India's Digital Personal Data Protection Act, 2023 ("DPDP Act")
(Notified and Effective from 11th August, 2023)

Published by jaisingh.ajay, 2023-09-24 02:46:55

Guardians of Data: Navigating Responsibilities under the DPDP Act for Business Entities

Keywords: India, Data Protection, DPDP Act

10. Data Backup and Recovery: Implement regular data backup procedures and test data recovery processes to ensure that data can be restored in case of data loss or security incidents.
11. Incident Response Plan: Develop an incident response plan that outlines how your organisation will respond to data breaches or security incidents. Assign roles and responsibilities for incident management.
12. Third-Party Risk Assessment: Assess the data protection practices of third-party vendors and service providers who have access to your data. Ensure they adhere to the same data protection standards.
13. Data Retention and Disposal: Establish data retention policies and procedures. Delete or anonymise data that is no longer necessary for your organisation's purposes.
14. Privacy by Design: Integrate data protection principles into the design of new products, services and systems.
15. Regular Audits and Assessments: Conduct regular internal audits and assessments to ensure ongoing compliance with data protection rules and regulations.
16. Data Protection Officer (DPO): Appoint a Data Protection Officer (DPO) responsible for ensuring compliance with data protection laws, serving as a point of contact for data subjects, and cooperating with data protection authorities where required.
17. Data Subject Rights: Be prepared to respond to data subject requests, such as access requests, rectification and data erasure (right to be forgotten).
18. Monitoring and Intrusion Detection: Implement continuous monitoring and intrusion detection systems to identify and respond to security threats in real time.
19. Employee Exit Procedures: Establish procedures to revoke access to personal data when employees leave the organisation.
20. Regular Security Training and Awareness Programs: Keep employees informed about the latest cyber security threats and best practices through ongoing training and awareness programs.
21. Revisiting contracts executed with vendors, customers/clients, etc., and channelising KYCs in a more structured manner.

B. For Board of Directors of all types of Companies:

Protecting digital personal data in companies is a responsibility that extends to the Board of Directors, as they play a crucial role in setting the overall strategy, policies and culture for data protection. Here are steps that the board of directors can take to effectively protect digital personal data in companies, reduce risks and maintain the trust of customers, employees and stakeholders:

1. Understand the legal and regulatory requirements
2. Appoint a Data Protection Officer (DPO)
3. Develop and approve data protection policies
4. Budget for data protection
5. Risk assessment and management
6. Cyber security oversight
7. Vendor and third-party data protection practices assessment
8. Incident response planning
9. Board training and awareness
10. Audit and compliance oversight
11. Developing effective reporting mechanisms
12. Data privacy impact assessments
13. Legal and compliance expertise


Sources:

1. European Commission's GDPR website (https://ec.europa.eu/info/law/law-topic/data-protection_en) and the California Attorney General's CCPA website (https://oag.ca.gov/privacy/ccpa).
2. Cyber security frameworks and standards like the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) can offer guidance on best practices.
3. NIST's Computer Security Incident Handling Guide (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) offers detailed guidance on incident response.
4. Guidance on data inventory and classification can be found in various data protection frameworks and standards, such as ISO 27001 (https://www.iso.org/isoiec-27001-information-security.html).
5. Cyber security frameworks like the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) offer guidance on data security best practices.
6. The "Privacy by Design" framework by Dr. Ann Cavoukian (https://www.ipc.on.ca/pbd/) offers guidance on incorporating privacy into organisational practices.
7. Bare Act: the Digital Personal Data Protection Act, 2023 and Bill: MeitY website (https://meity.gov.in/); look for the "Data Protection" or "PDPB" section.
8. NLSIU website for research papers and publications related to data protection and the PDPB (https://www.nls.ac.in/).
9. News websites such as The Economic Times (https://economictimes.indiatimes.com/), The Hindu (https://www.thehindu.com/), and Livemint (https://www.livemint.com/) for articles and reports on data protection laws in India.
10. CA Kamal Garg's LinkedIn posts, and various news articles, reports and interviews of legal experts and policy makers on data protection developments.

