The enactment of the Digital Personal Data Protection (DPDP) Act, 2023 by the Government of India in August 2023 is seen as a step towards the global trend of interoperability of businesses across domains and their collaboration with global partners, while keeping the primary intent of the Government of India: to ensure the right to privacy for its citizens.
The law is still awaiting its regulations as on date, but the stringent compliance requirements and the penalties for non-adherence/non-compliance that it will bring into the Indian ecosystem make privacy a matter meriting due priority. The field of privacy cannot be viewed in silos; it applies across varied industries such as healthcare, construction, manufacturing, finance, technology, cyber, services, and many more. Across the whole spectrum of the interactive world, privacy carries the responsibility of treating data/details as sensitive, and merits dealing with that data as per the law of the land wherever they go to work.
The writers of the Constitution of India enshrined privacy in its various Articles; yet privacy, especially in the current digital era, needed to be solidified even further through exclusive enactment. India is now in the process of overhauling its data privacy regime. The DPDP Act mandates the designation of exclusive departments and appointments across sectors. The designation of a Privacy Officer or Data Privacy Officer within each organisation is stipulated under the law. The demand for Registered Indian Data Protection Professionals across all industries, and the separation of that role from traditional Information Security, is also being contemplated by corporate and government offices.
The legal and operational management challenges facing a Registered Indian Data Protection Professional can thus be met through customized training and certification of the available human resources. Initiatives by the government and allied organisations to upskill human resources are underway through organisations like the Data Security Council of India (DSCI), as any journey as an Indian Privacy & Data Protection Professional starts with solid basic training. These resources need to imbibe aspects of Audit, Compliance & Sustenance so as to take on the job of Privacy Professionals as mandated by law.
A few salient highlights on a career in Privacy in India:
- Once the Regulations are in place, the demand for professionals will be high while supply is currently low, which can be a game changer in your career.
- All businesses and government will need to comply, hence there would be no exclusion.
- There would be designations like: privacy counsel, data protection officer, chief privacy officer, privacy auditors, privacy manager, approvers, consultants, etc.
- The scope for a client/customer/citizen to litigate a breach of privacy will be high, hence safeguards within businesses will carry high stakes.
- International opportunities that are not currently available to you may arise; they might be a game changer in your career and allow you to work anywhere in the world.
- Interoperability and compliance requirements across geographical boundaries will be greater than they are now, hence the demand for professionals in compatible compliances will be high.
- Global tech giants like Apple, Microsoft, Amazon, Alphabet, Ikea, and many more, who took Privacy for granted among Indians, will now have to employ and ensure safeguards for Indian citizens across all ambits of Privacy. Hence, the role of specialised data privacy professionals will be significant.
- The adoption of the Internet of Things (IoT), Artificial Intelligence and other cutting-edge technologies of the future will inherently demand stringent compliance with Privacy requirements, and hence Privacy Professionals will have to be engaged to ensure Business Continuity among all corporate and industry houses.
Why do businesses in India have to ensure compliances under the DPDP Act?
Organisations must address several key compliance requirements under the DPDP Act:
- Accountability: The newly set up Data Protection Board of India (DPB) will take over the aspect of accountability on behalf of the Act.
- Reporting: Reporting of compliance on the security front to CERT-In, and also to the DPB for violations/breaches.
- Designate: Designations such as Privacy Manager, Consent Manager, DPO and Nodal Officer for Privacy, along with factoring the concern of Privacy at the Board level, etc., need to be undertaken.
- Representation: The organisation needs to be identified as Data Fiduciary, Significant Data Fiduciary, Data Principal and Data Processor.
- Transparency: Clearly communicate data collection, usage, and sharing practices to individuals.
- Consent: Obtain informed consent from individuals before collecting or using their personal data, unless there is another lawful basis for processing.
- Data Minimization: Collect only the data necessary for the specified purpose.
- Data Security: Implement appropriate security measures to protect personal data from unauthorized access, use, disclosure, modification, or destruction.
- Penalties: The schedule to the Bill specifies penalties for various offences, such as up to (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
- Data Breach Notification: Notify the Data Protection Authority (DPA) and affected individuals of any data breaches without undue delay.
- Individual Rights: Respect individuals’ rights to access, rectify, erase, restrict, port, and object to the processing of their personal data.
- Data Governance: Establish a robust data governance framework to oversee data privacy practices.
What is the role of data privacy professionals in DPDP Act compliance?
Data privacy professionals play a pivotal role in ensuring DPDP Act compliance within organisations. Their expertise in data privacy principles, regulations, and best practices is invaluable in guiding organisations towards effective data governance and risk management.
All the Privacy Professionals mentioned above have to perform the following duties:
- Developing and Implementing Data Privacy Policies and Procedures: Create and implement comprehensive data privacy policies and procedures aligned with the DPDP Act's requirements.
- Reporting: Reporting to CERT-In, the DPA, and Government (both Federal and Central).
- Certification: Based on need, as required for self-sustenance and cross-organisational collaboration.
- Conducting Data Privacy Trainings and Awareness Programs: Educate employees on data privacy principles, compliance requirements, and their roles in protecting personal data.
- Privacy Audit: Conduct and coordinate audit activities.
- Advising on Data Privacy Impact Assessments: Assist in conducting data privacy impact assessments for new or significantly changed data processing activities.
- Managing Data Privacy Incidents: Oversee the investigation and remediation of data privacy incidents, ensuring compliance with reporting obligations.
- Maintaining Liaison with Regulatory Authorities: Liaise with the DPA to address regulatory inquiries and ensure ongoing compliance.