The implementation of the Digital Personal Data Protection Act’s administrative rules, when completed, will change India’s security and privacy landscape in the same way that the General Data Protection Regulation did for the European Union, the Data Security Council of India’s Chief Executive Officer Vinayak Godse said.
Broad regulations such as the DPDP Act, which applies to nearly every digital and social media intermediary that collects or handles users’ digital data in any manner, impose both procedural and prohibitory obligations on all such companies, Godse told Business Standard.
Earlier this year, in November, the government notified the administrative rules under the DPDP Act, marking the start of India’s first digital personal data privacy regime. Under the rules, the government allowed companies 12 months to put the consent management framework in place, and an outer time frame of 18 months for all other rules.
How will the DPDP Act affect the data privacy ecosystem?
During the 18-month timeline that the government has provided for companies to put in place the infrastructure for compliance with the DPDP Act’s administrative rules, there is bound to be significant focus on firms that help manage procedural obligations for both data principals as well as companies that deal in data, Godse said.
What kinds of companies are expected to benefit from the new regime?
A second group will be companies that deal in technologies that improve data privacy governance and the rights of data principals, or users, he said.
A third group of companies that will emerge with the advent of the DPDP Act regime is privacy-enhancing technology firms that will have the know-how on what sort of data to allow for which purposes, Godse said.
What obligations will companies have under the administrative rules?
Under the administrative rules, social media and internet intermediaries, as well as any other companies that deal in user data, must provide data principals, or users, with an itemised description of their personal data to obtain their consent and specify the purpose for which their data will be used.
Companies must also allow users to easily withdraw their consent for the processing of personal data or file a complaint with the Data Protection Board if they believe the platform has violated their rights.
How will the DPDP Act change data security practices?
All data fiduciaries will have to focus on securing user data better and think about data protection at a fundamental level, so that even if data is breached, the “blast radius”, or impact on users due to the leak, is reduced, Godse said.
“Because a lot of companies and their data systems these days are high-velocity and highly interdependent, one small compromise leads to a larger, catastrophic impact,” he said, adding that such events can only be reduced if foundational elements such as data discovery, classification and leak-prevention solutions, among others, are in place.
What additional safeguards will companies need to implement?
Companies that deal in user data must also put in place more stringent measures, such as defining the purpose for every connection to the place where user data is stored, so that all traffic in and out is constantly monitored and no unauthorised access is permitted even by mistake, Godse said.