Meet the expert: Emma Green to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Emma Green is the Managing Partner of Cyber Data Law Solicitors, a role that sees her monitor the drive of improvements and the implementation of data protection and cyber security global programmes for clients and organisations. 

Leveraging over 25 years’ experience in IT, Emma is an award-winning trainer and speaker, and has co-authored an IBM Redbook. She is a member of the International Association of Privacy Professionals (IAPP) and is a Cyber Essentials assessor, marking over 600 assessments in the past two years alone. 

Emma appears exclusively at PrivSec Global to debate evolving data protection legislation frameworks in India.

Below, she answers questions on her professional journey and the themes of her PrivSec Global session.

Could you briefly outline your career pathway so far?

Over the years I have fallen into roles rather than following a specific path. What started out as working in IT on tech helpdesks morphed into becoming a Lotus/Domino technical trainer, co-authoring an IBM Redbook then 10 years training and consulting for Hewlett Packard’s products which then morphed into cyber security and data protection and ultimately into AI. 

John Green (same name no relation) is a senior solicitor specialising in cyber security and data protection and it seemed the perfect synergy of Tech and Law, so after working together for a number of years in our consultancy firm setting up a law firm was the natural next step.

I am now the managing partner of a rapidly expanding global law firm specialising in compliance frameworks such as cyber, data protection, PECR and AI. We work both proactively preparing such things as global compliance frameworks, contracts and training and reactively with such things as first responders to cyber-attacks, legal representation against regulators or defending litigation. We are very passionate about we do and the service we offer our clients.

What elements of the DPDP Act, 2023 will have the biggest impact on how global companies do business with organisations in India?

The Act received assent from the President of India on 11 August 2023. Until now there has not been any standalone law for the protection of personal data in India. The DPDP Act changes that and includes concepts not too dissimilar in principle to the GDPR, other countries around the world have also been implementing legislation similar to this European law. 

Adhering to this law will ensure organisations can facilitate cross-border data transfers smoothly and lawfully, improving an organisation’s ability to operate in a global marketplace.

EU organisations will be familiar with a lot of the concepts and ought to be able to take necessary steps to comply with the DPDP Act. It is likely to prove more challenging for Indian’s organisations as they will likely need to considerably adapt their current practices to ensure conformity.

It is unclear at this stage when the law will come into effect. Sub-section 1(2) of the DPDP Act clarifies that it will come into force on such date as the Central Government would appoint by notification in the official gazette, with different dates being appointed for different provisions.

It is worth noting there are many more obligations for Data Fiduciaries (similar to data controllers in the EU and UK) and these are categorised based on volume of data being processed. Those classed as significant data fiduciaries may be required to appoint a DPO, auditor and conduct DPIA’s. Smaller data fiduciaries will be exempt by the Indian Government from certain obligations.

Like the GDPR there are data principles, data subject rights, lawful basis, obligations when processing children’s data and breach reporting. One difference here is that there is no separate concept of special categories of data; the act covers all digital data equally.

The Data Protection Board of India will monitor compliance and impose penalties ranging from 50 crore (approx. £5 million) to 250 crore (approx. £25 million), data fiduciaries will be able to provide voluntary undertakings.

Organisations need to consider how the DPDP Act will impact on them, how it will impact on any outsourced service provider in India and what will need to be done to ensure compliance. To reiterate, just because there are similarities with the GDPR, does not mean compliance of the GDPR equals compliance with the DPDP Act as there are quite a number of differences. Similar to GDPR, audits will need to be carried out to understand what is being processed and what needs to be done to ensure compliance.

What are the primary benefits, both for outside companies and for clients and customers, that the new legislation will bring?

The primary benefit and purpose of the DPDP Act is to ensure protection of individuals privacy and personal data; it also helps build trust for those organisations who outsource services to Indian companies. 

This Act will give individuals more control to individuals over their personal information, how it is collected, processed, and shared by organisations. Consumers are increasingly concerned about the privacy and security of their data, and organisations that prioritise and protect this information are likely to build a positive reputation and be in a position to protect customers from the potential negative consequences of their data being compromised.

The benefits of a well-designed data protection compliance program will help organisations in India to ensure that their data practices comply with the law and ensure they are protected from any legal consequences and financial penalties for non-conformity.