NASSCOM interacted with the industry during an online policy roundtable organized by NASSCOM on 16 October 2020, to discuss NITI Aayog’s draft discussion paper on Data Empowerment and Protection Architecture (DEPA). The roundtable saw participation from companies who are both actual (for instance, existing Account Aggregator licensees) and potential stakeholders in the DEPA framework. For background on DEPA, please read here.
The program for the roundtable was as follows:
- Overview of DEPA, by NASSCOM team
- Learning from the Account Aggregator Experience (Speakers: Krishna Prasad, CEO, Onemoney and Prashant Paliwal, CEO, Yodlee Finbit)
- Learning from an Information Provider/User: Improving the DEPA (Speaker: Ashish Singhal, Head of Credit Business, Experian)
- Discussion on Areas of Concern
The discussion during the roundtable, raised several points with respect to the implementation roadmap for DEPA mission and the foreseeable challenges in the operationalization of DEPA. In particular, the following issues were highlighted by participants:
- There is a need to ensure timely onboarding of stakeholders, especially, information providers to get the DEPA operational as soon as possible;
- There is a need for alignment of incentives amongst various stakeholders (data principal, consent manager, information provider and information user) in order to ensure that the quality of service is maintained across the ecosystem, and data sharing happens effectively;
- There is a need to ensure both high-quality and high-variety data sharing, in order to develop some of the solutions envisaged under the draft discussion paper. Currently the DEPA stops at enabling the availability of data, without considering ways of enabling higher-variety and quality of data;
- While the discussion paper highlights that the consent manager would be a separate entity engaged only in the business of consent management and it will also be data blind, there is need for detailing in the paper to ensure implementation
- Simplifying the architecture for asking for granular consent without making it too burdensome on the data principal;
Institutional Coordination for DEPA
- There is a need to highlight the role of sectoral regulators in implementing the DEPA and the need for creation of a dedicated channel of communication between the regulator and stakeholders for continuous improvement, given the evolutionary nature of DEPA;
- Sectoral regulators should enable participation of more entities as an information provider/user (for example, credit bureaus), and providing an enabling legislative framework for leveraging the consent-based data sharing framework in the most valuable way;
- There is a need to establish data security standards that need to be followed by stakeholders, and the need for an authority to monitor the implementation of these standards (possibly the Data Protection Authority (DPA) proposed to be established under the Personal Data Protection Bill, 2019); and
- There is a need for greater awareness among data principals about their rights and consequences of sharing or not sharing data, the availability of consent management services etc.
The issues mentioned above, and additional issues are being examined by NASSCOM, as we work to formulate a comprehensive response to the DEPA draft discussion paper. We appreciate the inputs that have already been sent to us in this regard and request Members who haven’t sent their inputs yet, to share their inputs latest by 6 November 2020 to firstname.lastname@example.org.