Gearing up for the new P of marketing

By: Siddharth Vishwanath, Cyber Security Leader, PwC India and Anirban Sengupta, Partner, Cyber Security, PwC India

With the Union Cabinet clearing the path for the Personal Data Protection (PDP) Bill to be tabled in Parliament, India has moved one step closer to a privacy protection regime. The bill, once passed, will bring India on par with other leading markets like the European Union (EU), where the General Data Protection Regulation (GDPR) came into effect in 2018. Like the GDPR, the PDP Bill contains broad guidelines on the collection, storage and processing of personal data by data fiduciaries, that is, organisations owning customer/employee data.

While the Supreme Court upheld the right to privacy of Indian citizens in 2017, it is now that the actual effect of the SC’s judgment will be visible across all walks of business. Until now, customer data has been low-hanging fruit, which businesses could exploit to market, pitch and sell their products or services in the digital ecosystem. In many instances, they have had the liberty to sell and monetise data in their possession without any questions being asked. But things are set to change. If the PDP Bill becomes law, which is highly likely, digital marketing will no longer be the same. Digital marketers will need to toe the line as per the provisions of the bill.

So, what should brands and businesses do to set their house in order before the passage of the bill and gain an edge over competition?

1. Go by the toughest privacy regulations

Know your data in the first place. Identify the places where it resides and the techniques being employed to use it. Work with the teams who handle it and understand the current data types. Finally, adopt a data privacy programme that adheres to the strictest laws, such as the GDPR, the UK’s Privacy Protection Act and the California Consumer Protection Act (CCPA). The PDP Bill has many similarities with the global regulations. Adherence to the highest standards will help organisations in India continue with business as usual even once India adopts its own regulation. You should be mindful of a piecemeal or case-by-case approach, as maintaining a jumble of separate privacy policies will prove to be costlier and riskier. Your privacy programme, if built on the highest global standards like the GDPR, will help you function not only in India but also in the global markets. The programme should, however, be tailored to your type of business.

2. Know your data by employing data mapping

As prescribed in the PDP Bill, the Data Protection Authority will be the watchdog/regulator for privacy-related matters in India for all sectors. Given the nature of your business, it is probable that your organisation faces several access requests by data principals, which you need to fulfil in a limited timeframe. If your data has not been mapped adequately, you might end up violating the timelines, thereby inviting fines and penalties. Employ data-mapping techniques to store your data so that it is possible to fetch the details whenever the regulator demands.

3. Build trust to be a better digital marketer

Data is now available at the click of a button in any corner of the globe and it’s exactly this flexibility that has caused immense concerns around protecting its confidentiality and integrity. Thus, building trust becomes critical for digital marketers, although it requires a few steps to be taken in light of the provisions prescribed in the PDP Bill. As a digital marketing firm, you will need to consider the following aspects:

  • What are you collecting and why?
    Identifying the types of data that qualify as sensitive or confidential is the key step an organisation needs to take. It is equally important to understand whether such data sets are being acquired and processed and, more importantly, whether there is a legal basis to gather such information. Assessing data at its source helps limit its collection where that collection doesn’t satisfy any legal basis.
  • Are you permitted?
    The next important step is to ensure that data subjects have provided explicit and exclusive consent for data collection. Lack of adequate consent has led to severe penalties from global regulatory authorities.
    Establishing other consent-gathering mechanisms such as active opt-in for receiving email communication will be mandatory. The inclusion of such mechanisms will build trust in your organisation and protect you from regulatory actions and fines.
  • Are you segmenting the data collected?
    As per the PDP Bill, data is classified as:
    1. critical – yet to be adequately defined but expected to cover data related to matters of national interest
    2. sensitive – this includes financial data, health data such as biometrics, medical records, religious or caste-specific data
    3. general – data that is neither sensitive nor critical.

Data segmentation or classification is important as the bill mentions the requirement of storing and processing of critical data within the nation’s geographical boundaries. Sensitive data may be processed outside with the explicit consent of the data principal. There is no limitation on the storage and processing of general data.

  • Are you maintaining records of processing activities?
    Data privacy regulations require us to store records of the personal information processed. This is typically done by listing out various personally identifiable information (PII) data sets utilised across the organisation for various processes. This data is maintained in the form of inventory workbooks and data flow diagrams along with a periodical assessment. Conducting these activities not only fulfils the compliance requirements but infuses transparency in the business operations from inside out.
  • Are you able to process a data principal’s right in a timely manner?
    Time taken for servicing a data principal’s request is not defined. But, going by the GDPR standards, it could be in the range of four weeks. This calls for building an internal process, workflows and teams to not only address the requests of data subjects but also assess the legitimacy of requests and provide appropriate responses to them. This also entails providing the necessary training and awareness to employees supporting the request-handling process.

The impact of the PDP Bill is going to be visible across industries and sectors, and more so in the domain of marketing as the new regulation will give every customer in India increased control over his or her personal data. This regulation requires digital marketers who rely heavily on collected data to retrace their footsteps and ensure compliance, particularly with respect to the points discussed above.
