The DPDP Act and Its Implementation Challenges

The Data Protection and Privacy (DPDP) Act, 2023, is a remarkable step in safeguarding individual privacy rights and promoting responsible data management practices. The DPDP Act was enacted to regulate the collection, storage, use and processing of personal data. The Act acknowledges the importance of personal data protection and aims to maintain a balance between individual rights and an organisation's legitimate data-processing needs.

The primary purpose of the Act is to regulate the processing of digital personal data and respect individuals’ right to protect their data while recognising the necessity of processing and using such data for lawful purposes. It applies to any entity (Indian or foreign) processing the personal data of individuals within India.

Challenges in DPDP Act

The implementation of the Data Protection and Privacy (DPDP) Act presents several challenges for organisations, especially for Governance, Risk, and Compliance (GRC) firms. Some are mentioned below:

1. Cross-Border Data Transfers: The DPDP Act uses certain standards to govern cross-border data transfers, providing that any transfer of such data to any country or region requires clearance from the government. This creates challenges for multinational firms that depend on global data movement. The DSCI paper defines cross-border data transfer under DPDPA by reading Section 16(1) in conjunction with Section 2(x), as follows:

  • Processing of personal data of individuals in India from any other country. This processing can occur through automated or manual means and includes activities such as sharing, disclosing, or disseminating personal data, whether stored in cloud or non-cloud environments globally.

The DPDPA's provisions on cross-border data transfers apply to all data fiduciaries, including startups, Micro, Small, and Medium Enterprises (MSMEs), and Significant Data Fiduciaries (SDFs).

The DPDPA does not override existing sector-specific laws for cross-border data transfer that provide greater protection; its requirements serve as a baseline. Regulations from entities like the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), which require financial data to be stored in India, remain in effect alongside the DPDPA.

2. Lack of Enough Data Infrastructure: Data infrastructure in India is largely underdeveloped, particularly for sectors that require massive amounts of data processing. This will create significant challenges for smaller firms or those transitioning from older systems to meet the technological standards set by the DPDP Act.

GRC companies will need to invest heavily in purchasing infrastructure and maintaining it to comply with the protective measures for handling data outlined in the Act.

3. Expensive Compliance: The DPDP Act will gradually raise operational costs for businesses, particularly smaller GRC firms with limited budgets. Investments in advanced data security measures, regular audits, and breach detection tools will be essential.

4. Explicit Consent: The Act mandates obtaining clear and informed consent from data subjects, who also have the right to withdraw their consent. This creates a dilemma for GRC companies, which are required to have systems in place to effectively manage consent workflows. Therefore, the implementation of rights, including the right to be forgotten, will necessitate innovation within data governance mechanisms.

5. Accountability and Penalties: The DPDP Act introduces strict penalties for non-compliance, ranging from hefty fines to restrictions on business operations. GRC firms are under pressure to ensure their clients meet the Act's stringent requirements. Businesses should adopt risk management strategies and implement robust compliance monitoring to avoid any violations.

6. Integration with Global Standards: Aligning the DPDP Act with international standards, such as GDPR and CCPA, presents a challenge for firms operating across multiple jurisdictions. Differences in data processing and security standards must be managed with caution to mitigate the risk of non-compliance, which could ultimately undermine data governance frameworks.

Conclusion

The Act establishes a broad and basic framework for a comprehensive data protection system in India. The Act’s provision granting significant discretionary powers to the Central Government in the realm of data protection has raised apprehensions. This power includes determining the scope and applicability of data protection provisions. The focus of the DPDP Act seems to be more aligned with the mechanics of how data is processed, rather than ensuring the privacy of individuals. Businesses should proactively engage with regulatory authorities to ensure compliance with cross-border data transfer rules. Establishing regional data centres or utilising compliant cloud solutions will eventually diminish the challenges.

However, the Act does incorporate important principles like consent for data processing and obligations for data fiduciaries. Organisations, particularly SMEs, should prioritise upgrading their data infrastructure to meet the technological and consent requirements of the DPDP Act. Partnerships with technology providers can help ease the transition to compliant systems.
