
Digital Personal Data Protection Act 2023 for Supply Chain: A Must Read for Shippers

Impact-of-DPDP-on-Logistics

The increasing digitalization of our lives means that, now more than ever, personal data is being shared and transacted, often without people’s consent.

Repeated data breaches have prompted governments and organizations to implement robust cybersecurity measures.

As another step in this direction, the Government of India released the Digital Personal Data Protection Act bill in August 2023. This bill brings extensive upgrades to personal data security for Indian citizens.

The Digital Personal Data Protection (DPDP) Act, 2023, applies to the processing of digital personal data within the territory of India, whether collected online or collected offline and later digitized. It also applies to the processing of digital personal data outside India’s territory if it involves providing goods or services to data principals within India. E-commerce companies, retailers, courier and parcel services, FMCGs, and many other logistics players need to comply with the DPDP Act.

Understanding the terminologies is essential for organizations to align with the DPDP Act’s guidelines and ensure compliance. Let’s examine three main terminologies applicable to the supply chain and logistics industry:

Data Principal:

The individual to whom the personal data relates; in the supply chain context, this is the customer.

Data Fiduciary and Significant Data Fiduciary (SDF):

A data fiduciary is an entity or person who collects data from the data principal and determines the purpose and means of processing that personal data. An organization is deemed an SDF based on the volume and sensitivity of the personal data it processes, the risk to the customer, the risk to the security of the state, and the potential impact on the country’s sovereignty. The supply chain industry, which stores and processes huge volumes of personal data, would definitely fall under SDF.

Data Processor:

A person or group responsible for processing personal data on behalf of the data fiduciary.

Every sector, including supply chain and logistics, falls under this Act. Because of the sheer volume of personal data handled in this domain, every sub-industry within it is under its purview.

Let’s examine how these entities might be impacted:

Shippers:

E-commerce companies, retailers, FMCGs, and others in the shippers category are considered data fiduciaries because they collect personal data directly from customers. The number of online shoppers in India is skyrocketing and is expected to reach 425 million by 2027, creating more opportunities for cybercriminals to break into shippers’ systems and websites to access this personal data.

Courier and Parcel Companies:

Because these companies receive customer data from the shippers (the data fiduciaries) rather than collecting it directly, they essentially act as data processors. Data processors are not liable for penalties under the Act, but they still need the technical capability to store data securely in order to avoid lawsuits from shippers.

Now that we understand where the major supply chain players fit within the DPDP Act, let’s explore how these players can comply with the mandate and avoid penalties.

Implement Top-Tier Security for Logistic Solutions:

A supply chain or dispatch management system is indispensable for companies in this industry. However, leaders must ensure these systems feature robust security, employing controls such as Role-Based Access Control (RBAC), Single Sign-On (SSO), and access-controlled RESTful APIs to restrict unauthorized access and reduce the risk of data breaches. Organizations that lack the technology and staff needed to prevent data breaches could face hefty penalties, reaching up to Rs 250 crore.

Train Third-Party Delivery Partners:

The Act requires organized logistics companies (data fiduciaries) to educate and sensitize their data processors (carriers and transporters) about data protection obligations. This is crucial for smaller entities that may lack the resources or awareness needed for data privacy. Larger logistics firms should limit the data shared with smaller partners to what is strictly necessary, use secure digital methods for sharing it, and ensure the data is erased once the task is completed.

3PL/CEP Responsibilities:

While 3PLs and CEPs, as data processors, are not the primary targets of the DPDP Act, maintaining top-tier security is still critical. Some shippers may sever ties with carriers that are weak on data security, fearing breaches and the penalties that follow. Upgrading logistics systems with the latest security features is essential for sustaining these business relationships.

Evaluate Delivery Partners’ Tech Capabilities:

Shippers, often constrained by budgets, tend to evaluate carriers primarily on cost, overlooking the technological inadequacies that can lead to data breaches. Tech and supply chain leaders should jointly assess carriers from both business and technology perspectives to ensure performance improvement and regulatory compliance.

Shippers can also use advanced carrier management solutions to shortlist top-performing carriers. Strong performance often implies that a carrier is using a smart dispatch management system for deliveries, and such systems are typically enterprise-grade with strong security features.

Appointment of Data Auditor and Data Protection Officer:

Given the substantial volume of customer data they handle, companies in the supply chain industry are likely to qualify as Significant Data Fiduciaries (SDFs), which implies stringent scrutiny and penalties. The DPDP Act mandates the appointment of a Data Protection Officer and an independent data auditor to manage, report on, and evaluate compliance, including periodic audits and impact assessments.

Data Protection Clauses for Carriers/Transporters:

Shippers must clearly delineate data protection responsibilities in their contracts, explicitly spelling out the legal ramifications for carriers and transporters, who, although not directly liable for penalties, play a pivotal role in data processing.

Inform Customers about Breaches:

Non-compliant shippers face significant penalties and must promptly notify both the Board and the affected customers in the event of a data breach. The Act has yet to specify a timeline for reporting breaches, so shippers need to be prepared in advance.

Implement Consent Management System:

The customer’s right to withdraw consent makes a robust consent management system necessary, so that changes in customer preferences are accommodated in a timely manner and potential penalties are avoided.

To comply with this mandate, shippers must adopt enterprise-grade logistics management systems, make it a practice to evaluate vendors’ technological capabilities, and prepare to appoint dedicated data security personnel.

Locus’ ISO-certified, AI-driven logistics management solution helps shippers deliver value to customers and secure their personal data, leading to a better customer experience and regulatory compliance. If your current system is vulnerable to data breaches, implementing a battle-tested solution like Locus can provide the peace of mind you need to raise the bar on fulfillment and customer experience.