How India’s New Data Protection Law Works at the Workplace

Contrary to popular belief, Lorem Ipsum is not simply random text. It has roots in a piece of classical Latin literature from 45 BC, making it over 2000 years old. Richard McClintock, a Latin professor at Hampden-Sydney College in Virginia, looked up one of the more obscure Latin words, consectetur, from a Lorem Ipsum passage, and going through the cites of the word in classical literature, discovered the undoubtable source. Lorem Ipsum comes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum et Malorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC. This book is a treatise on the theory of ethics, very popular during the Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sit amet..", comes from a line in section 1.10.32. The standard chunk of Lorem Ipsum used since the 1500s is reproduced below for those interested. Sections 1.10.32 and 1.10.33 from "de Finibus Bonorum et Malorum" by Cicero are also reproduced in their exact original form, accompanied by English versions from the 1914 translation by H. Rackham.

There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour, or randomised words which don't look even slightly believable. If you are going to use a passage of Lorem Ipsum, you need to be sure there isn't anything embarrassing hidden in the middle of text. All the Lorem Ipsum generators on the Internet tend to repeat predefined chunks as necessary, making this the first true generator on the Internet. It uses a dictionary of over 200 Latin words, combined with a handful of model sentence structures, to generate Lorem Ipsum which looks reasonable. The generated Lorem Ipsum is therefore always free from repetition, injected humour, or non-characteristic words etc.

Organisations will have to pay close attention to their internal employee data handling policies and processes. But they tend to also share their employee data with others. In such cases risks to employee data can arise out of at least two scenarios – sharing data among group companies or outsourcing it to third parties for provision of certain services.

It is common for group companies constituted of several distinct companies fulfilling different functions, to share data among themselves. This data could include employee data which may be shared for purposes such as standardising salaries across the group. Under EU’s GDPR, group companies can transfer data among themselves, but they need to be able to prove a legitimate interest for transferring such data. If legitimate interest is not proved, it could have implications not just for the company processing the data, but also for the entire group. They are likely to have similar implications under the DPDP Act.

Many organisations also outsource employee data for provision of certain services. Recently, the demand for business process outsourcing has increased, which frees-up businesses to focus on their core functions. There are many Human Resources functions being outsourced to third party service providers. Several such providers also use automation and AI for greater efficiency, and their data processing practices could be vastly different from that of the data fiduciary’s.

The DPDP Act makes it clear that any processing of personal data is the primary responsibility of the data fiduciary. This means that employers will be accountable for the data processing activities of their data processors, such as the ones discussed above. It is therefore crucial for organisations to look both inward and outward to carefully examine all their data flows.