sdecoret -

India gets ready for new data protection regime

The Digital Personal Data Protection Act will shape the way businesses collect, secure and use personal data as India looks to protect data privacy while driving innovation and economic growth

India’s new Digital Personal Data Protection Act (DPDP) is expected to send ripples across the country’s IT industry and shape the way businesses collect, secure and use personal data.

Specifically, it will require organisations that process personal data to seek consent from individuals before they can use it. The law will also apply to the processing of personal data outside India – if such processing is related to the offering of goods or services to individuals in India.

There are also special provisions for India’s central government to restrict the transfer of personal data from India to another territory for processing. A Data Protection Board of India is also being established with special powers and functions.

The DPDP recently received the President’s assent and will be implemented on a date to be decided by the central government. It is expected to be implemented in phases, with different provisions coming into effect on different dates.

Industry watchers expect the DPDP to not only shape how apps store data, but also demand organisations such as banks to relook their know-your-customer data. Cloud providers may also have to tweak their workload models to comply with data localisation requirements.

Aparna Gaur, leader of intellectual property, technology, media and education at Nishith Desai Associates, an India-based law firm, said one of the first things businesses will need to do is check on the types of data they have already collected and if consent was given for the use of the data.

Gaur said this is because previously, the majority of data protection rules in India applied only to “sensitive personal data or information” and not personal data. “Therefore, consents may not have been obtained for processing of personal data,” he said. “If that’s the case, consent will need to be obtained in accordance with the new law. If consent was already obtained, then adequate notice regarding the purposes for processing and other information will need to be provided.”

Data transfers

As for limitations on data transfers to other jurisdictions, Gaur said “the intent of the government appears to be to prohibit transfers to countries that do not have a robust data protection regime, so the practical impact of this will only be on those businesses transferring data to such jurisdictions”.

There will be cascading effects on IT security, too. Vishwas Chitale, CEO and chief technology officer of Chitale Dairy, said his organisation will maintain a “latch all locks and add more locks” approach. “There is no full-proof way to deter threats in today’s age, but the more doors we can put for protection of data, the better it gets,” he added.

Manoj Gupta, associate vice-president of IT at Restaurant Brands Asia – formerly known as Burger King India – said the DPDP’s emphasis on data privacy might require the implementation of more robust data handling practices.

“This could involve stricter data encryption, enhanced access controls, and improved data monitoring and audit capabilities,” he added. “Businesses will likely need to revamp their data-handling practices to comply with the stringent requirements. This could involve changes in data collection, processing, storage, and sharing practices.”

Among other things, businesses will have to pull up their socks on the compliance front. Besides the consent provisions, Gaur said the law also prescribes various rights of data principals, such as the right of erasure and right of grievance redressal. Organisations will need to ensure they have tools to enable data principals to exercise these rights, he added.

Datacentre strategies could also be significantly affected. Gupta said organisations may need to establish or reconfigure datacentres to comply with localisation requirements, and that complying with the DPDP’s security and privacy standards may lead to significant changes in datacentre infrastructure and practices.

Read more about IT in India

While the industry is still grappling with the impact of the DPDP, some experts have applauded the move.

Puneet Gupta, vice-president and managing director of NetApp in India and the South Asian Association for Regional Cooperation region, noted that the DPDP is an important legislation that will provide much-needed clarity and certainty for businesses and individuals alike. “It will aid in protecting data and privacy, while also promoting innovation and economic growth,” he said.

Vaibhav Tare, chief information security officer and global head of cloud and infrastructure services at Fulcrum Digital, a technology consultancy, said the law “sets forth a comprehensive framework for the collection, use, and sharing of personal data in India and empowers individuals to take action against businesses that misuse it”.

As with any new data protection regime, it will take time for organisations to navigate the rules. For example, organisations that collect and handle employee data may find that the “specific legitimate use” clause could introduce both opportunities and complexities, said Gupta.

“While streamlining consent procedures could potentially ease administrative tasks and enhance efficiency, it remains crucial for entities to exercise caution,” he said. “They should navigate this terrain carefully, ensuring that their data collection procedures are in harmony with the principles of fairness, transparency and accountability outlined in the law.”

Directly or indirectly, the DPDP will push many enterprises to shore up their data protection practices. “The primary demographic impacted is our Gen-Z,” said Gupta. “From this standpoint, the advantages are evident. As an app owner, it becomes essential to maintain and adhere to the policy, which will undoubtedly serve as a preventive measure.”

Read more on Data protection regulations and compliance

Data Center
Data Management