India has finally passed a new personal data privacy law: the Digital Personal Data Protection Act 2023. Personal data is usually any data that can be used to identify an individual. This could be in the form of email IDs, GPS data or any other such data. The new law has made several changes and envisages severe consequences if data collected by companies is misused or compromised. This essentially changes how companies can now collect, store, distribute and erase data.
In the wake of these changes, however, many companies are facing uncertainty.
The infrastructure that the new act envisages can take anywhere from 6 months to 3 years to implement, and then additional time and manpower to maintain. The legal start-up ecosystem has sought at least two years to implement the new DPDP Act. The Government has opened up a dialogue with the public and is taking suggestions from stakeholders on how to implement the new act.
The new act requires small to mid-size companies to revamp their data collection and storage infrastructure and rework both frontend and backend capabilities to comply with the new data privacy law. In our view, this should take around 2 years to set up, in line with the strategy that was adopted by the EU when GDPR was implemented.
We were also expecting to see exemptions being given to small and mid-size companies and start-ups, but the government has failed to announce any up till now, leaving the start-up ecosystem in particular in dismay.
The Road Forward
The legal and start-up fraternities are eagerly waiting for the Rules to be drafted, which should bring more clarity and structure to the new data privacy regime and to how the act will be implemented. The longer the government takes to draft these rules, the longer we get to restructure our data collection and privacy.
By the time the rules come out, you should do the following:
Identify at what stage consumer data is collected, and how much.
Identify how many people have access to that data.
Once this data is mapped, you can begin to optimise your data collection, storage, disposal and safety as per the core principles and provisions in the new DPDP Act 2023, which will include:
Changing the front-end collection prompts and authorisations.
Optimising for clear and transparent permissions from customers.
Making true and honest representations to the customer when transferring data for the customer.
Having strong and secure networks and servers, along with trusted team-mates who have access to customers’ personal data. Some companies are coming up with ingenious solutions, like encrypting data to analyse it in-house, which makes processing data cost-effective and yet ensures safety of the data.
Having a robust, continuous mechanism for disposal of consumers’ data.
Whether you are a data fiduciary or a small start-up, you will be liable for all the data you collected and processed. It is best to stay up to date with the privacy laws, as the penalty envisaged in the new regime can go as high as Rs. 500 Crore, in addition to a long-drawn-out investigation by the newly constituted Data Protection Board.
Get in touch with our data experts today!