Indian firms are yet to acquire the required skill sets to implement DPDP Act: EY Report

With the passing of the Digital Personal Data Protection (DPDP) Act 2023 by the government, nearly half of Indian organizations - both enterprises and startups - believe they lack the necessary skill sets to implement the DPDP Act 2023, according to a new report.

The DPDP law became an Act after it received the President's assent on August 12. Although the DPDP Act has been passed, it is not yet in force.

The report, titled "The India Data Protection Readiness Report," published on Sunday by consulting firm EY shows that 32% of organizations foresee technical implementation challenges, while 50% are yet to acquire relevant skills but are open to outsourcing data privacy tasks.

Survey findings also highlight that only 36% of organizations have Data Protection Officers (DPOs) based in India, impacting their ability to manage consent and comply with the provisions of the DPDP Act. Other challenges identified include inadequate awareness of regulatory guidelines, resource constraints in their compliance journey, and organizational resistance to change, which may create obstacles in implementing the necessary changes within the organization.

Lalit Kalra, Cybersecurity Consulting Partner at EY India, stressed the importance of establishing a robust technological infrastructure to guarantee data security and accountability. "Organizations must also cultivate a proficient workforce capable of comprehending the legal and ethical dimensions of data processing and adeptly managing data breaches," he said.

Notably, over three-fourths (76%) of the respondents expressed that an organization's commitment to data privacy and transparency would indeed influence their buying preferences. This indicates an increasing awareness among consumers regarding data privacy matters and a readiness to support companies that make privacy a priority. The report therefore recommends companies to focus on transparency, privacy, and clear communication as they endeavor to build trust with their customer base.

Consulting major PwC, after analyzing 100 websites, mentioned in its report titled "Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC Analysis," that a mere 9% of organizations obtained consent in a manner that was free, specific, and informed. While 48% gave an option to retract consent, the procedure to do so was not as straightforward as giving it. Furthermore, only 2 out of the 100 analyzed websites provided consent in multiple regional languages, it said.

Consulting firm Deloitte has also recommended a list of measures for companies in view of the new law, including conducting a "gap assessment to evaluate readiness." In a report published in August 2023, Deloitte has also advised companies to prepare and deploy mechanisms to respond to data principal rights requests, ensure valid contracts are maintained with data processors, and monitor changes or updates to data protection laws and regulations.