A step forward – Digital Personal Data Protection Bill in the making!

After much deliberation and time investment, the Lok Sabha and Rajya Sabha have passed the Digital Personal Data Protection Bill, 2023 (DPDP Bill), retaining the contents of the original version of the legislation proposed last November. The DPDP Bill reflects India's commitment to safeguarding personal data in the digital age. If the Act is implemented effectively, it has the potential to give individuals greater control over their data and to encourage responsible data processing practices by organisations. However, the success of the legislation will depend on how well it adapts to the rapidly evolving digital landscape and on the establishment of a robust regulatory framework.

The DPDP Bill focuses on digital personal data and does not apply to non-personal data. Once enacted, the DPDP Bill will replace Section 43A of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The DPDP Bill applies only to personal data that is collected in digital form, or collected in non-digital form and subsequently digitised; personal data in any other form is outside its scope. It also applies to digital personal data processed outside India where the processing is connected with offering goods or services to data principals in India. The DPDP Bill does not apply to personal data processed by an individual for any personal or domestic purpose, or to personal data made publicly available by the data principal themselves or by any other person under a legal obligation to do so.

The DPDP Bill seeks to establish a framework to protect individuals' privacy rights and to regulate data processing by a wide range of institutions and entities. Implementing data protection regulations comes with its own challenges, especially for companies that manage large volumes of data or that depend heavily on digital marketing campaigns.

Companies will face multiple challenges, starting with awareness and understanding. Many may not fully grasp the intricacies and implications of data protection law, so they will need to invest in understanding the legal requirements, how those requirements apply to them and how they affect their operations. Some small and medium enterprises may lack the financial resources and expertise required to implement comprehensive data protection measures; compliance entails costs for technology, training and legal consultation. A high degree of change management is also required, since implementing data protection often means significant changes to existing processes and practices: companies may need to restructure how they collect, store and process data, which can be disruptive and time-consuming. Finally, ensuring data security and compliance may demand heavy investment in technology, including upgrades to existing IT infrastructure and cybersecurity measures such as adequate data loss prevention controls and secured data vaults.

Beyond the challenges above, some adaptations to legal and regulatory requirements, consent management for example, may change the business landscape. Valid consent from individuals is key to data processing, and obtaining and managing that consent will be challenging. It also requires clarity on whether a given processing activity rests on deemed or explicit consent.

Data breaches and security incidents can happen despite the best efforts. Companies are required to institutionalise a robust incident response plan so that breaches are addressed promptly and potential harm is mitigated. Employees need to be trained and informed about data protection procedures and practices, including how to handle personal data responsibly and securely in line with the requirements and the newly developed procedures for safeguarding personal data.

Large companies outsource significant parts of their products or services and often share data with third-party vendors. Ensuring that these vendors are compliant will remain a challenge once the DPDP Bill is rolled out.

Data protection laws are not limited to India. Many countries have their own regulations, and private entities with international operations must navigate a complex web of compliance requirements. In keeping the DPDP Bill simple and short, the draft leaves multiple ambiguities, and companies are left to rely on their best interpretation and on expert opinion. These factors also complicate the integration of Indian law with global practices and standards. Further, maintaining comprehensive records of data-processing activities and demonstrating compliance to regulatory authorities can be time-consuming and problematic.

To overcome these challenges, companies should prioritise data protection as a strategic goal. This involves allocating resources, carrying out maturity assessments, upgrading technology and seeking expert guidance to ensure adherence to the law while maintaining business operations.

Source : Cisco Economic Times