In data governance, archiving and purging emerge as concurrent moves on revocation, each with its own implications and significance. Let's explore their collective impact on shaping agile, privacy-respecting data management.
As conveyed by the DPDP Act of 2023, every data fiduciary (the business that collects personal data in order to provide its services) must map the data lifecycle to the consent lifecycle and make it available to the data principal (the owner of the data), who now has the option not only to review the consent given but also to update and revoke it over time. What happens to the dump of collected data when thousands of users request revocation? This article puts a data governance perspective around that question.
On revocation, as per the DPDP Act, the consent manager updates the data fiduciary about the purpose for which the data principal submitted a revoke request, and a series of events follows:
A. The data fiduciary stops the services associated with the purpose for which consent was revoked.
B. The data fiduciary or consent manager notifies all the processors involved in processing the personal data of the revocation.
C. The data fiduciary or consent manager, while notifying the principal, also clearly mentions the tentative period after which the data will be permanently erased from all systems.
D. The data fiduciary also mentions any superimposing laws or regulations it abides by that require it to store the data for a certain period after the revocation request.
E. The data fiduciary is now in charge of making sure that the data shared with any processors is erased on their end, and that this is reflected in the consent manager's principal view.
F. If there are no superimposing regulations, or once the period they require has passed, a purging policy needs to be articulated and put in place under which the PII data is purged or erased from all systems, leading to true privacy over personal data.
In the end, beyond legal mandates, these processes signify a commitment to transparency, user control, and responsible business. As data fiduciaries navigate the post-revocation phase, their adherence to explicit communication, cessation of services, and the articulation of purging policies becomes a testament to their commitment to user privacy. Creating a seamless and compliant flow from data collection up to data deletion is the new normal of data governance.