Data Access Request could land you in a Zugzwang moment

In our previous post, The Zugzwang won the challenge, we had raised some concerns of a DPO that arise when a Data Access Request is received. This was discussed during an event in Bangalore yesterday and I share some of the thoughts that came up for discussion during the event.

A Data Access Request is one of the first rights that a law like DPDPA provides to the data principal. Essentially it gives a data principal the right to obtain a summary of how the data fiduciary is processing his personal data.

The DSAR can be sent to the company through an e-mail and costs the data principal little effort. But for the Data Fiduciary this is a ticking bomb which, if not defused, could explode with disastrous consequences.

Hence an organization needs to put in place a robust mechanism to handle the request.

DGPSI (Data Governance and Protection Standard of India), the framework that addresses DPDPA compliance, provides the right framework for meeting the challenges that a DSAR presents.

The challenges of a DSAR under DPDPA include:

a) Recording the request received

b) Acknowledging the request

c) Verifying the identity of the requester and his authority to make the request, and matching him with an existing data principal with whom the Data Fiduciary has a relationship

d) Extracting the related consent associated with the processing of the personal information of the requester

e) Extracting all the data elements that the Data Fiduciary has received and used in respect of the data principal.

f) Ensuring that the data is within the scope of the DPDPA

g) Identifying all the processes in which different elements of the data of the data principal are being processed

h) Identifying the external data processors involved in the process and the data shared with them.

i) Identifying whether the data principal is a minor or a nominee and, if so, identifying the related consent from the guardian and the nomination details along with the procedure for settlement.

j) Handling grievance redressal, along with adjudication before the Adjudicator under ITA 2000 or the DPB.

k) Handling the data erasure process both at the level of the Data Fiduciary and at the associated Data Processors.

l) Handling the data breach notification requirements

m) Handling exceptions, such as when the request applies to legacy information for which a new consent was required.

The above list is probably not exhaustive. But DGPSI is a system which asks the relevant questions and creates a foundation from which all these questions can be answered.

For example, DGPSI follows a data classification that tags the jurisdiction, focuses on the processes, recommends centralized data storage, recommends data valuation, sets up a grievance redressal mechanism, ensures that the top management has considered and approved the risks that cannot be mitigated and have to be absorbed, and ensures that distributed responsibility addresses the identification of data and proper documentation of all compliance requirements. Even when the cause of a breach is an AI, DGPSI has the necessary process to address it.

If you are DGPSI compliant, you are ready to address all of the above requirements.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.