We are inching to the end of 2023, and while a data protection law is finally in place, India has only just about started. The Digital India Act is expected to replace the Information Technology Act and Rules of 2000. Once enacted, this law will address online safety, cybersecurity, Artificial Intelligence regulation, and surveillance matters. It will be interesting to see potential overlap and inconsistencies between this statute and the DPDP Act. The DPDP Act is 'principles-based legislation' that relies on concepts broadly similar to those in the GDPR. It governs data fiduciaries (i.e., data controllers), data processors, and data principals (i.e., data subjects). A unique feature of the DPDP Act is that data fiduciaries have been classified into different brackets based on personal data volume and sensitivity (and other prescribed criteria). Organizations routinely dealing with large volumes of personal data will be classified as significant data fiduciaries and have additional obligations such as appointing a data protection officer and an independent data auditor and conducting data protection impact assessments.
On the other hand, small-sized data fiduciaries, including start-ups, can be exempted by the Indian Government from certain obligations such as notice, ensuring accuracy, completeness, and erasure of personal data, and ensuring data principals' right to access information.
The Digital Personal Data Protection Act (DPDP) is a complex and dynamic law with a wide range of provisions and requirements. Interpreting and applying the law can be challenging, even for organizations with dedicated data privacy teams. This complexity necessitates ongoing effort and vigilance to ensure consistent compliance.
The DPDP's emphasis on user control reflects a growing global recognition of the importance of individual privacy in the digital age. By empowering individuals with greater control over their data, the DPDP aims to foster a more privacy-protective environment in the digital realm. It does so by granting rights to individuals and placing obligations on the businesses and organizations that collect, process, and store personal data. Individuals can exercise their rights to access, rectify, or erase their data, and to object to or restrict its processing. They can also receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller without hindrance.
Who Must Comply with the DPDP Act?
Under the DPDP Act, 'Data Fiduciaries' – entities that handle personal digital data in India – are primarily responsible for compliance (Clause 2 (i), DPDP Act). This responsibility includes adhering to DPDP regulations and identifying data processors. Consent managers registered with the Board also have duties under the DPDP. All data fiduciaries must comply with the Act's regulations (Clause 2 (g), DPDP Act).
Why Must Data Fiduciaries Comply with the DPDP Act?
There are several compelling reasons why data fiduciaries must ensure compliance with the DPDP Act:
Safeguarding Privacy: The DPDP Act's primary goal is to protect the digital personal data of Indian citizens. Data fiduciaries managing such data must ensure its processing is fair, transparent, and accountable.
Avoiding Stiff Penalties: While the DPDP Act isn't legally mandatory, data fiduciaries risk severe penalties in case of a data breach. Therefore, it's beneficial for them to be DPDP compliant. In a data breach scenario, the Data Protection Board could hold the fiduciary accountable, potentially leading to fines of up to INR 250 crore (approximately USD 30 million).
Upholding Reputation: Compliance with the DPDP Act demonstrates a data fiduciary's commitment to privacy, enhancing its reputation and aiding in customer attraction and retention.
What's in It for Businesses?
The Digital Personal Data Protection (DPDP) framework promotes data protection and privacy while encouraging businesses to adopt modern privacy practices, utilize privacy-enhancing technologies, and educate employees on proper personal data management.
Data protection regulations may seem uncertain, but they can help businesses proactively protect personal data. The Act fosters a culture of vigilance, enabling organizations to conduct gap assessments and implement remedial strategies. At the same time, the Digital Personal Data Protection Act (DPDP) will be an additional obligation for businesses operating in India. The law will require companies to change how they collect, use, and store personal data, which will involve additional costs and resources. Businesses must invest in new technologies, processes, and personnel to comply with the DPDP. This will include the costs of training employees, purchasing data security software, and hiring data protection compliance specialists. Data management also becomes more complex, because businesses now have to track and manage personal data more granularly. While achieving compliance may be difficult, it allows companies to improve their data security procedures, win over consumers, and cultivate a culture of responsible data handling.
The Act strikes a crucial balance between safeguarding user rights and fostering innovation in the digital realm. Investing in robust cyber security measures protects customer data and maintains a strong security posture against cyber threats. The established cross-border data transfer mechanism will attract foreign investments, boost start-ups, streamline compliance, and enable the government to address data transfer concerns effectively.
As data collection and processing practices evolve, organizations must adapt their compliance strategies to meet the law's ever-changing requirements. Treating privacy as a fundamental right means creating a culture of privacy where it is prioritized, valued, and protected! The dexterity, agility, and resilience with which businesses achieve the goals defined in the DPDP Act will determine their ability to remain fit for the future and contribute to India's transition to a mature digital economy.