By Gajendra Maheshwari (Partner, ReinHeads Legal LLP)
A. Background
The recently enacted Digital Personal Data Protection Act, 2023 (DPDPA) holds immense significance in safeguarding the personal data of individuals. It is crucial to understand the key provisions of the law and the impact it could have on various functions of an organization, including taxation as well as finance functions.
To begin with, it is relevant to grasp the meaning of the term ‘Personal Data’. It encompasses any data through which an individual can be identified. For instance, phone numbers, email IDs, postal addresses, biometric details, health records, etc. can be termed as Personal Data if it is possible to relate them to the individual to whom such data belongs.
In the context of Personal Data, DPDPA recognises the rights of individuals (termed as ‘Data Principals’) as the true owners of their Personal Data and casts several obligations on the person processing (i.e., collecting, storing, retrieving, using, sharing etc.) the Personal Data (referred to as ‘Data Fiduciaries’).
Within an organisation, the taxation/ finance functions are responsible for processing various sets of personal data, such as:
• Individual’s name (including individual customers, vendors etc.)
• Postal address
• E-mail identity
• Bank account details
• Date of birth
• Permanent Account Number (PAN)
• Goods and Services Tax (GST) registration number
• Aadhaar or other Government ID details
Given these responsibilities, it is imperative for the relevant teams to understand the key features of DPDPA to ensure compliance.
B. Key Features of DPDPA
Key features of DPDPA with relevance to taxation/finance functions include:
- Consent Mechanism
  - DPDPA mandates the ‘consent’ of the Data Principal for processing of her Personal Data.
  - Consent must be free, specific, informed, unconditional, and unambiguous, so as to clearly demonstrate agreement to the processing of Personal Data.
  - In the case of children (i.e., individuals below the age of 18 years), verifiable consent must be obtained from their parent or lawful guardian.
- Notice
  - Consent must be obtained on the basis of a ‘notice’ given to the Data Principal.
  - The notice should be presented to the Data Principal in clear and plain language. It must be accessible in English or any other language specified in the Eighth Schedule to the Constitution of India.
- Purpose limitation
  - The notice should explicitly state the ‘purpose’ of processing the Personal Data.
  - Accordingly, the Personal Data collected may be processed only for the specified purpose.
- Data Retention
  - Data Fiduciaries must erase the Personal Data if the Data Principal withdraws consent.
  - In any event, the Personal Data should be erased once the specified purpose is fulfilled.
- Transfer of Personal Data
  - DPDPA mandates a valid contract for the transfer of Personal Data by a Data Fiduciary to a Data Processor (i.e., a third party who processes Personal Data on behalf of the Data Fiduciary). For example, where a Data Fiduciary shares the Personal Data of its vendors with a Chartered Accountant for undertaking compliance with the tax withholding provisions, the Chartered Accountant would be treated as the Data Processor.
  - The Data Fiduciary remains responsible for compliance with the DPDPA provisions where a Data Processor is involved.
  - Personal Data can be transferred outside India for processing, except to such country or territory as the Central Government may notify.
In addition to the above, DPDPA grants further rights to Data Principals, including the right to access information about the processing of their Personal Data and the right to withdraw consent. Businesses need to be ready to honour such rights.
C. Compliances to be undertaken by Taxation/ Finance Departments
To ensure compliance with the law, the concerned employees should consider conducting a data mapping exercise. The objective of this exercise is to:
• Identify the type of personal data collected.
• Determine the database where the data is stored.
• Identify team members with access to the data.
• Understand the nature of processes undertaken with respect to the data.
• Identify third parties with whom the data is shared.
• Determine the manner in which personal data is shared (e.g., through a cloud server, email, etc.).
• Establish data retention periods.
Based on this assessment, the following actions may be required:
• Implementing a consent mechanism for the collection of the Personal Data.
• Issuing notices to Data Principals for obtaining their consent.
• Specifying the purpose for which Personal Data will be processed.
• Assessing the need to create or amend contracts with Data Processors to extend the responsibility of compliances under DPDPA to them.
• Introducing policies and mechanisms for responding to Data Principal rights including data sharing, retention and erasure.
It is important to note that certain provisions of DPDPA related to consent, notice, etc. apply to Personal Data collected even before the commencement of the Act. While the law does not specify a deadline for such compliance, it requires that compliance be achieved ‘as soon as it is reasonably practicable’. In view of these transition provisions, compliance is required for previously collected Personal Data as well.
D. Way Forward
As per recent government announcements, the rules under DPDPA are expected to be released soon. Initially, the law would be made applicable to large tech companies, allowing more time for other industries to implement it.
Nevertheless, organizations must acknowledge that DPDPA will impact various functions and processes. For many organizations, the data mapping exercise may require a significant amount of time and effort. The subsequent measures, such as introducing a consent mechanism, may take even longer. Consequently, there is a need to raise awareness about this law within an organization, beginning with the top management.
Sooner rather than later, organizations would need to adopt ‘privacy by design’ principles, whereby business processes are (re)designed in such a way that data collection is minimized, and the data access rights, retention policies, and third-party transfers are properly documented and monitored.
This path-breaking law aims to cultivate a culture of privacy in the country, and organizations should gear up for its implementation in a timely manner.
Published by – Taxsutra