The Digital Personal Data Protection Act will have implications for how media companies collect and process personal data for multiple purposes.
The report is created by Mini Gupta, Partner, M&E, Security and the Cyber Team of EY.
As per the report, privacy is important for customer trust, brand image, competitive advantage and compliance.
M&E companies will have 12-24 months to comply with the provisions of this Act. The EY report stated, “Their business will have to seek consent, provide notice, update applications, re-engineer the process of targeting, personalisation, profiling etc.”
Non-compliance with the provisions of the Act can lead to a fine of up to Rs 250 crore, in addition to the loss of consumer trust.
According to the report, the following areas require adequate governance to ensure compliance with the obligations of the Act:
M&E companies will have to display a notice on websites and applications, prior to collecting data, in English and 12 Indian languages. There should also be a provision for consumers to raise complaints.
Consent should be obtained for profiling, promotions, personalised advertisements, cookies, retargeting, newsletters, SMSs, and emails.
Verifiable parental consent is to be obtained for processing children’s data. Tracking or behavioural monitoring of children, or targeted advertising aimed at children, is prohibited.
Only voluntarily provided customer data will fall under legitimate use. Processing of data carried out for interviews, print and digital news, and political opinion may not fall under legitimate use and will require consent.
Data principal rights
Provisions must exist to erase, correct, and provide access to the Data Principal’s personal data. There should also be provisions for Data Principals to nominate someone else to erase, correct and access their personal data on their behalf.
Cross-border data transfer
The central government may notify countries to which personal data cannot be transferred, which may require companies to identify alternate service providers.
The company cannot retain data once the purpose for which it was collected has been fulfilled.
Other implications for the M&E sector:
A consent manager, which can be a person or a framework, has to be put in place to manage consent.
Significant Data Fiduciary (SDF)
M&E companies may fall under the category of SDF due to the large volume and nature of their processing. Additional obligations, such as performing audits, appointing a DPO and performing data protection impact assessments, will then apply.
Personal data breaches will have to be reported to the Data Protection Board and notified to the affected Data Principals.
As per the EY report, there are certain ambiguities related to the M&E sector:
The Act does not provide for the use of personal data for journalistic purposes such as processing news, people’s views, public interviews, running polls, etc.
M&E companies process a lot of personal data in the interest of the public at large; however, no provision exists for processing such data in the public interest.
Publicly available personal data
The Act exempts personal data that is publicly available, but it does not clarify whether publicly available information can be used for processing or only for viewing.
Exemption for start-ups
Startup companies processing personal data have been exempted from the Act. The majority of personal data of data principals in India is processed by startups, which may lead to misuse of such data without any obligations on its usage.
What does the M&E sector need to do?
In the next 3-6 months, businesses need to undertake a data privacy assessment, develop a data privacy framework, carry out a data discovery, classification and management exercise, and develop an inventory of the assets that handle personal information.
In the next 6-12 months, companies in the M&E space need to develop or update relevant policies and underlying procedures to set out their intent and a consistent approach towards privacy and data protection. Businesses need to conduct data privacy impact assessments and establish mechanisms for consent management, data principal rights and breach notifications.
Beyond 12-24 months, companies in this space need to implement privacy-enabling technologies to reduce manual tasks and manage data governance activities in an automated manner. M&E businesses also need to obtain external certifications to demonstrate compliance with a Privacy Information Management System.