India tops the world’s population with 1.4 billion people. Sixty percent of that population fall under the working age group, which is expected to increase over the next decade. The world’s eyes are on India, as the country sees a fair amount of digitization among all tiers of its cities. With the ambitious goal of developing the entire technology value chain, India’s businesses must follow a comprehensive data management process as mandated by the Digital Personal Data Protection Act (DPDPA).
The DPDPA explained
The DPDPA creates a robust framework for data protection within India’s existing digital landscape. This framework aims to provide clear guidelines for processing digital personal data without compromising the right of individuals to protect their personal data. As well as, balancing the need to process such personal data for lawful purposes.
Under the DPDPA, data fiduciaries (data controllers and processors) must get clear consent from the data principles (the people whose data it is) after informing them about the purpose and intention of the data being collected. Let’s take a look at some pertinent obligations of data fiduciaries under the DPDPA:
-
Maintaining security safeguards and ensuring the completeness, accuracy, consistency, and erasure of personal data.
-
Declaring data breaches in a prescribed manner to the Data Protection Board of India (DPB).
-
Appointing a data protection officer (DPO) and having an effective mechanism in place to assist grievances. The DPO’s information should be shared by the organization.
-
Getting the consent of the parent or guardian in the case of data collection of children and minors (i.e., individuals under eighteen years of age).
-
Restricting AI use only to generate specific algorithmic decisions.
-
Preventing the tracking and monitoring of children’s behavior and abstaining from targeted advertisement towards children.
There are some legitimate use cases defined by the act. Data fiduciaries can use the personal data of the data principle for the following uses:
-
Compliance with any judgment or decree.
-
Responding to any immediate medical emergency, during epidemics, outbreaks, and any kind of national breakdown.
Fulfilling any obligation under any law, for the time being.
A few exemptions
Now, let us look at some exemptions outlined in the DPDPA that are extremely important for businesses to know:
-
Data can be analyzed for research, historical records, or creating statistics, as long as it is not used to make choices about individual people or individual data principles.
-
The government can allow certain data fiduciaries, like startups, to follow less strict rules for handling information. This includes things like notifications and removal of data when requested, among others.
How to transform your business while complying with DPDP
What does all this mean for your business? It means you need to manage the flow of data inside your company and in any type of partnership.
Brands can start with implementing a privacy by design approach while building or modifying products. By implementing a privacy by design approach, companies can better manage customer data. To adopt the approach, companies need to have better visibility over their data—what data they have, who has access to it, etc. Apart from managing access controls and streamlining data flow in the organization, better visibility also supports data minimization, reducing attack surface, and lowers the risks.
The privacy-by-design approach also allows businesses to ensure the protection of customer data during partnerships or collaborative activities, thus preventing any misuse of customer data. All of this together will make it easy for companies to comply with the DPDP Act.
In addition to this, being DPDP compliant translates to better trust from the first step of the service journey. It also becomes increasingly easy to comply with data protection frameworks for other regions. It is so because although the controls might vary, many requirements are common to all data privacy laws.
What’s next?
The data protection industry is set to grow, and there’s a significant need for experts in this area.
Moving forward, the government should integrate these laws with various intergovernmental organizations, such as National Association of Software and Service Companies (NASSCOM), to help customize these guidelines to specific industries. Leaders of both the private and public sectors must remember that technology is just a tool to transform and innovate businesses, making their operations more effective. To keep up with the increasing market demands, it is the social responsibility of the business concerned to make their consumers feel secured and protected.
How to comply with the DPDPA
To comply with the DPDPA, a company must first appoint a DPO, who will be responsible for defining, storing, handling, and protecting different standards of data. In the case of a data breach, the data fiduciary (along with the data processor) must report the incident to the Data Protection Board of India (DPBI). The DPDPA also mandates the organization to inform each affected individual.
Although the act does not specify a time frame for notification, the emphasis is on informing and reporting incidents promptly to minimize any potential harm. The fine for noncompliance, including failing to report an incident, ranges anywhere within INR 10,000 to INR 250 crore. There are distinctions in terms of the size and scope of the data fiduciary, which allows proportionate regulation to level the scope of penalty for enterprises and startups.
Executives should keep in mind that these laws are industry agnostic, and the Reserve Bank of India (RBI) or the Security and Exchange Board of India (SEBI) might come up with other sets of rules and regulations. For now, the DPDPA will help give structure to India’s business ecosystem and pave the way for the technology-driven privacy-focused marketplace.