The world has moved past the phase when technology was just an enabler; today it is fueling businesses to reach new heights, and ‘Data’ has taken center stage. As data forms the backbone of business functions today, even for governments, the security of this most crucial asset of the contemporary world is of paramount importance. A 2021 report by the United Nations Conference on Trade and Development (UNCTAD) underscores that 137 of 194 countries, around 71 percent, have proper legislation for data protection and privacy. Around 9 percent of countries, mainly Middle Eastern ones and a few in Africa and Asia, have draft legislation. Shockingly though, 15 percent of countries do not have any legislation in place to safeguard their digital data.
However, new research published by Graham Greenleaf of the Faculty of Law at the University of New South Wales suggests that “from February 2021 to March 2023, 17 new countries have enacted data privacy laws”. Though the content of the legislation varies from country to country, a resemblance to the European Union’s (EU) General Data Protection Regulation (GDPR) can be seen in many of these laws.
In a much-awaited move, the Government of India rolled out the Digital Personal Data Protection (DPDP) Act 2023, following the President’s assent in August 2023. The DPDP Act forms a policy framework that extends a higher level of accountability and responsibility to entities and businesses dealing with the collection, storage, and processing of citizens’ data. The legislation lays strong emphasis on the ‘Right to Privacy’ while ensuring transparency and answerability of companies dealing with citizens’ personal data.
What’s the DPDP Act?
The DPDP Act was first tabled in Parliament in 2019, and since then the draft legislation underwent nearly 81 amendments before it was finally rolled out as an official Act in the present year. Numerous concepts under the DPDP Act resemble the EU’s GDPR framework. The Act applies to all data within the country, whether it is online or was originally offline and digitised later. It also applies to personal data processing beyond India’s borders, particularly for the provision of goods and services to people within the Indian borders.
Further, the legislation mandates explicit consent from the respective individual before their personal data is collected and processed. This will hold unless specific circumstances require otherwise, as in matters of national security and law and order.
The DPDP Act has introduced the term ‘Data Fiduciary’ for entities that act as data regulators or controllers. These entities will, independently or in collaboration with others, define the goal and ways of processing personal data. The Centre, considering the sensitivity and amount of data processed, can label any Data Fiduciary as a ‘Significant Data Fiduciary (SDF)’. Moreover, the SDFs will have an additional obligation under the Act to appoint a Data Protection Officer (DPO). The officer will be tasked with addressing the concerns of the individuals whose personal data will be leveraged. The Act allows the fiduciaries to transfer personal data beyond borders for processing; however, the Centre has the authority to restrict data sharing through notifications.
The need for ‘Data Protection Board’
In an effort to ensure the proper implementation of the DPDP Act, the Government of India will also form the ‘Data Protection Board’. The Board will function as an unbiased adjudicatory body to address cases of data privacy breaches and resolve relevant grievances. In the role of an independent regulator, the Board will possess the power to ascertain non-compliance with the DPDP Act and impose relevant penalties on the defaulters. The power to appoint the chief executive and board members of the Board will rest with the Centre. Moreover, as a provision to allow users to challenge the Board’s decision, the Centre will also devise an appellate body, a role which may be assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The body will ensure no wrongful conviction by the Data Protection Board.
Impact on industries
The DPDP Act has a direct impact across industries. Organisations need not only to reassess their existing compliance status and gear up to cope with the new norms but also to create a phased action plan for various processes. Moreover, if labeled as an SDF, an organisation also needs to appoint a Data Protection Officer (DPO).
Companies additionally have to invest in adopting the necessary changes to comply with the law. They need to list their third-party data handlers, consent types and processes, privacy notices, and contract clauses; categorise data; and develop breach management processes.
Sharing his perspective on the DPDP Act, Amit Jaju, Senior Managing Director, Ankura Consulting Group (India) says, “The Digital Personal Data Protection Act 2023 has ushered in a new era of data privacy and protection, compelling solution providers to realign their business strategies with its mandates. The Act emphasizes stringent consent management, requiring providers to transparently handle the data collection, storage, and sharing processes. This shift necessitates a thorough review and modification of existing practices, especially regarding the restricted sharing of data outside India. Service providers are thus prompted to not only enhance their data security measures but also to scrutinize and possibly overhaul their data governance frameworks. This extends to revisiting strategic partnerships, ensuring that all collaborative efforts meet the new standards set forth by the Act.”
“Moreover, companies are now tasked with reshaping their marketing strategies to demonstrate their commitment to data protection, which could serve as a pivotal trust-building element with consumers. The need to comply with the DPDP Act also presents an opportunity for businesses to differentiate themselves, emphasizing their dedication to safeguarding customer data as a core value proposition. In essence, the DPDP Act compels solution providers to leverage compliance as an advantage, potentially augmenting their offerings and reinforcing their position in a competitive, privacy-focused market landscape,” he adds.
“Cybersecurity and Privacy both domains have a significant symbiosis with each other and hence my enthusiasm that with the DPDP Act, we should expect a significant shift in the maturity of the cybersecurity practices in our country… The introduction of the DPDP Act is a momentous occasion that creates a great opportunity for India to be on the list of the safest nations in the world for conducting digital business,” highlights Vishal Salvi, CEO, QuickHeal Technologies Limited.
Rasika Kuber, Chief Compliance Officer, Digit Insurance, calls the move “an added layer of regulation and security with more significant oversight on the data governance.” Kuber, elaborating on the impact of the DPDP Act on Fintechs’ business strategies, product development and services delivery, says, “Fintech companies must show adaptability and have a welcoming approach towards the new framework and the underlying requirements, as this will not only help them remain legally compliant but will also pave the way for growth and better opportunities in this data-driven world. They must redesign their products and services keeping in mind the protection of customers’ trust by means of responsible data handling as well as management, and development of effective privacy governance programs and practices. All in all, they will have to delicately balance the preservation of customer’s rights with the fulfilment of necessary data processing requirements.”
Meanwhile, Krishnan Chari, Chief Risk Officer, Worldline India, underlines, “The roll-out of the Digital Data Protection Act 2023, is timely. It is a strategic regulation impacting the National Digital Financial Data Security, Digital Financial Architecture, and Digital Economics of the country. These macro areas have a clear and deep influence on fintech business and product strategy, including the operational aspects of acquiring, storing, and processing information in a secure manner.”
“Additional capex outlay for redesigning processes that collate and evaluate customer data and data protection controls. Digital customer interface – Apps and Website processes will need to be upgraded in terms of their user interface and provide customers with appropriate consent form, and terms and conditions. Further, there is a challenge in creating awareness and enabling correct customer actions.
Customer personal financial and demographic data such as CIBIL will have an additional cost attached to it as consent managers will charge for mobilising customer consent for the use of their data for marketing, product research, financial research, demographic research, etc. Besides, direct impact on financial inclusion programs and overall customer data cost for market research will increase,” Chari adds.
How will the DPDP Act impact security service providers? In answer to this, Trishneet Arora, CEO & Founder, TAC Security, paints a descriptive picture of the changes in the security service industry once the legislation is completely in action: “Before the Act’s activation, security service providers need to prepare comprehensively. The compliance requirements, which include data protection measures and breach notification protocols, will necessitate substantial adjustments to their existing security strategies and technologies. It’s imperative that these providers proactively update their systems and practices to align with the DPDP’s stringent provisions. Once the Act is in action, security service providers will see an upsurge in demand for their services. Organisations will need to ensure they comply with the bill’s data protection requirements, and this translates into increased demand for security assessments, audits, and cybersecurity solutions. Service providers need to be ready to assist companies in securing their data and ensuring DPDP compliance.”
When asked about the impact of the DPDP Act on the data center industry, Venkatesh Rajeswaran, President – Technology Solutions Group, Redington says, “The DPDP Act of 2023 will have several implications for all service providers, including data center solution providers and cloud providers in India. These implications will include the implementation of appropriate security measures to protect customer data, the appointment of data protection officers, and the establishment of procedures for responding to data breaches.
These requirements will impose additional costs and responsibilities on data center providers, but will also create new opportunities in the market. The Act will catalyse the emergence of new Indian cloud providers that can compete on a global scale, thereby advancing India’s digital stream and promoting digital transformation capabilities for Indian companies.”
Further sharing his perspective on the change in market demands, Rajeswaran underlines, “Enterprise customers’ expectations and demands in the data center market will be affected by the DPDP Act in various ways. Customers will expect more transparency and accountability from the data center providers regarding how they collect, store, use, and share their data. They will also opt for data center providers that have a local presence in India, as the DPDP Act imposes restrictions on the cross-border transfer of personal data.”
All in all, the Act will help India strengthen its digital security posture and present itself as an attractive and safe place for digital business. Besides, the country’s huge base of internet users will be reassured and able to trust online services, whether from the private sector or the government. Ultimately, the DPDP Act will contribute to securing and bolstering the country’s IT infrastructure and making it future-ready.