By Akshat Gairola, Partner, Cybersecurity, BDO India
Digital Personal Data Protection Bill, 2023 (DPDP Bill) was introduced in the Lok Sabha on 3 August 2023, passed in the Lok Sabha on 7 August 2023, followed by the Rajya Sabha on 9 August 2023. The much-awaited bill applies to any organisation offering goods and services in India.
To assuage doubts or concerns regarding this bill, stakeholders and leaders would need to drive a change of mindset within their teams. They should effectively communicate the intent of the bill, which is not to complicate business operations but to ensure that Data Principal Identifiable Information is collected with consent and used for its intended purpose. This awareness is crucial as the success of any data privacy framework hinges on teams following it diligently.
It is important for organisations to conduct a gap assessment against the DPDP Bill to understand the maturity of their practices vis-à-vis the bill’s provisions. After analysing and discussing the outcome of the report, the relevant stakeholders and business leaders can define a roadmap for designing and implementing the framework. It should be noted that educating teams about their responsibilities is a pivotal, yet challenging, task. Organisations should know, as a starting point, where all the data is stored and which departments it passes through, and develop a structured approach in which data flow diagrams are created and updated annually or whenever a major change occurs.
If an organisation falls under the category of significant data fiduciary, it is mandated to have a Data Protection Officer and to conduct a Data Privacy Impact Assessment. Organisations must ensure that they have adequate security to protect data from breaches. However, in the event of a breach, an effective data breach management procedure is crucial to contain the breach and report it to the Data Protection Board and the affected Data Principals. While there is no mandate on whether the framework should be managed manually or through technical solutions, leveraging technology is advisable for better assurance around the implementation and sustenance of the framework. Effective consent management is also one of the key elements of the bill. It is crucial for data fiduciaries to conduct a thorough review of existing contracts with data processors, particularly those organisations engaged to process Data Principal data on their behalf.
Additionally, it is important to note that there are exemptions concerning data processing. One such exemption relates to the security of the state. Another exemption applies when data processing is deemed necessary for research, archiving or statistical purposes, provided that the personal data is not used to make any decision specific to a Data Principal and such processing is carried out in accordance with the act/bill.
The awaited formation of a Data Protection Board is on the horizon. However, organisations are advised not to wait for the board’s constitution to embark on their compliance journey. The board, when constituted, may have powers to audit organisations to assess how well their data privacy framework aligns with the DPDP Bill. Moreover, if a Data Principal raises a complaint relating to a date after the bill’s enactment, the board should be well within its rights to assess an organisation’s framework. To reiterate, it is essential that stakeholders and business leaders mandate their teams to follow the laid-out framework. Success for organisations in achieving this will significantly benefit Data Principals, leading to a societal win.