As a natural development of technology, product manufacturers are scrambling to create and offer “Compliance Products” and services. Most of these vendors are focussing on developing a “Consent Management Solution”.
The essential feature of such software would be to record the consent for a given set of personal data, give it an identity tag and attach it to the personal data set so that it can be referred to whenever required. The consent has to meet the expectations of “Purpose Orientation”, “Data Minimisation” and “Data Retention Minimization”.
One of the dilemmas companies face is whether they can take one perennial consent for collecting personal data for multiple purposes, which is logically the option best suited to business.
However, the law does not support such an omnibus, omnipotent, omnipresent, ever-alive consent.
Hence the mechanism for consent collection, use and retention has to be a carefully considered plan that meets the legal requirements without seriously hindering business operations.
Probably the appropriate use of AI should help. However, when an AI is developed on faulty training data, the AI output will also be faulty. One option that the ML program has is to parse all similar websites and their privacy policies and gather intelligence which can be incorporated in its own policy. Obviously the user will provide his own inputs on the purpose, data requirements, retention objectives etc. so that the AI algorithm can develop a suitable privacy policy that can be used.
In such automation, it is important to recognize that “Legal Compliance” is difficult to automate successfully and strict human supervision is essential.
As more and more such products surface, FDPPI will apply its “Product-DTS” tool to evaluate the compatibility of the product with the Indian DPDPA system and provide a “DTS Score”.
Data Fiduciaries need to be careful when selecting solutions, since any purchase of such a product is likely to be a long-term purchase and difficult to change subsequently.
When FDPPI auditors evaluate a Data Fiduciary, they look at such service providers as “Joint Data Fiduciaries”. But the product vendors themselves have an option to get their products evaluated as a pre-sales qualification criterion. Such evaluation takes into account the principles of the EU AI Act, ISO 13485, etc. Obviously this is a complex process, perhaps more complex than a routine DPDPA audit for a Data Fiduciary.
FDPPI therefore operates such assignments through a “Consortium” of its experts so that the technology intricacies are considered along with the Legal, Governance and Business issues. Exciting days are ahead in incorporating the EU AI Act with DPDPA compliance, and we look forward to the same.
Naavi