The draft rules under the Digital Personal Data Protection (DPDP) Act, 2023 are expected to be released within the next two weeks, sparking discussions across industries. What is particularly notable is the brief transition period, expected to be just 6 to 8 months, far shorter than the 18 to 24 months requested by several technology firms and telecom operators. This compressed timeline will put immediate pressure on companies to realign their data management systems with the new standards.
A Push for Quick Compliance
Many digital companies, especially social media platforms and telecom operators, have been lobbying for a longer transition period due to the technological complexities involved in meeting the DPDP Act’s requirements. The current systems in use, often legacy-based, will require a substantial overhaul to comply with the new consent management frameworks, data minimization mandates, and storage limitations prescribed by the Act.
Notably, other global data privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union and Singapore’s Personal Data Protection Act (PDPA), allowed companies approximately two years to make the necessary transitions. However, Indian companies now face a much shorter window. This abrupt transition period is likely to impose stricter compliance demands on established, larger companies compared to smaller entities and early-stage startups, which may be granted a slightly longer grace period of 3-6 months to adjust.
Key Challenges Ahead
The DPDP Act is built around principles of lawful, fair, and transparent data processing, emphasizing the need for explicit consent from individuals regarding data collection and use. However, implementing these principles may prove challenging for many organizations, which are still grappling with the scale of change required for compliance.
One sector that will be especially impacted is mar-tech (marketing technology). Companies maintaining marketing databases without proper consent will need to delete these records and build consent-based databases from scratch, a task that demands time and resources.
The Act's Guiding Principles
The DPDP Act operates on seven guiding principles aimed at enhancing data privacy and protection. Here’s a closer look:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully with proper consent, and companies must inform individuals about the data being collected and its intended purpose.
- Purpose Limitation: Data collected for a specific purpose cannot be used for any other purpose.
- Data Minimization: Only the necessary data for providing services can be collected. Additionally, companies must dispose of the data once its purpose has been fulfilled.
- Accuracy: Companies are obliged to ensure that data remains accurate and up-to-date.
- Integrity and Confidentiality: Personal data must be protected from breaches, ensuring confidentiality and integrity throughout its lifecycle.
- Accountability: Companies must appoint data protection officers to handle grievances and ensure compliance with the Act.
The Act further emphasizes data minimization, purpose limitation, and storage limitation. Digital platforms will have to obtain explicit consent from each user for data collection, future use, and other processing activities. Failure to comply with these principles can lead to hefty penalties of up to ₹250 crore for data breaches, compelling companies to implement robust data protection mechanisms.
For a detailed breakdown of the key provisions and objectives of the DPDP Bill, see our earlier post, Unlocking the Digital Personal Data Protection Bill, 2023.
Complexities in Compliance
A significant compliance aspect involves the notification of data breaches to the Data Protection Board, the designated regulator under the DPDP Act. Unlike global data privacy laws, which often include a risk threshold for notifying breaches, the DPDP Act mandates reporting all breaches irrespective of risk. Companies that fail to notify the regulator face penalties of up to ₹200 crore, adding to the stringent compliance environment.
Additionally, the Act mandates that companies provide a privacy notice in clear, simple language across 23 languages. This notice must include the purpose of data collection, the type of data collected, and the rights of individuals under the law, ensuring transparency.
The Path Forward
Despite being passed by Parliament on August 9, 2023, the Act has not yet come into effect, pending the release and finalization of its rules and regulations. The forthcoming draft rules will not only lay down the compliance roadmap but also clarify the provisions for penalties and grievance mechanisms.
The short transition period signals the government’s intent to swiftly enforce data privacy norms and bring India on par with global data protection standards. However, this rapid implementation may pose significant challenges for companies, especially those relying on legacy systems. To navigate these complexities, organizations need to begin aligning their business processes with the Act’s requirements immediately.
To review the official government draft of the DPDP Act, 2023, click here.
How Prime Infoserv Can Assist
With the transition period fast approaching, companies across industries must act swiftly to establish comprehensive compliance frameworks. At Prime Infoserv, we offer expert guidance on navigating data privacy regulations, including the DPDP Act. Our team specializes in overhauling data management systems, implementing consent mechanisms, and crafting data protection strategies tailored to your unique business needs.
By partnering with Prime Infoserv, businesses can confidently tackle the complexities of compliance, minimizing risks and enhancing data security. Contact Prime Infoserv today to begin your DPDP Act compliance journey.