Data Privacy Compliance Unwired: Start-ups and AI at the Forefront of Security
By BVLN Bhuvneshwaree and Akshata Das (Batch of 2027 – DSNLU Vizag)
[This Blogpost is a 6th Position Entry of the 1st Edition of the National Blog Writing Competition 2023 organized by Centre For Innovation, Incubation & Legal Entrepreneurship (CIILE) in Association with PANDA LAW (TEAM CODE-39)]
Introduction
The increasing ubiquity of technology has led to the accumulation of substantial volumes of personal data, posing risks to consumer privacy and making data protection more complex for organizations.[1] Individuals share personal information, knowingly or unknowingly, through the internet and smartphones.[2] Data processing often spans legal jurisdictions because servers and cloud services are distributed globally. Success rates vary widely among emerging businesses, with sectors such as construction and manufacturing, and information-based startups in particular, showing low success rates. India witnessed a surge in tech startups, with over 1,300 emerging in the past year, bringing the total of operational startups to 25,000 to 27,000 and establishing India as the third-largest hub for tech startups globally.[3] Startups must prioritize compliance with legal and regulatory requirements in this dynamic environment to keep operations running smoothly, avoid legal disputes and financial penalties, and safeguard their corporate image.[4]
Stricter data protection regulations may, at first glance, appear to disadvantage firms in comparison with firms in regions with less stringent rules.[5] However, an alternative viewpoint posits that more stringent regulations can play a role in restoring trust in the digital economy.[6] This seemingly counterintuitive perspective underscores the balance between preserving privacy and promoting competitiveness. Drawing upon the concept of regulation as “coercive rules” shaping market activities[7], it is evident that companies operating under such regulations often perceive them as constraints. This perception arises from the limitations these regulations impose on what companies can legally pursue, particularly concerning innovation. Innovators with novel product ideas may initially confront these limitations during product development and implementation. However, these challenges present opportunities for what we term “Compliance Innovation.”
A Theoretical Framework for Compliance
The Compliance Innovation approach involves adapting and innovating to ensure regulatory compliance while preserving the core architecture and value proposition of the product. This entails adjustments such as privacy-protective default settings or using anonymized data instead of personally identifiable information. This framework provides insight into how companies navigate the landscape of data protection regulation and how these choices shape their innovation strategies.[8]
Data protection obligations generally scale with the nature and risk of the processing, not with enterprise size, with stricter rules for activities that endanger rights and freedoms. Accordingly, not all General Data Protection Regulation (GDPR) obligations apply to small and medium-sized enterprises (SMEs). Entities with fewer than 250 employees are exempt from the record-keeping obligation of Article 30, except where the processing is likely to result in a risk to rights and freedoms, is not occasional, or involves special categories of data or criminal records. The GDPR applies to any enterprise processing the personal data of individuals in the EU, regardless of where the data is physically stored (Article 3). Non-compliance can lead to significant fines. Because the underlying digital infrastructure keeps evolving, the regulation is framed in technology-neutral terms so that it stays relevant in the ever-changing landscape of data management and protection.
The Paradoxical but Necessary wall of Data Privacy Regulations
However, for start-ups, this compliance can be costly and difficult to establish all at once. While walking this regulatory tightrope, how can we foster cheaper ways for start-ups to comply with data protection requirements while still protecting consumers? At this point in time, three instruments stand out: the General Data Protection Regulation of the European Union, which has extraterritorial reach; India's Digital Personal Data Protection Act, 2023; and the withdrawn Personal Data Protection Bill.
The GDPR is pioneering legislation on what personal data means and how it should be processed. Article 4(1) defines personal data expansively as “any information relating to an identified or identifiable natural person”.[9] This differs slightly from the withdrawn PDP Bill, which defined personal data as information that can be used to identify a person.[10] Although both definitions are wide, the difference can already create compliance issues for a company subject to both. Moreover, Article 9 of the GDPR sets out special categories of personal data, including racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation and more, and subjects them to stricter rules. The DPDP Act, 2023 makes no such distinction.
It is important for companies to understand the goal of data protection regulation in order to comply satisfactorily. Most data protection regulation aims at lawfulness, fairness, transparency and data minimization: services should be provided using the minimum data required, and as transparently as possible.[11] The DPDP Act expresses this through the rights of Data Principals. It sets out four rights: the right to access information about personal data, the right to correction and erasure of personal data, the right of grievance redressal, and the right to nominate.[12]
Employee Awareness Training[13]
Compliance with the obligations stipulated by the General Data Protection Regulation (GDPR) necessitates substantial investment in financial resources and human capital, along with adequate employee preparation. Employees may not be sufficiently prepared for the changes it requires or for the enforcement measures it provides for. Research by Gunasinghe in 2019 shows the willingness of customers to embrace GDPR-related provisions.[14] This includes accurate customer notification and the handling of diverse customer requests relating to data access, data deletion and data portability.
A 2018 article published by Techworld, authored by Macaulay[15], describes the GDPR preparations of a leading startup in the United Kingdom. The firm undertook a comprehensive assessment of all data it stored and how that data was used. An internal audit identified discrepancies for each manager. External counsel then made recommendations that prompted the organization to modify its procedures and enhance its data privacy and security measures. To address these new responsibilities, a designated member of each team was assigned to oversee compliance of that team's data processing activities. The organization invested considerable effort in educating its workforce, with a standing policy requiring all employees to undergo routine training on subjects including data security and GDPR-related changes. The organization's view is that individuals who take an interest in their data rights will have higher expectations of the entities that hold their data; this raises the bar for customer satisfaction and positions the organization as one that fully embraces the shift.
Currently the process of data protection compliance is expensive and cumbersome. It requires hiring a number of data compliance experts or extensively training the existing team. The obligations are numerous, and some requirements can work against driving traffic to websites. For example, the GDPR requires consent to be specific and granular, so a consent form must offer a separate opt-in for each purpose rather than one bundled acceptance of all terms and services. While plain language helps people understand their rights, the length of such forms and the multiple opt-ins often deter users from signing up. In the long run this yields loyal customers, but for a start-up that needs traction it can slow growth. Moreover, the consent given by each customer must be recorded and kept up to date, because the controller must be able to demonstrate that consent was given (Article 7), and that takes engineering effort and storage. All of this adds up for start-ups when they first begin, especially if they also need sensitive “special category” data.
AI is a Part of the Solution
However, one way to make this process easier for start-ups is the use of artificial intelligence. AI can be classified into rule-based technology and machine-learning technology.[16] Rule-based technology is also called an expert system; it applies rules by forward or backward chaining. One or more experienced humans must supply the rules, commonly in the form of a decision tree. The system is then refined by running it through scenarios, following knowledge-engineering principles, and letting it ask questions, which adds information for applying the rules. Such an AI ‘checklist’ can help companies ensure compliance. Instead of a large workforce of compliance experts, a company needs the system, a full-stack developer and one expert. Compliance experts do not lose their place; they remain essential for teaching the system. Rather than sitting down to check the compliance guidelines against the company's practice themselves, they train the system regularly to do that job, shifting their own focus to consultancy.
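The rule-based ‘checklist’ described above, as an added example (not code from the original post or from any product it mentions): a small forward-chaining expert system in which a compliance expert encodes a handful of GDPR obligations as rules, and the engine derives which obligations apply to a start-up from facts about its processing. The fact names, the two constructed scenarios and the simplified readings of Articles 9, 30(5), 35 and 37 are this example's own assumptions, not legal advice; a real rule base would be far larger and maintained by the expert.

```python
"""Forward-chaining compliance checklist: a toy rule-based expert system.

Added example, not code from the original post. The rules paraphrase a
subset of GDPR obligations (Art. 9, 30(5), 35, 37) the way a compliance
expert might encode them; fact names and thresholds are this example's own
simplifications, not legal advice.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    when: Callable[[Facts], bool]  # condition over the current facts
    then: Facts                    # facts asserted when the condition holds
    basis: str                     # provision the expert derived the rule from


def forward_chain(facts: Facts, rules: List[Rule]) -> Tuple[Facts, List[str]]:
    """Fire rules until no rule adds anything new (a fixpoint)."""
    facts = dict(facts)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.name in fired or not rule.when(facts):
                continue
            facts.update(rule.then)
            fired.append(rule.name)
            changed = True
    return facts, fired


# Stratum 1: derive risk indicators. These rules test only positive facts,
# so the order in which they fire cannot change the outcome.
RISK_RULES = [
    Rule("large_scale_special_category_is_high_risk",
         lambda f: bool(f.get("processes_special_category_data")) and bool(f.get("large_scale")),
         {"likely_high_risk": True}, "GDPR Art. 35(3)(b)"),
    Rule("profiling_with_legal_effects_is_high_risk",
         lambda f: bool(f.get("automated_profiling_with_legal_effects")),
         {"likely_high_risk": True}, "GDPR Art. 35(3)(a)"),
]


def _art30_exempt(f: Facts) -> bool:
    """Art. 30(5): every condition must hold for the record-keeping exemption.
    Uses the Art. 35 'high risk' indicator as a proxy for 'a risk', which is
    the optimistic reading; the expert can tighten it with more rules."""
    return (int(f.get("employees", 0)) < 250
            and not f.get("likely_high_risk")
            and bool(f.get("processing_is_occasional"))
            and not f.get("processes_special_category_data")
            and not f.get("processes_criminal_data"))


# Stratum 2: obligations. These may use negation, which is only safe once
# the risk fixpoint above is complete.
OBLIGATION_RULES = [
    Rule("dpia_required", lambda f: bool(f.get("likely_high_risk")),
         {"dpia_required": True}, "GDPR Art. 35(1)"),
    # Simplified: ignores the 'core activities' qualifier of Art. 37(1)(c).
    Rule("dpo_required",
         lambda f: bool(f.get("processes_special_category_data")) and bool(f.get("large_scale")),
         {"dpo_required": True}, "GDPR Art. 37(1)(c)"),
    Rule("records_exempt", _art30_exempt,
         {"art30_records_required": False}, "GDPR Art. 30(5)"),
    Rule("records_required", lambda f: not _art30_exempt(f),
         {"art30_records_required": True}, "GDPR Art. 30(1)"),
]


def compliance_checklist(facts: Facts) -> Dict[str, Tuple[bool, str]]:
    """Return obligation -> (applies?, legal basis) for the given facts."""
    derived, _ = forward_chain(facts, RISK_RULES)
    _, fired = forward_chain(derived, OBLIGATION_RULES)
    checklist: Dict[str, Tuple[bool, str]] = {}
    for rule in OBLIGATION_RULES:
        if rule.name in fired:
            for obligation, applies in rule.then.items():
                checklist[obligation] = (bool(applies), rule.basis)
    return checklist


# Constructed scenarios (not real companies).
HEALTH_STARTUP: Facts = {
    "employees": 40,
    "processes_special_category_data": True,   # patient health data
    "large_scale": True,
    "processing_is_occasional": False,
    "processes_criminal_data": False,
    "automated_profiling_with_legal_effects": False,
}
SMALL_B2B_SAAS: Facts = {
    "employees": 20,
    "processes_special_category_data": False,
    "large_scale": False,
    "processing_is_occasional": True,
    "processes_criminal_data": False,
    "automated_profiling_with_legal_effects": False,
}

if __name__ == "__main__":
    for label, facts in (("health start-up", HEALTH_STARTUP), ("small B2B SaaS", SMALL_B2B_SAAS)):
        print(label)
        for obligation, (applies, basis) in compliance_checklist(facts).items():
            print(f"  {obligation:<24} {applies!s:<6} ({basis})")
```

The two strata matter: the exemption rule negates a derived fact, so it must only be evaluated after every risk rule has had the chance to fire, otherwise the answer would depend on rule order. That is the kind of subtlety the expert has to get right when teaching the system, and it is why the expert's role shifts rather than disappears.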
Moreover, AI can help in implementing training. Article 39 of the GDPR makes awareness-raising and training of the staff involved in processing a task of the Data Protection Officer, and Article 38(2) requires the controller to give the DPO the resources needed to maintain expert knowledge. Hiring and training DPOs is a large cost add-on that can be reduced by having AI deliver the training. Similar to a decision tree, responses from experienced DPOs can be recorded and used, through backward chaining, as a benchmark against which newly trained DPOs are assessed on the compliance rules. The system can formulate scenarios and questions from past data and the rule set provided; this is where the machine-learning aspect of AI can step in. AI can also help with other tasks such as the pseudonymization and encryption of personal data referred to in Article 32 of the GDPR. Machine learning can be used to flag likely regulatory changes and propose corresponding updates to training material and compliance rules, so that nobody has to rewrite them from scratch, though each proposed change still needs review, all under the guidance of experienced DPOs and legal experts.
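The pseudonymization that Article 32(1)(a) names as a safeguard, and that the Compliance Innovation section above mentions as a substitute for processing identifiers directly, as an added example (not code from the original post): a start-up that wants to keep analytics linkable without storing raw e-mail addresses. The block contrasts an unkeyed hash, which an attacker reverses by guessing likely inputs, with an HMAC whose key is held apart from the data set (the “additional information kept separately” of Article 4(5)). The sample record, the candidate list and the field names are constructed for the demonstration; the key-storage arrangement is assumed, not prescribed by the regulation.

```python
"""Pseudonymization with a keyed hash, as a safeguard under GDPR Art. 32(1)(a).

Added example, not code from the original post. It contrasts an unkeyed hash
(reversible by guessing inputs) with an HMAC whose key is held separately
(the "additional information" of Art. 4(5)). Record fields and candidate
e-mail addresses are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional


def naive_token(value: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier. Looks opaque, but anyone who
    can guess the input (e-mail addresses are guessable) can confirm it."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same input -> same token, so records stay
    linkable for analytics, but re-identification requires the key."""
    if len(key) < 32:
        raise ValueError("use at least 256 bits of key material")
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      tokenize: Callable[[str], str]) -> Optional[str]:
    """What an attacker who holds the data set but not the key can do: try
    likely inputs and compare."""
    for candidate in candidates:
        if hmac.compare_digest(tokenize(candidate), token):
            return candidate
    return None


def pseudonymize_record(record: Dict[str, str], key: bytes,
                        direct_identifiers: Iterable[str]) -> Dict[str, str]:
    """Replace direct identifiers with keyed tokens; leave other fields as-is.
    The result is still personal data (Recital 26): pseudonymization reduces
    risk, it does not take the data outside the GDPR the way anonymization
    would."""
    out = dict(record)
    for field in direct_identifiers:
        if out.get(field) is not None:
            out[field] = keyed_token(out[field], key)
    return out


# Constructed sample input (not real people).
RECORD: Dict[str, str] = {
    "email": "Asha.Rao@example.com",
    "phone": "+91-90000-00000",
    "plan": "pro",
    "signup_month": "2023-09",
}
CANDIDATES = ["bob@example.com", "asha.rao@example.com", "priya@example.org"]


def demo(key: bytes) -> Dict[str, Optional[str]]:
    """Run the guessing attack against both token kinds; None means it failed."""
    return {
        "unkeyed": dictionary_attack(naive_token(RECORD["email"]), CANDIDATES, naive_token),
        "keyed": dictionary_attack(keyed_token(RECORD["email"], key), CANDIDATES, naive_token),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the pseudonymized data set
    print(pseudonymize_record(RECORD, key, ["email", "phone"]))
    print(demo(key))
```

Whoever holds the key can still run the same guessing attack against the keyed tokens, which is exactly why the key must live in a separate store with its own access control; and because the tokens remain linkable to a person by the key holder, the pseudonymized data set is still personal data and still subject to the access, correction and erasure rights discussed earlier. Truly anonymized data, from which no one can re-identify individuals, is a stronger claim that this technique does not provide.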
[1] Lindgreen, E.R., “Privacy from an Economic Perspective,” in The Handbook of Privacy Studies: An Interdisciplinary Introduction, Amsterdam University Press (2018), pp. 181–208.
[2] World Bank, World Development Report 2021: Data for Better Lives (Washington, D.C.: World Bank, 2021)
[3] Economic Times, “India Now Has Nearly 27,000 Active Tech Startups, Adds 1,300 Last Year,” (URL: https://economictimes.indiatimes.com/tech/startups/india-now-has-nearly-27000-active-tech-startups-adds-1300-last-year/articleshow/97940297.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst).
[4] Nitesh Kumar, “Decoding DPPA: Road Ahead For Startups,” Businessworld (August 19, 2023), https://bwdisrupt.businessworld.in/article/Decoding-Data-Protection-Bill-2023-Road-Ahead-For-Startups/19-08-2023-488167/.
[5] (Wallace & Castro, 2018).
[7] Blind, K., Petersen, S. S., & Riillo, C. A., “The impact of standards and regulation on innovation in uncertain markets,” Research Policy, vol. 46, no. 1, pp. 249-264.
[8] Stewart, L. A., “The impact of regulation on innovation in the United States: A cross-industry literature review,” http://www.itif.org/files/2011-impact-regulation-innovation.pdf?_ga=2.205333144.926975793.1525166652-1519522663.1525166652.
[9] Robert Bateman, GDPR Compliance for Startups, TermsFeed (July 1, 2023), https://www.termsfeed.com/blog/startups-gdpr-compliance/.
[10] Robert Bateman, India’s Personal Data Protection Bill (PDPB), TermsFeed (Sept. 1, 2023), https://www.termsfeed.com/blog/pdpb/.
[11] Compliance Requirements under the DPDP Act – Tsaaro Consulting, Tsaaro (Aug. 11, 2023), https://tsaaro.com/blogs/compliance-requirements-under-the-dpdp-bill-2023/.
[12] Atul Gupta, “Digital Personal Data Protection Act, 2023 – An Overview,” KPMG India (Aug. 18, 2023), https://kpmg.com/in/en/home/insights/2023/08/digital-personal-data-protection-act-2023-overview.html.
[13] Gaurav Gupta & Shaji Joseph, “Challenges In Corporate Governance In The Implementation Of GDPR For IT Start-Up Companies In India.”
[14] U. Gunasinghe & P. Khanna, “GDPR Employee Awareness.”
[15] Macaulay, T., “How startups have prepared for GDPR,” Techworld, https://www.techworld.com/data/how-startups-are-preparing-for-gdpr-3668896.
[16] John Kingston, Using Artificial Intelligence to Support Compliance with the General Data Protection Regulation, University of Brighton