DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company
DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.
Explore the robust measures within the Digital Personal Data Protection Bill in India, ensuring prompt response and accountability in the face of data breaches.
Imagine this. A major retail chain experiences a data breach. The compromised data includes customers’ names, addresses, and purchase histories. Soon, you find yourself battling a rush of spam calls, while others fall victim to phishing scams and even stolen identities.
As you can see, data breaches are no joke. They can happen to anyone at any time, especially since we live in a digital era where our lives are extensively connected through online platforms and technology.
The DPDP Act 2023 addresses the issue of data breaches to provide much-needed data security. So, let’s understand more.
According to the DPDP Act Section 1 and Chapter I, any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data is categorized as a data breach.
The previous versions of the Data Protection Bill, from 2018 and 2019, stated that data breaches should be reported when they were likely to cause harm to the individual. This placed the responsibility on data collectors to assess whether a breach had the potential to cause harm, and led to subjectivity and ambiguity.
To address these concerns, the 2021 version of the bill introduced a significant change. Instead of relying on data collectors to decide on reporting, the responsibility shifted to the Board. Now, data collectors were required to inform the Board about all data breaches.
However, a new issue emerged: the Board became the central authority to decide whether affected individuals needed to be informed.
Now, as per the DPDP Act 2023, the Data Fiduciary is entrusted with the handling and management of personal data. This can be an organization, business, or any entity that collects and processes personal information. The primary duty of a Data Fiduciary is to safeguard this personal data.
To fulfill this obligation, the Data Fiduciary must implement reasonable security safeguards to prevent a Personal Data Breach. However, if there is a data breach, the Data Fiduciary is legally obligated to promptly notify the Data Protection Board of India, established by the Central Government under section 18. This notification is a crucial step in ensuring transparency and accountability, and it allows regulatory bodies to evaluate the severity of the breach and potentially take necessary actions.
Strict penalties are also imposed on data collectors who haven’t taken the necessary measures to safeguard the data. Penalties for breach in observance of the duty of the Data Principal can go up to INR 10,000. Also, noncompliance issues by Data Fiduciaries, failure to notify Personal Data Breaches, disregard for specified provisions, and a breach in fulfilling additional obligations related to children’s data can lead to heavy fines of up to 250 cr.
Challenges In Addressing Data Breaches
The main concern with the DPDP Act 2023 regarding data breaches is the lack of a specific timeframe. In the 2021 version of the bill, there was a clear and defined timeline of 72 hours within which data collectors were required to report any breaches to the regulatory board. This timeframe was intended to ensure a quick response to data breaches to maintain transparency and timely actions to address security incidents.
However, in the current version of the bill, this specific timeline appears to be omitted. The absence of a clear reporting deadline raises concerns among critics as timely reporting is crucial in the aftermath of a data breach to curb the potential damages, protect affected individuals, and allow regulatory bodies to take prompt action.
There is also a concern with the bill’s approach to imposing penalties for failure to implement adequate safeguards against data breaches and for not reporting such breaches.
However, what the bill misses is that the same strict rules and penalties cannot be applied to both larger and smaller internet companies. The bill must also consider the nature of each company's operations and the potential harm caused by a data breach, and only then decide on proper penalties.
The recently released data protection bill is a positive stride in addressing data breach concerns and strengthening individual privacy. It categorizes any unauthorized processing or accidental disclosure of personal data as a breach and introduces a Data Protection Board for oversight and enforcement.
The bill stresses prompt reporting by companies in case of a breach. However, concerns arise over the absence of a specific reporting timeline and undefined security safeguards. While the bill is a commendable step, it needs thorough examination and thoughtful planning in terms of how to put it into action.
If you are looking to understand the DPDP Act 2023 better and adhere to all the clauses, we, at DPDPA Consultants are here for you:
If you are looking for the right guidance to navigate through the complexities of the new DPDP Act 2023, we are here for you. Get In Touch With Us Today