For more updates follow Grant Thornton Bharat on WhatsApp
With an increasing collection and processing of personal data, lack of a comprehensive data protection law, and growing incidents of data breaches and privacy violations, there was a need to introduce a law that addresses these concerns. The Digital Personal Data Protection Act, 2023, (DPDP ACT, 2023) is a landmark legislation introduced by the government that provides a comprehensive framework for personal data protection.
As data is the centre of the consumer industry, the new Act will have a significant impact. It imposes several regulations on e-commerce/D2C businesses, which will push companies to revamp their strategic approach towards digital safety. Apart from these, other players in the ecosystem, such as retailers, call centre operators, third-party logistics, marketing agencies, sales/distribution outsourcing companies, and payment enablers, will also come under the purview of the new Act.
The DPDP Act gives users certain rights, such as the right to access, right to correct or delete, and the right to object to processing of their personal data. Businesses must familiarise themselves with these rights and begin complying with them.
It is expected to increase the transparency between users, brands or platforms, make businesses accountable, improve security and privacy of user data, and potentially build trust and confidence within the industry. This is because the Act requires businesses to obtain explicit user consent before collecting, processing, or using their personal data. It also requires them to limit the collection and use of personal data to what is necessary for the purpose for which it was collected and to take appropriate security measures to protect personal data from being breached by unauthorised access, use, or disclosure.
As with any opportunity comes certain challenges, consumer-oriented businesses will need to implement new protocols to comply with the Act, invest in new technologies to improve data security, and educate users and staff about data privacy rights.
Overall, the DPDPA is a positive development for the industry in India. However, it is pertinent for players to be aware of some of the challenges that the Act will pose and to take certain steps to address and mitigate these challenges.
Here are some specific ways in which the DPDPA will impact consumer businesses:
Consent: Businesses will need to obtain ‘express consent’ from users before collecting, processing, or using their personal data. This consent must be freely given, specific, informed, and unambiguous. Companies will need to maintain clear communication for the same.
Purpose limitation: They can only collect and use personal data for the specific purpose for which it was collected. Companies must have full clarity on the details they seek from the customers and the purpose of collecting the same.
Data minimisation: Businesses should only collect the bare minimum amount of personal data necessary for the purpose for which it is being collected.
Data security: They must take appropriate security measures to protect personal data from unauthorised access, use, or disclosure. This means that there is need to implement data masking and encryption technologies to mitigate the risk associated with data thefts.
Breach notification: Businesses must notify users of any data breaches that have occurred. Robust mechanisms must be put in place to identify the data breaches. Currently, the time frame for communication has not been defined and the same will be notified in the rules of the act.
A data fiduciary is responsible for determining the methods and purposes of collecting personal data. In e-commerce, the brand owner, platform provider, or seller on record is usually one of the data controllers since they gather personal data during registration and use it for various purposes like marketing, analytics, and delivery. However, they become data processors if they only provide goods and services without accessing personal data.
In both platform and retailer scenarios, their roles as data fiduciaries may vary depending on their involvement in data collection and processing. The key principle is that any entity determining how personal data is collected and processed acts as a data fiduciary.
E-commerce companies are likely to be significant data fiduciaries under the Act. This is because they collect and process large amounts of personal data about their users, including names, addresses, contact information, payment details, and browsing history. This data can be used for various purposes, such as providing personalised shopping experiences, targeted advertising, and fraud prevention.
As significant data fiduciaries, e-commerce companies will be subject to additional obligations under the DPDPA, such as:
Strong consequence management measures, such as non-disclosure agreements, are necessary to deter the misuse of personal data. The focus should be on minimising data collection and sharing only data needed for processing. Data should be encrypted or masked before being shared for enhanced protection.
Overall, the DPDPA is still in its early stages of implementation, so it is not yet clear how it will be enforced. This can be a real challenge for start-ups who are currently more focused on setting up businesses and may not have a robust IT framework in place.
In addition to the legal obligations under the DPDPA, e-commerce / D2C companies have a moral obligation to protect their users’ data. Consumers are becoming increasingly aware of the importance of data privacy and are more likely to do business with companies they trust to handle their data responsibly.
By complying with the DPDPA and taking other steps to protect their users’ data, these businesses can build trust with their customers and position themselves for long-term success.
This article first appeared in News18 on 18 October 2023.