After August 11, 2023, DPDPA 2023 or Digital Personal Data Protection Act 2023 has become a law in India. Though the notification of rules is pending, DPDPA 2023 as of today is considered “Due Diligence” and part of “Reasonable Security Practice” under Sections 43A and Section 79 of ITA 2000.
The provisions of the Act are therefore considered effective as of now though the penalty clauses may not be fully relevant. However the Adjudicator under ITA 2000 has the powers to impose penalties if there is an adequate cause of action and may use the penalty table under DPDPA 2023 as a guidance.
To be fair however, no Adjudicator in India may be aware of this power nor are inclined to use them. So the companies who want to procrastinate can breath easily for some more time. Assuming that the Modi Government comes back to power after the elections, the notification of rules may be in the First 100 day agenda.
Hence companies need to start working on compliance today.
If however we try to identify the accountability at corporate level on who has to raise the red flag first, it appears that only the CISOs/CIOs or GDPR aware CCOs/designated privacy officers are the first to recognize the potential impact of the DPDPA and trying to draw the attention of their Board into sanctioning budgets for next level action.
Ideally it should have been the “Independent Directors” or the “Company Secretaries” who should have brought it to the notice of the Board the need to initiate compliance action.
Given the importance of DPDPA compliance and the need to cover the potential penalty risk, associations of these professionals need to draw the attention of these professionals to start understanding their specific responsibility in this regard.
Naavi
