Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.
Nandita Rao Narla is the Head of Technical Privacy and Governance at DoorDash, where she leads the privacy engineering, assurance, and operations teams. Previously, she was part of the founding team of a data risk intelligence startup and held various leadership roles at EY, where she helped Fortune 500 companies build and mature privacy, cybersecurity, and data governance programs.
Nandita appears exclusively at PrivSec Global to discuss India’s new Digital Personal Data Protection Bill. Below, Nandita answers questions on her professional journey and introduces the themes on the table at her PrivSec Global session.
- India introduces new Digital Personal Data Protection Bill - Day 1, Wednesday 29th November, 09:00 - 09:45am GMT
Could you briefly outline your career pathway so far?
My career journey over the last 15 years has been an exciting mix of experiences in privacy, cybersecurity, risk management, AI governance, regulatory compliance, data governance, and product management.
This diverse exposure has been invaluable in giving me insight into the interdependencies of adjacent privacy fields and shaping my approach to helping organisations embed trust in their products and processes.
With a Bachelor’s degree in Computer Science and a Master’s in Information Security, I started my career as a technical advisor at EY, where I had the opportunity to work on large-scale complex projects at Fortune 500 companies.
I quickly transitioned from a security engineer performing secure code reviews, building insider threat models, and deploying data protection controls to broader data governance and strategy functions. I held various R&D and leadership roles at EY, and my tenure here laid the foundation for technical expertise, a deep understanding of data ecosystems, and insight into privacy pain points across industries.
Eager to take what I learned from my consulting career and build technical solutions, I joined the founding team of a data risk intelligence startup. I led solutions engineering and helped create an AI based platform for data discovery, tagging, and defensible data deletion.
In my current role at DoorDash, I lead the technical privacy and governance teams focusing on privacy by design, AI governance, privacy operations, privacy engineering, and privacy assurance.
The field of privacy is constantly evolving due to changes in technology, regulations, and user expectations. This growth has led me to make learning and research components of my career goals within this dynamic field. I contribute to research and open-source development in privacy engineering, AI ethics, and technical standards as part of several research institutes and privacy think tanks.
Some notable current projects include a study of privacy engineering practices for the Future of Privacy Forum, Privacy Enhancing Technologies (PETs) adoption research for ISACA, the development of a Privacy by Design certification standard for the Institute of Operational Privacy Design, and a reference architecture for privacy for the Ethical Tech Project.
What elements of the DPDP Bill 2023 will have the biggest impact on how global companies do business with organisations in India?
The DPDPA outlines the basic principles of digital data protection but is not as prescriptive as the GDPR, so it is hard to estimate the full extent of the compliance burden for global companies.
Several implementation-specific aspects are expected to be formalised in the next 6-12 months through delegated legislation and rules; however, with the information at hand, I speculate global companies will be most significantly impacted in areas where DPDPA departs from common frameworks such as GDPR or CCPA.
Firstly, the DPDPA has broad coverage. It applies to all personal digital data without categorising it as sensitive or critical. As a result, a uniform protection standard will need to be applied to all classes of personal data, which the act defines broadly as “any data about an individual who is identifiable by or in relation to such data.” It also extends coverage to all entities that process personal data regardless of size or status and has significant extraterritorial application.
Secondly, consent will likely serve as the primary legal basis for processing under the act, as other legal bases available are highly restrictive and narrowly defined. For instance, DPDPA does not include “contractual necessity” and “legitimate interests,” which are common grounds for data processing in other frameworks such as GDPR. Multi-national companies that rely on these grounds for processing will be challenged to find solutions and may need to alter their business processes to account for these changes.
Thirdly, DPDPA permits data principals (data subjects) to use a “Consent Manager,” an accessible, transparent, and interoperable platform registered with the Data Protection Board of India, to grant, manage, review, and withdraw their consent to companies. Consent Managers are part of India’s “Data Empowerment and Protection Architecture” offering currently used in the financial sector. Handling individual consent and integrating with consent managers to manage consent on behalf of data principals may significantly impact global companies, especially when including additional scenarios such as parental consent and age verification requirements.
Lastly, global companies that are designated as ‘Significant Data Fiduciaries’ based on the volume or sensitivity of data they process, risk of privacy harms to data principals, or other factors in future rulemaking will have the added obligations of conducting periodic data protection impact assessments, appointing a DPO in India, appointing an independent compliance auditor, and performing regular audits to demonstrate adherence to mandated compliance requirements.
What primary benefits, both for outside companies and for clients and customers, will the new legislation bring?
The Digital Personal Data Protection Act 2023 is a significant step in empowering a population of 1.4 billion with rights over their personal information and, after more than six years of deliberations, it finally provides a regulatory framework to safeguard personal data for organisations in scope. It seeks to balance the privacy of individuals and nurture India’s growing digital economy.
Primarily, this act is bound to benefit data principals (individuals such as customers or employees) who will have increased control over their data. Per the act, individual consent is vital, and individuals must provide consent for using their personal information in most data processing scenarios. If the data principal withdraws consent, processing must cease ‘within a reasonable time.’ This intense focus on specific and informed consent will prevent data misuse by companies and promote data empowerment.
Data principals will also enjoy new personal data rights such as the right to access their personal information, the right to request the erasure of their data, the right to correct their information, the right to receive sufficient notice before requesting consent, and the right to grievance redressal. With DPDPA data fiduciaries will now be held accountable for safeguarding personal information and expected to be responsible stewards of personal data shared with them.
An interesting fact is that DPDPA uses she/her pronouns for data principals, which is a first in Indian law and makes an impactful gesture towards promoting diversity and inclusion in legislation.
The new legislation will also benefit companies who want to use privacy as a competitive differentiator and build a trusted brand serving customers in India. Several recent surveys have shown that consumers are increasingly concerned about their privacy and are more likely to give their business to companies that respect privacy and comply with privacy regulations. DPDPA encourages companies to implement measures to safeguard personal data and demonstrate a commitment to use data responsibly, which will help foster trust in the company. Implementing robust data protection measures to comply with DPDPA prevents data breaches, reducing negative financial impact and reputational damage.
The act is also a forcing function to implement efficient data management practices such as comprehensive data inventory/mapping, data minimisation, data retention, and data quality enhancement initiatives, which drive a better understanding of data, help streamline processes, and achieve cost savings. Beyond treating DPDPA as a compliance checkbox and regulatory burden, companies that adopt the essence of the act - responsible data use and respect for individual consent - within their overall data strategy will see manifold benefits. Besides, it is the right thing to do.
I hope this legislation will have the same effect in India as GDPR in the EU, making privacy a board-level issue and setting the stage for accountable data processing practices.
Highly relevant for India’s rich and vibrant community of privacy pros and highly relevant for the global privacy community whose organisations process data “in connection with any activity related to offering of goods or services” in India, the DPDP Bill, 2023, is the fifth iteration of India’s much-awaited data protection law, with previous versions released in 2018, 2019, 2021, and 2022.
Tune into this exclusive PrivSec Global session to discover how the evolution of India’s data protection regulation framework will impact global business communities.
Also on the panel:
- Emma Green, Managing Partner, Cyber Data Law Solicitors
- Salman Waris, Partner Head of TMT & IP Practice, TechLegis Advocates & Solicitors
- Session: India introduces new Digital Personal Data Protection Bill
- Time: 09:00 – 09:45am GMT
- Date: Day 1, Wednesday 29 November 2023
Discover more at PrivSec Global
As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.
Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play within privacy, security and GRC.