Data Privacy Management by Taxation and Finance Teams

By Gajendra Maheshwari (Partner, ReinHeads Legal LLP)

A. Background

The recently enacted Digital Personal Data Protection Act, 2023 (DPDPA) holds immense
significance in safeguarding the personal data of individuals. It is crucial to understand the
key provisions of the law and the impact it could have on various functions of an
organization, including the taxation as well as finance functions.

To begin with, it is relevant to grasp the meaning of the term ‘Personal Data’. It covers any
data through which an individual can be identified. For instance, a phone number, email
ID, postal address, biometric details or health record can be termed Personal Data if it is
possible to relate it to the individual to whom it belongs.

In the context of Personal Data, DPDPA recognizes the rights of individuals (termed ‘Data
Principals’) as the true owners of their Personal Data and casts several obligations on the
persons processing (i.e., collecting, storing, retrieving, using, sharing, etc.) the Personal Data
(referred to as ‘Data Fiduciaries’).

Within an organization, the taxation/finance functions are responsible for processing
various sets of personal data, such as:

• Individual’s name (including individual customers, vendors etc.)
• Postal address
• E-mail identity
• Bank account details
• Date of birth
• Permanent Account Number (PAN)
• Goods and Services Tax (GST) registration number
• Aadhaar or other Government ID details

Given these responsibilities, it is imperative for the relevant teams to understand the key
features of DPDPA in order to ensure compliance.

B. Key Features of DPDPA

Key features of DPDPA with relevance to taxation/finance functions include:

  • Consent Mechanism
    • DPDPA mandates ‘consent’ of the Data Principal for processing of her
      Personal Data.
    • Consent must be free, specific, informed, unconditional, and unambiguous so
      as to clearly demonstrate agreement to the processing of Personal Data.
    • In the case of children (i.e., individuals below the age of 18 years), verifiable
      consent must be obtained from their parent or lawful guardian.
  • Notice
    • Consent must be obtained on the basis of a ‘notice’ given to the Data
      Principal.
    • The notice should be presented to the Data Principal in a clear and plain
      language. It must be accessible in English or any other language specified in
      the Eighth Schedule to the Constitution of India.
  • Purpose limitation
    • The notice should explicitly state the ‘purpose’ of processing the Personal
      Data.
    • Accordingly, the Personal Data collected may be processed only for the
      specified purpose.
  • Data Retention
    • Data Fiduciaries must erase the Personal Data if the Data Principal withdraws
      consent.
    • In any event, the Personal Data should be erased once the specified purpose
      is fulfilled.
  • Transfer of Personal Data
    • DPDPA mandates a valid contract for the transfer of Personal Data by a Data
      Fiduciary to a Data Processor (i.e., a third party who processes Personal Data on
      behalf of the Data Principal). For example, where a Data Principal shares the
      Personal Data of vendors with a Chartered Accountant for undertaking
      compliance with the tax withholding provisions, the Chartered Accountant
      would be treated as the Data Processor.
    • The Data Principal remains responsible for compliance with DPDPA provisions where a Data
      Processor is involved.
    • Personal Data can be transferred outside India for processing, except to any
      country or territory notified by the Central Government.

In addition to the above, DPDPA grants further rights to Data Principals, including the right
to access information, the right to withdraw consent, etc. This requires compliance readiness by
businesses for honouring such rights.

C. Compliances to be undertaken by Taxation/Finance Departments

To ensure compliance with the law, the teams concerned should consider conducting a
data mapping exercise. The objectives of this exercise are to:

• Identify the type of personal data collected.
• Determine the database where the data is stored.
• Identify team members with access to the data.
• Understand the nature of processes undertaken with respect to the data.
• Identify third parties with whom the data is shared.
• Determine the manner in which personal data is shared (e.g., through a cloud server,
email, etc.).
• Establish data retention periods.

Based on this assessment, the following actions may be required:

• Implementing a consent mechanism for the collection of the Personal Data.
• Issuing notices to Data Principals for obtaining their consent.
• Specifying the purpose for which Personal Data will be processed.
• Assessing the need to create or amend contracts with Data Processors to extend
the responsibility for compliance under DPDPA to them.
• Introducing policies and mechanisms for responding to Data Principal rights, including
data sharing, retention and erasure.

It is important to note that certain provisions of DPDPA relating to consent, notice, etc. apply
to Personal Data collected even before the commencement of the Act. While the law
does not specify a deadline for such compliance, it emphasizes that compliance should be
achieved ‘as soon as it is reasonably practicable’. In view of these transition provisions,
compliance is required for previously collected Personal Data as well.

D. Way Forward

As per recent government announcements, the rules under DPDPA are expected to be
released soon. Initially, the law would be made applicable to large tech companies, giving
other industries more time for implementation.

Nevertheless, organizations must acknowledge that DPDPA will impact various functions and
processes. For many organizations, the data mapping exercise may require a significant
amount of time and effort. The subsequent measures, such as introducing a consent
mechanism, may take even longer. Consequently, there is a need to raise awareness about
this law within an organization, beginning with top management.

Sooner rather than later, organizations will need to adopt ‘privacy by design’ principles,
whereby business processes are (re)designed in such a way that data collection is minimized,
and data access rights, retention policies and third-party transfers are properly documented
and monitored.

This path-breaking law aims to cultivate a culture of privacy in the country, and organizations
should gear up for its implementation in a timely manner.

Published by – Taxsutra
