The digital personal data protection (DPDP) Bill was approved by Rajya Sabha on August 9, two days after it was passed in Lok Sabha. The Bill puts forth a regulatory framework for the use, processing, and storage of citizens’ digital data.
Union minister Ashwini Vaishnaw, while addressing the house, said that the Bill gives individuals more power, while greater obligations have been placed on companies utilising such data. He further added that citizens are being granted four rights — the right to access information, the right to correction of personal data and the right to erasure, the right to grievance redressal, and the right to choose a nominee in case of death.
What does the Bill entail
The Bill places obligations on data fiduciaries (entities that collect and process data) for responsible handling of digital personal data. Firms can only take data posted by the user themselves; explicit permission would be required to use the data posted by a third person. Firms would not be allowed to store and process data beyond the time limit for which users had originally consented.
The Bill seeks to impose a penalty of up to ₹250 crore per instance in case of data breach. This is lower than the ₹500 crore penalty proposed in the earlier draft in November last year.
The Bill also details provisions for cross-border data transfer. The government will be taking up a blacklisting approach. This means that data transfers to certain countries placed on the blacklist will be restricted, based on India’s geopolitical equation.
The Bill also states that the age threshold for users classified as children is not fixed at 18, considering modern-day internet usage. Companies would be required to process the personal data of children in a verifiably safe manner.
Industry body Nasscom’s president Debjani Ghosh said that the Bill is a giant step towards establishing India as a trusted innovation partner for the world. “We truly appreciate the consultative approach that engaged all relevant stakeholders at each phase in defining the digital data protection Bill and are really looking forward to India having its own Data Protection Bill.”
Need for more clarity on implementation: Experts
Murali Rao, cybersecurity consulting leader at Ernst and Young India, said that the next step towards the enforcement process would be establishing a data protection board, against the implementational complexities that could prove to be a challenge for organisations to comply with the requirements of the Bill.
As per Nader Henein, VP analyst at Gartner, the Bill will have the highest impact on organisations in the B2C space which do not have an already established data governance program. “They will need to start with a detailed data discovery project to understand what personal data they hold and how it is being used; this will allow them to build a risk-based privacy program and address consumer privacy requests at scale.”
Echoing similar thoughts, Shreya Suri, partner at IndusLaw, said that enterprises will be particularly impacted by the outcome of such legislation. She added that while certain factors have been prescribed, more clarification is needed in terms of requirements and the extent to which they would apply to different categories of data fiduciaries.
“For example, startups may get a few relaxations and a few other classes of data fiduciaries would be exempted from complying with certain specific provisions of the legislation,” Suri said, adding that in such cases the government may need to implement certain minimum standards that need to be ensured for security safeguards, especially since there is a penalty attached to non-compliance.
Manish Chowdhary, the head of research at stock broking firm Stoxbox, said that from a longer perspective, enterprises will get a level playing field as they adapt to compliance needs. That said, enterprises would need more clarity on various aspects like data processing outside the country, children’s data, and other risks.
The Bill now awaits the President’s assent, after which it will become law. In an August 9 interview with Mint, IT minister Rajeev Chandrasekhar said that the government will follow an orderly procedure to help the industry transition from the current framework to the new framework. He added that the industry will be given some transition period.