
How to conduct a data protection impact assessment under PDPA, 2023 or EU GDPR

One of the tasks you will perform as a data protection and privacy consultant or a data protection officer is to conduct a data protection impact assessment (DPIA) under the Digital Personal Data Protection Act, 2023 (DPDPA, India) or the EU GDPR (for clients or employers with a presence in Europe).

If your clients have a presence in other countries which have enacted data protection legislation, you will perform this assessment under those local laws.

The process of conducting the DPIA is the same, and the underlying concepts are the same.

You just need to know the specific local variations, which are usually small compared with the common core.

We will now show you how to conduct a DPIA. 

Most modern tech businesses, or their clients, process a great deal of personal data, so for all practical purposes a DPIA is the first task performed to determine applicability of the data protection and privacy laws and to prepare for implementation. Strictly speaking, GDPR Article 35 requires a DPIA only for processing likely to result in a high risk to individuals, and the DPDPA imposes it on Significant Data Fiduciaries, but the data mapping and gap analysis described below are the groundwork for either and are useful for any business that processes personal data.

If you perform this task well for a client, you can get a lot of follow-on data protection and privacy compliance work, whether in India or in Europe. 

The purpose of this assessment is to identify the status of data protection and privacy implementation and compliance in light of the company's business.

You have to find answers to the following 10 questions:

  1. What kind of customer data is collected?
  2. Which company departments and employees have access to it?
  3. Which third parties is it shared with?
  4. Where is the data stored: servers, mobile phones, computers?
  5. What is the geographical location of these servers?
  6. Who has control over these assets?
  7. Under what circumstances can such data be accessed?
  8. What are the restrictions on misuse of such access?
  9. Is the current mechanism adequate or not?
  10. What further actions need to be taken so that data protection and privacy non-compliance risks are minimised?

All of this work costs USD 10,000 upwards!

https://www.trustnetinc.com/gdpr-pricing/
https://spectreproject.be/output/downloads-1/deliverable-d3-1-economic-costs-of-the-dpia.pdf

Even at the initial stages you can charge USD 1000 to do an assessment. Our students charge far more after they have done a few such assignments.

Let us take an example of a simulation assignment. 

Imagine an edtech startup which offers online courses in Europe. 

It also has a mobile app listed on the iOS App Store and the Google Play Store.

This startup could be based anywhere in the world.

Now, the company intends to start selling to EU residents. 

They have also hired some remote freelancers there for sales calls. 

You are required to perform a data protection impact assessment.

How will you go about this? 

Step 1 – Understand the lifecycle and flow of user data 

The first step is to understand the flow of user data throughout the company, from the point where a user lands on the website. 

Most websites will have a sign up form which will trigger emails and marketing campaigns once a user signs up. 

What user data is collected on the landing page? What fields does the sign-up form have?

What background information is being tracked (e.g. browser settings, IP address, location, cookies and analytics identifiers)?

This is the business part.

From a DPDPA or GDPR perspective, you need to identify whether proper consent is taken for the collection of such data.

Indian law and the GDPR are closely aligned on the principles for valid consent (free, specific, informed, unambiguous, given by a clear affirmative action), though the GDPR also offers other lawful bases such as contract and legitimate interests, while the DPDPA is consent-centric with a narrow list of "certain legitimate uses". California works differently again: the CCPA/CPRA is largely built on notice and opt-out rights rather than opt-in consent, so the manner of validly collecting and using data is different if your client operates there.

Step 2 – Documenting the data lifecycle, including third party sharing of data

After collection, such data may be shared with third parties.   

Much of this occurs behind the scenes from a customer or a lawyer’s perspective. You must ask the business teams specific questions on this. 

Most businesses use third-party email, CRM and marketing automation software, e.g. Mailchimp, AWeber, SendGrid, ActiveCampaign or Constant Contact.

They may use Zoom (or similar software to conduct free webinars to educate users). 

In addition to this, CRMs and marketing automation software will provide insights to identify which user is interacting with emails, clicking on links, proceeding to the shopping cart, etc.

Sales callers may input details about the personal situation of users which were obtained during counselling. If these notes capture health, financial hardship or similar matters, they fall into the special categories under GDPR Article 9 and need a stricter justification and tighter access than ordinary contact data.

It is possible that some of this data is not recorded directly in the CRM but in Excel sheets (on their desktops) or Google Sheets (in the cloud), i.e. in copies that sit outside the company's managed systems and access controls.

This data may be further analysed for training and feedback purposes by trainers/quality team of the company. 

Similarly, a customer completes a purchase through a payment gateway (administered by a third party), where they share their card details. Ideally the card data never touches the startup's own systems; if it does, the company also takes on PCI DSS obligations for it.

They would then complete an enrolment form to provide further information about their educational and professional background so that services can be delivered optimally. 

This data is then passed through the finance team, customer onboarding and course delivery teams. 

There can be more steps to the user’s lifecycle, such as:

  1. Upselling/customer success team may call students to purchase additional courses
  2. Marketing team may include success stories of students in marketing campaigns

Broadly, this is the entire lifecycle of user data in an edtech company. 

You don’t have to memorise this. Every company works differently, so for each client this data flow must be specifically mapped. 

You can get more details about this by interviewing the business, finance, operations, HR and other teams. This is chargeable work.

From a data protection and privacy management perspective, a few things are happening:

  1. Varying amounts of customer data are being collected at different points, and the company's software is also processing that data and generating new patterns and insights
  2. The data is being transferred across different departments of the company
  3. The data is flowing through third-party apps and software (which are not in the physical control of the edtech company)
  4. These third-party apps and software are in the cloud, so the physical storage of this data is located elsewhere

This data lifecycle must be mapped. 

The basis for obtaining user consent for all this data, for sharing it, the manner in which it can be used internally or by third parties, and the ways in which it could be misused must all be identified in advance.

This is done on a spreadsheet called the Personal Data Analysis Form. For the purposes of this example we can restrict the scope of work to the marketing and sales functions.

The form records which department captures which parts of the data, who is the ultimate owner of that department, the way in which the data is used, and whether consent has been obtained to deal with the data in the manner that it is being dealt with:

[Personal Data Analysis form]

Step 3 – Mapping the list of 3rd party service providers 

Now that you know that data is being passed through various third-party tools, you need to make a list of all such third-party service providers who have access to the data.

Appropriate documentation will be executed (if it is not already there) with such third parties so that there are adequate protections against misuse or further sharing of the data. Under GDPR Article 28 a written contract with each processor is mandatory, not optional.

This is also important to minimise the company's liability in the event of a data breach at the provider.

Here's what such a list looks like:

[3rd party processing providers list]

It is not sufficient to record only the name of the corporate entity or service provider. You must also record the document executed with them which imposes a duty on them to protect user data, the sub-processors they in turn use, and the region in which they store the data.

Step 4: Map the physical assets and the location where the data may be accessible

Most storage today is in the cloud, i.e. the servers may be located elsewhere and be in the physical control of another entity.

So we need to identify where such data is physically stored and from where it can be accessed: a provider's support staff or sub-processor in another country is also a transfer, even if the primary server sits at home. Data protection laws impose conditions on the international transfer of data. Under the GDPR (Chapter V) a transfer outside the EEA needs an adequacy decision, standard contractual clauses or another listed safeguard; under the DPDPA, transfers are permitted except to countries restricted by central government notification.

It's like the import-export of products and services, but customs laws don't deal with user data.

That is dealt with by data protection and privacy laws, which are far simpler than customs regulations.

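As an added illustration (not the page's Personal Data Analysis form or any tool the page describes), the following Python script models the mapping from Steps 1 to 4 as records and runs the checks a DPIA makes on them: an undocumented lawful basis, a processor with no data processing agreement, storage outside the users' region with no transfer mechanism, uncontrolled copies in desktop spreadsheets, and sensitive fields. The column names, region codes, sample records and the "PaymentGateway" name are all assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the client's users are in the EU/EEA, so any
# storage outside these regions counts as an international transfer.
HOME_REGIONS = {"EU", "EEA"}
# Data elements that deserve extra scrutiny: GDPR Art. 9 special categories
# and payment card data. Adapt to the client's actual data.
SENSITIVE = {"health", "financial_situation", "card_number"}
# Stores that sit outside the company's managed systems (the Excel-on-a-desktop case).
UNCONTROLLED_STORES = {"desktop_spreadsheet"}


@dataclass
class ProcessingRecord:
    """One row of the data-flow map (column names are assumptions for this example)."""
    dataset: str                      # what is collected, e.g. "signup_form"
    fields: Tuple[str, ...]           # data elements captured
    department: str                   # internal owner of the data
    lawful_basis: Optional[str]       # "consent", "contract", ... or None if undocumented
    store: str = "crm"                # system that holds the data
    processor: Optional[str] = None   # third-party tool, e.g. "Mailchimp"
    dpa_signed: bool = False          # written data processing agreement executed?
    storage_region: str = "EU"        # where the store physically keeps the data
    transfer_mechanism: Optional[str] = None  # "SCCs", "adequacy", ... if exported


def assess(records: List[ProcessingRecord]) -> List[Tuple[str, str]]:
    """Apply the Step 1-4 checks to every record and return (severity, finding) pairs."""
    findings = []
    for r in records:
        where = f"{r.dataset} [{r.department}]"
        if not r.lawful_basis:
            findings.append(("high", f"{where}: no documented consent or lawful basis"))
        if r.processor and not r.dpa_signed:
            findings.append(("high", f"{where}: {r.processor} has no data processing agreement"))
        if r.storage_region not in HOME_REGIONS and not r.transfer_mechanism:
            findings.append(("high", f"{where}: stored in {r.storage_region} with no transfer mechanism"))
        if r.store in UNCONTROLLED_STORES:
            findings.append(("medium", f"{where}: copy held in {r.store}, outside access controls"))
        sensitive = SENSITIVE.intersection(r.fields)
        if sensitive:
            findings.append(("medium", f"{where}: holds {sorted(sensitive)}; confirm necessity and restrict access"))
    return findings


def third_parties(records: List[ProcessingRecord]) -> Dict[str, dict]:
    """Step 3 list: every processor, the datasets it sees, its region and DPA status."""
    out: Dict[str, dict] = {}
    for r in records:
        if r.processor:
            entry = out.setdefault(
                r.processor, {"datasets": set(), "region": r.storage_region, "dpa_signed": r.dpa_signed})
            entry["datasets"].add(r.dataset)
    return out


# Constructed sample flow for the edtech startup in the text; "PaymentGateway"
# is a placeholder name, not a real provider.
SAMPLE_FLOW = [
    ProcessingRecord("signup_form", ("name", "email", "ip_address"), "marketing", "consent",
                     processor="Mailchimp", dpa_signed=True, storage_region="US", transfer_mechanism="SCCs"),
    ProcessingRecord("sales_call_notes", ("name", "phone", "financial_situation"), "sales", None,
                     store="desktop_spreadsheet"),
    ProcessingRecord("payment", ("email", "card_number"), "finance", "contract",
                     processor="PaymentGateway", dpa_signed=True),
    ProcessingRecord("enrolment_form", ("education", "employer"), "onboarding", "contract",
                     store="lms", storage_region="IN"),
]


def report(records: List[ProcessingRecord]) -> str:
    """Render the Step 5 findings, highest severity first."""
    order = {"high": 0, "medium": 1}
    ranked = sorted(assess(records), key=lambda f: order[f[0]])
    return "\n".join(f"{sev.upper():6} {msg}" for sev, msg in ranked)


if __name__ == "__main__":
    print(report(SAMPLE_FLOW))
    for name, info in third_parties(SAMPLE_FLOW).items():
        print(name, sorted(info["datasets"]), info["region"], "DPA" if info["dpa_signed"] else "NO DPA")
```

On the sample flow the sign-up record passes every check (consent, signed agreement, SCCs for the US transfer), the sales notes produce three findings (no basis, a desktop copy, and a sensitive field), the payment record is flagged for card data, and the enrolment form is flagged for storage in India with no transfer mechanism. The point is not the toy rules but the shape: once the map from Steps 1 to 4 is captured as structured rows, the Step 5 findings follow mechanically and can be re-run when the business adds a tool.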

Do you think this is doable if you use common sense, logical thinking, and basic presentation skills, with some understanding of privacy work?

Step 5 – The findings of this work ultimately flow into a report and an action plan to fix any problems that are discovered.  

We will teach you how to draft a report in the bootcamp. 

Did you find this useful?

Would you like to learn more about the opportunities in this area?

As you may have realised, data protection and privacy management work is quite unique and fresh, and the practical aspects are not taught anywhere else. 
