to the organisation’s existence. Regulatory compliance is one such critical area. On August 11, 2023, the President of India assented to The Digital Personal Data Protection Act (DPDPA) following its approval by both houses of the Indian Parliament. This enactment establishes India’s first-ever privacy Act, designed to empower individuals (referred to as Data Principals in the DPDPA) with their right to privacy. The Act regulates the processing of digital personal data, acknowledging both individuals’ right to govern the use of their personal information and organisations’ legitimate purposes for data processing. Enterprises that collect personal data and define the purposes for its collection and processing (referred to as Data Fiduciaries in the DPDPA) can appoint Data Processors (DPs) or Third-Party Service Providers (TSPs) to process the personal data on their behalf. This is where the DPDPA intersects with Third-Party risk management.

The challenges faced by DPs and TSPs are what we, at Deloitte, refer to as “Compliance by Association”. Simply put, it refers to the compliance requirements of a customer flowing down to their service providers. For example, banks are required to comply with all RBI guidelines, but a Fintech may not be regulated by the RBI. However, if the Fintech works with any bank in India, it will be required to comply with the RBI guidelines relevant to the services it provides to banks. This is “Compliance by Association”. The DPDPA 2023 is a prime example of Compliance by Association: under Chapter 2, Section 8(2), the Data Fiduciary is required to appoint a Data Processor only under a valid contract.

The DPDPA impacts Third-Party risks in three ways. To begin with, organisations will evaluate what data can and cannot be shared with their DPs and TSPs. Outsourcing activities that involve sharing sensitive personal data and information will undergo a reassessment. We believe that while such outsourcing may not come to a complete halt, it will undergo a transformation in which the Third Party has to operate within the physical and virtual boundaries of its client organisation. Secondly, considering that Data Fiduciaries will be largely held responsible for data privacy controls under the provisions of the DPDPA, Data Fiduciaries are likely to strengthen the contractual obligations signed with DPs and TSPs.

Thirdly, clients are not only requiring their Third-Party Service Providers (TSPs) to comply with Compliance by Association requirements but also to monitor and report on their compliance. Data Fiduciaries are also likely to scrutinise the operating environment at Data Processors (DPs) to ensure it aligns with the requirements of the DPDPA. This may prompt additional assessments and reviews of DPs by Data Fiduciaries.

Additionally, incident management processes will need updating and tracking. Under Chapter 2, Section 8 of the DPDPA, DPs and TSPs must prepare and update their incident management processes and procedures to reflect the requirements of the DPDPA. Moreover, under Chapter 2, Section 13, the Data Principal has the Right to Grievance Redressal, which may impact the Data Fiduciary as well as its DPs and TSPs.

There are practical illustrations within the DPDPA itself that can serve as examples in various scenarios. One common example we encounter daily is that banks and Telcos typically outsource the physical mailing and emailing of monthly statements for their millions of customers to Data Processors (DPs) and Third-Party Service Providers (TSPs). With the increasing prevalence of customers opting to download statements on their mobile phones using the apps provided by banks and Telcos, DPs and TSPs will need to cease processing those customers’ personal data for the physical mailing and emailing of monthly statements. Such requirements will compel organisations to collaborate closely with their DPs and TSPs.

We recommend certain controls as best practices for organisations. Firstly, organisations need to understand the Data Privacy requirements across their end-to-end outsourcing activities. Often, partial knowledge leads to lapses in compliance. Secondly, organisations need well-drafted outsourcing contracts which articulate the compliance obligations of the DPs and TSPs. Thirdly, monitoring mechanisms need to be in place that can detect compliance violations, take remedial actions as part of the corresponding incident management process, and inform Data Principals in a timely manner.


Courtesy: https://www.financialexpress.com/business/digital-transformation-dpdp-act-revolutionising-third-party-risk-management-in-india-3273200/