Data protection law needs clarity on risk threshold for breaches: Group

BSA, which represents the global software industry, wants companies to get at least 72 hours to report data breaches

Venkatesh Krishnamoorthy, country manager for India, BSA
Ashutosh Mishra, New Delhi
Last Updated: Apr 19 2024 | 10:02 PM IST
BSA, which represents the global software industry, wants the rules under India’s data protection law to give companies 72 hours to report breaches and to provide better clarity on the “risk threshold”.

The Digital Personal Data Protection Act (DPDPA) became law in August and its rules are expected to be put up for public consultation after the Lok Sabha elections. The Act asks companies to report breaches to a Data Protection Board.

“Cyber incidents are different from personal data breach incidents. There should be classification of risk thresholds based on factors such as the type of system affected – whether it's linked to critical infrastructure like government identity databases – and the severity of the breach,” said Venkatesh Krishnamoorthy, country manager for India at BSA.

“For instance, a breach in a system tied to sensitive data like government identity numbers would warrant immediate reporting due to its higher risk compared to breaches in systems handling less critical data such as book and shopping preferences,” he said.

BSA, whose members include Adobe, Cisco, Microsoft and IBM, works in more than 30 countries and engages with governments on policy related to privacy, artificial intelligence, cybersecurity and other issues.

In India, it seeks standardised reporting to regulatory bodies in case of cybersecurity incidents. “There are multiple regulatory bodies to whom the businesses have to report to, and if some sort of alignment or standardisation happens in those reporting formats that would be helpful,” said Krishnamoorthy.

BSA wants flexible data processing criteria and expanded grounds for personal data processing. “These are essential to ensure clarity and adequacy in addressing various purposes for data processing.”

Krishnamoorthy said DPDPA’s definition of data processing is broad and it is not clear whether some grounds that companies use for the work will be permitted. “Now we have to see how the rules are framed around it.”

As India’s first dedicated legislation on digital privacy, DPDP provides broad principles for collecting and processing personal information in digital form. It prescribes penalties of up to Rs 250 crore for each instance of a data breach and blocking entities for repeated violations.

DPDP defines 26 matters on which the government can make rules to enforce the provisions of the Act. 


Key expectations

> Better clarity on risk threshold of different types of data breaches

> A window of 72 hours for reporting breaches

> Flexible data processing criteria, expanded grounds for personal data processing

> Standardisation in reporting formats across multiple regulatory bodies


First Published: Apr 17 2024 | 6:26 PM IST
