Digital identity verification firms verify individuals, i.e. customers or employees, on behalf of other organizations. As online ID verification service providers, they do not share a direct relationship with the individuals they verify, and since identity is established right at the beginning, they typically do not have access to personal data through the full course of the customer or employee relationship.
Nevertheless, the Personal Data Protection Bill imposes obligations on all entities to protect any personal data they might have access to, even if it is for a specific purpose and a limited duration of time.
For their part, digital identity verification firms can start by creating an inventory of all the data elements they collect and store, and the various data processing activities they perform. The data elements can then be mapped to their respective (i) data category: personal data, sensitive personal data, critical personal data (specified but not defined in the bill) and non-personal data, (ii) purpose of collection, and (iii) retention period (the bill outlines different collection, storage and transfer practices for different data categories). This is obviously not a one-time activity, but it is also not meant to be a continuous drain on the firm’s time and resources. The idea is for firms to develop the habit of maintaining an on-demand record of processing activities.