HR Community Meetup: The Digital Personal Data Protection Act and what it means for HR departments

"Privacy is not an afterthought. It shouldn't be taken lightly. It's a fundamental right just like the right to speech and right to information," said Zoho's privacy program manager Andrew David Bhagyam when reflecting on a Supreme Court ruling. Speaking at the HR Community Meetup co-organized by Chroma and Zoho, Andrew shed light on the highly anticipated Digital Personal Data Protection (DPDP) Act and its implications for HR departments. 

Scope and Applicability

At the Community Meetup, Andrew went on to explain the scope and applicability of the DPDP Act. This act only applies to data that is in digital form and data that is processed digitally, either wholly or partially. So, if you are an organization that only manages HR processes through paper-based processes, this act may not apply. Further, this act applies to any organization located outside of India if it processes the personal data of people located in India. For instance, if there's an HR outsourcing organization based out of a foreign country that manages the HR processes of an Indian organization, this act will apply.

According to the DPDP Act, any information used to identify an individual, including IP addresses, names, ages, dates of birth, email IDs, and Aadhar numbers, will count as personal data. Bhagyam explained the areas of HR that affect employee privacy. These areas include CCTV, workplace monitoring, background screening, social media monitoring, BYOD policies, profile information, and performance reviews.

If the personal data is not used for commercial purposes, you'll be exempted from the act. Similarly, the act will not apply to any data that is present in a record for more than 100 years. 

Pillars of the act

Explaining further about the act, Andrew elaborated on its four principal actors, including the Data Principal, Data Fiduciary, Data Processor, and Data Protection Board. 

1. The Data Principal is the person who's in charge of the data. 
2. Data Fiduciary refers to an individual or organization that has the duty of trust concerning the data. For instance, between an employee and an employer, the organization is obliged by a factor of trust to protect their employee's personal data. 
3. The Data Controller determines why and how the data should be processed. 
4. The Data Protection Board will manage cases that are not compliant with the act.

Notice and consent 

According to the act, every organization will be expected to prepare a notice, perhaps a privacy policy, that provides information to applicants and employees on what types of data are collected from them, why it's collected, what will be done with the data, for how long will the data be retained, and who it'll be passed on to. Andrew explained that this particular policy has to be plain, clear, itemized, and explained in a regional language. 

Consent doesn't usually apply to HR-related activities that are done for employment purposes. However, the DPDP Act notes that consent has to be specific, informed, freely given, and unambiguous. Organizations have to state the purpose and intent directly. Any mandatory consent is not consent. 

The path to compliance 

According to Andrew, following the below practices can help organizations comply with the DPDP Act effectively:

1. Review data that is available within your digital records regularly.
2. Establish a well-defined process in place to handle the rights of the data principals (in your case, employees).
3. Define a process to handle the data breach grievances meticulously.
4. Specify the data retention and deletion schedules.
5. Set up and continuously improve the security and accountability measures.
6. Make use of consent mechanisms wherever it is required.
7. Refresh and update your contracts with third-party vendors regularly.

Technology and compliance

Our product manager, Vijaya Sarvanan, and our security advisor, Amponvizhi, took over the session to elaborate on how HR technology tools can be used effectively to ensure compliance with the DPDP Act. Vijay suggested using data encryption methods on the backend to prevent unauthorized access to data since employee data is often exposed to many users in an organization. He also explained in detail about role-based and attribute-based access that provides employee data access based on roles or specific attributes, like the location or department. Amponvizhi went on to explain about having a well-defined process in place to facilitate data classification and retention to ensure compliance with the act. 

Final thoughts

The definition of data privacy can differ from person to person, but legislation like the DPDP Act delineates distinct requirements for organizations. If your organization falls under its jurisdiction, you must have a clear policy in place to ensure compliance and protect the privacy of your employees' personal data.