Article

Empowering India’s digital landscape: The Digital Personal Data Protection Act, 2023

By: Akshay Garkel, Achintya Seshadrinathan

Background

The long-awaited privacy law has been officially enacted and is known as the Digital Personal Data Protection Act, 2023 (the "Act"). Taking a forward-looking approach, the Act establishes a comprehensive legal framework for managing digital personal data in India. The rights of citizens, also referred to as data principals, are prioritised within the operating framework through explicit consent mechanisms and rights to access, erasure, rectification, and withdrawal of consent for shared data.

The law simplifies the privacy landscape for organisations. Key stakeholders are clearly defined, and the law mandates that organisations processing personal data, known as data fiduciaries, establish safeguards for the digital data they obtain from individuals. The Act aligns well with other global privacy laws and is primarily principle-based in nature.

Compliance obligations

Organisations, whether big or small, that handle citizens' digital personal information may face a lengthy compliance journey. This journey involves interpreting intricate compliance requirements, revamping data cataloguing and inventory processes, ensuring transparent and easily understandable consent mechanisms for individuals, reviewing third-party contracts, raising awareness, and assigning responsibilities to employees. The task is challenging, yet essential for organisations. However, the present moment also gives them an opportunity to turn the nationwide shift driven by the digital ecosystem to their business advantage.

Opportunities for businesses

The government's transformation initiatives are reflected in the increased number of smartphone users, the revolution in digital payments and e-commerce, and the launch of 5G technology. Coupled with rising disposable incomes, the country is poised for a multi-decadal growth story. The enactment of this Act offers an opportunity for the nation to assess its cybersecurity, data protection practices, and citizen privacy amidst the data explosion era. Organisations must reassess their privacy strategies to unlock emerging business avenues.

Prioritising robust data protection measures signifies a commitment to safeguarding personal information and fosters higher stakeholder trust. This, in turn, can cultivate stronger customer relationships, enhanced loyalty, and appeal to privacy-conscious clientele. By delivering privacy-focused services and incorporating streamlined data management processes such as discovery, classification, and leakage prevention, organisations can enhance their market reputation.

Maintaining precise records for data collection and processing not only mitigates data breach risks but also streamlines internal controls, contributing to informed decision-making. Simplifying the customer experience through user-friendly tools, interactive interfaces, and transparent data collection mechanisms is pivotal. The appeal to global investors becomes evident, as they are drawn to ethically driven, privacy-compliant organisations that embrace sustainability and forward-thinking strategies in their investments.

Furthermore, privacy regulations can drive innovation in the cybersecurity sector, spurring the development of enhanced data security technologies and services. Capitalising on the burgeoning cyber market can yield security solutions, data encryption tools, and privacy-centric offerings, providing elevated customer protection while adhering to privacy laws.

Shift in data handling process

Compliance with privacy laws will vary across sectors, reflecting operational complexities within each segment. Data collection practices may undergo sector-specific changes. For instance, the financial sector could implement consent mechanisms for sensitive and personal data, while sectors like tourism and hospitality might adopt stringent measures for handling travel itineraries, hotel guest preferences, and payment information. In the healthcare/life sciences industry, robust privacy processes will be necessary for dealing with patient health records and clinical trial data. Similarly, the e-commerce and consumer retail sectors will need to implement controls to secure customer information and prevent its misuse in advertising campaigns.

What lies ahead

The transition to the new data rules is expected to be phased, with large technology companies being the first to which the law is made applicable. Industry representatives are being invited to discuss operational challenges with the law. Detailed procedures on various aspects are still awaited through delegated legislation (Section 40), in the form of prescribed rules that will outline the modalities and timelines. The setup of the new Data Protection Board is also expected to take time, with rules to be issued on the powers of the Board.

By empowering citizens to control their personal information and holding organisations accountable for responsible data handling, the privacy law is expected to play a pivotal role in shaping India’s digital landscape and economy.