
Last Updated: 2024-02-27 ~ DPDP Consultants

Data Breaches and The DPDP Act 2023

Understanding data breaches under the DPDP Act 2023 and complying with its breach notification and penalty provisions to protect personal data and avoid heavy fines.

Imagine this. A major retail chain experiences a data breach. The compromised data includes customers’ names, addresses, and purchase histories. Soon, you find yourself battling a rush of spam calls, while others are falling victim to phishing scams and even identity theft.

As you can see, data breaches are no joke. They can happen to anyone, at any time, especially since we live in a digital era in which our lives are extensively connected through online platforms and technology.

The DPDP Act 2023, however, addresses the issue of data breaches directly in order to provide much-needed data security. So, let’s understand more.

What Does The DPDP Act 2023 Say About Data Breaches?

According to the DPDP Act Section 1 and Chapter I, any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of that personal data is categorized as a data breach.


What Happens When There Is A Data Breach In DPDP Act 2023?

The previous versions of the Data Protection Bill, in 2018 and 2019, stated that data breaches should be reported when they were likely to cause harm to the individual. This placed the responsibility on data collectors to assess whether a breach had the potential to cause harm, which led to subjectivity and ambiguity.

To address these concerns, the 2021 version of the bill introduced a significant change. Instead of relying on data collectors to decide on reporting, the responsibility shifted to the Board: data collectors were now required to inform the Board about all data breaches.

However, a new issue emerged: the Board became the central authority that decided whether affected individuals needed to be informed.

Now, as per the DPDP Act 2023, a Data Fiduciary is entrusted with the handling and management of personal data. This can be an organization, business, or any entity that collects and processes personal information. The primary duty of a Data Fiduciary is to safeguard this personal data.

To fulfill this obligation, the Data Fiduciary must implement reasonable security safeguards to prevent a Personal Data Breach. However, if there is a data breach, the Data Fiduciary is legally obligated to promptly notify the Data Protection Board of India, established by the Central Government under section 18. This notification is a crucial step in ensuring transparency and accountability, and it allows regulatory bodies to evaluate the severity of the breach and potentially take necessary actions.

Strict penalties are also imposed on data collectors who have not taken the necessary measures to safeguard the data. Penalties for a Data Principal’s breach of their duties can go up to INR 10,000. Also, noncompliance by Data Fiduciaries, failure to notify Personal Data Breaches, disregard for specified provisions, and a breach of the additional obligations related to children’s data can lead to heavy fines of up to INR 250 crore.

Challenges In Addressing Data Breaches

1. No Proper Timeline

The main concern with the DPDP Act 2023 regarding data breaches is the lack of a specific timeframe. In the 2021 version of the bill, there was a clear and defined timeline of 72 hours within which data collectors were required to report any breaches to the regulatory board. This timeframe was intended to ensure a quick response to data breaches to maintain transparency and timely actions to address security incidents.

However, in the current version of the bill, this specific timeline appears to be omitted. The absence of a clear reporting deadline raises concerns among critics as timely reporting is crucial in the aftermath of a data breach to curb the potential damages, protect affected individuals, and allow regulatory bodies to take prompt action.

2. No Customization of Penalties

There is also a concern with the bill’s approach to imposing penalties for failure to implement adequate safeguards against data breaches and for not reporting such breaches.

However, what the bill misses is that the same strict rules and penalties cannot be applied to both larger and smaller internet companies. The bill must also consider the nature of a company’s operations and the potential harm caused by a data breach, and only then decide on proper penalties.

Wrapping Up

The recently released data protection bill is a positive stride in addressing data breach concerns and strengthening individual privacy. It categorizes any unauthorized processing or accidental disclosure of personal data as a breach and introduces a Data Protection Board for oversight and enforcement.

The bill stresses prompt reporting by companies in case of a breach. However, concerns arise over the absence of a specific reporting timeline and undefined security safeguards. While the bill is a commendable step, it needs thorough examination and thoughtful planning in terms of how to put it into action.

If you are looking to understand the DPDP Act 2023 better and adhere to all of its clauses, we, at DPDPA Consultants, are here for you:

  • The DPDPA Readiness Review assists in comprehending the DPDPA’s impact on all operational aspects.
  • Ensuring compliance, our Data Protection Officer (DPO) services enable organizations to engage our experts for audits and oversee DPDP implementation.
  • For existing agreements, our Contract Review service ensures compliance with DPDP specifications, prompting revisions as needed.
  • Our dedicated team offers comprehensive DPDPA Compliance Assistance, establishing internal audit frameworks for regulatory alignment.
  • The DPDPA Training program emphasizes the practical implications of policies, providing effective compliance education for all employees.
  • Our Data Protection Impact Assessment (DPIA) process aids in identifying and mitigating privacy risks linked to projects and policies.
