Unlocking the DPDP Act: What Every Business Needs to Know

Devansh Dubey | Law


While we patiently wait for the rules and guidelines under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), a news clip started doing the rounds in the last week of October. It essentially said, “Dear businesses, do not wait for the final DPDP rules. Start preparing now!” Is this a gentle reminder from the government to get compliance in order? Compliance is a continuous process, after all. By the time rules are completely implemented, a lack of preparation may cause serious problems. In the Indian context, the DPDP Act is a landmark legislation governing the processing, storage, and transfer of personal data. The Act establishes a consent-based framework, ensuring that personal data is used only with express consent and in line with minimisation principles. In this article, we explore the DPDP Act from the lens of compliance for a modern-day business.

Impending Risks Due to Delayed Compliance

Delaying compliance with the DPDP Act exposes businesses to long-lasting risks, including:

  • Legal Compliance: Non-compliance with the DPDP Act carries a high risk of severe fines and penalties. The Act provides for penalties of up to ₹250 crore for violations resulting from a failure to put appropriate safeguards in place.
  • Reputational Risks: As we move towards a privacy-aware society, non-compliance may lead to reputational damage, loss of customer trust and lost business opportunities.
  • Technical Risks: Implementing adequate security practices to protect personal data is a significant component of any organisation’s security defences. Operational disruptions and financial losses caused by data breaches can make it difficult for a business to continue operating smoothly.

In addition to these challenges, businesses may need to cope with legal challenges and compensation claims before the regulatory authority. Legal costs can mount up quickly, further affecting the overall financial stability of a business. But fear not! Proactive compliance is the key to managing the relevant risks and gaining a competitive advantage in the market.

Action Plan for Businesses

India is not a pro-compliance society. Most businesses avoid compliance and consider it an unnecessary expense. However, now is the time to change this notion. Compliance helps build customer trust, enhances your reputation, and ensures smooth operation. It also prepares your business for regulatory changes, securing its financial health and maintaining operational continuity.

A solid grasp of the DPDP Act’s basics is crucial to ensuring compliance. While you can always delegate compliance to your legal team, whether internal or external, as a business owner a foundational understanding goes a long way in running privacy-conscious business operations.

We have prepared this Action Plan to act as a stepping stone in your journey towards DPDP compliance.

Step 1: Understanding the Basics

  • Consent and Notice: A business must give proper notice and obtain consent as required under Sections 5 and 6. In this relationship, your existing or potential customer is a data principal while you are a data fiduciary. You cannot process a data principal’s data without proper notice and consent. Here, data processing is any operation or set of operations carried out on digital personal data, whether wholly or partially automated.
  • Data Principal Rights: Section 12 sets out the rights data principals have over their data stored with data fiduciaries. These rights include the right to access, portability, correction, and erasure of their data. You may need to appoint a Data Protection Officer (DPO) to handle requests from data principals in a time-bound manner.
  • Data Fiduciary Obligations: As data fiduciaries, businesses must safeguard the personal data of data principals and promptly notify them in case of a data breach. Section 8 lists the obligations of data fiduciaries. One must understand here that data fiduciaries determine the purpose and means of processing personal data. Data processors, by contrast, collect and process data on behalf of data fiduciaries.
  • Applicability: The DPDP Act applies to businesses that process personal data, irrespective of whether the processing itself takes place in India. If unsure about the Act’s applicability, consider speaking to your in-house legal team or an external legal consultant specialising in data protection and privacy.

Step 2: Conducting a Data Audit

People get scared the moment they hear the word “audit”. However, a thorough data audit is one of the most essential steps in determining and reducing the risks related to the processing of personal data. This process involves steps such as:

  • Data Inventory: A data inventory keeps track of the personal data your business collects, processes, and stores about your customers, employees, or other relevant individuals.
  • Data Flow Documentation: A data flow document maps how personal data moves within your organisation and to parties outside it.
  • Processing Activity Risks: This risk assessment identifies and evaluates the risks related to each data processing operation.

Step 3: Data Protection Measures

Compliance with the DPDP Act requires implementing a set of data protection measures to put the safeguards in place. Such safeguards directly reduce the chances of data breaches. Some of these measures are:

  • Minimise Data Collection: You should collect only the bare minimum personal data required for the purpose for which you are collecting it. Excessive or irrelevant personal data collection is against the principles of the DPDP Act.
  • Data Encryption: You should encrypt data not only in transit but also at rest. Encryption is the first barrier preventing anyone who gets hold of your data from being able to read it.
  • Role-based Access: If you already comply with one or more security standards, there is a good chance that you are already doing this. Role-based access limits access to personal data based on the roles and responsibilities of your employees. An employee who joined yesterday should not have access to the entire customer database.
  • Regular Audits: Audits are a way of checking whether what you are doing is right. You should conduct audits regularly to ensure that your practices remain compliant with data protection laws.

Step 4: Data Breach Response Plan

A data breach response plan helps in a crisis because your employees know their roles. Without a standard plan in place, a crisis can quickly descend into confusion. A data breach response plan must consist of the following:

  • Detection and Reporting: It should define mechanisms to identify data breaches promptly and report them to the relevant authority.
  • Containment and Mitigation: It should cover the mitigating steps taken to reduce the damage caused by the breach.
  • Notification Protocol: This protocol dictates how your business will notify the regulatory authority and the affected data principals about a data breach.

Step 5: Cross-Border Data Transfer

If you are transferring collected data to a different country, you need to refer to this step. While cross-border data transfers are crucial for international business operations, ensuring compliance with legal requirements is essential. In time, the government or the Data Protection Authority will designate certain countries where you can transfer data without additional compliance requirements. However, you must check for local storage requirements if your industry has a sector-specific regulator such as RBI or SEBI.

Step 6: Employee Training

Your data protection compliance program cannot succeed without training for employees. Once all the policies and procedures are in place, it is your employees who put them into practice. You should conduct regular training sessions on data protection principles and good practices. Moreover, you can monitor compliance with training requirements and data protection policies through regular audits and assessments.

Step 7: Periodic Reviews

Every data protection law requires businesses to conduct periodic reviews and modify their policies and procedures to meet changing business requirements. You should update data protection policies frequently to take account of new developments and the evolving technological landscape. Regular reviews ensure that your policies do not become outdated in the foreseeable future.

What’s Next?

While the government has not finalised the DPDP Rules, it may need to amend the DPDP Act occasionally to match the pace of technological developments. With emerging technologies like AI and ML, data processing is being transformed into a far more efficient activity. Moreover, individuals now call for more control over their data and transparency in data handling processes. It will become crucial to communicate clearly and employ user-friendly data management techniques.


With inputs from Raj Pagariya.