DPDPA is here-1… Your Board Meeting has to take note

Now that DPDPA 2023 has been gazetted with Presidential Assent, professionals in the industry are wondering what they should do now.

Should they expect that the Government will now sleep on it, that the date of applicability will not be announced for the time being, and that they can relax and go back to what they were doing earlier?

With Mr Rajeev Chandrasekhar driving the Act, it may not be wise to think the Government will forget DPDPA and move on. Probably by this time the Government has shortlisted the members of the Data Protection Board (DPB) and will soon announce the names of the members and the Chairman so that they can take charge at the earliest. Whether the DPB is set up in Delhi, Bangalore or any other place, the selected members will need to move to that location and set up their preliminary office.

The DPB will then have to get a few members of their technical team to get ready and open a website and backend server to maintain whatever data they need to maintain.

Then the Government (MeitY) and the DPB will be working on the different notifications that would be required starting with the laundry list in Section 40.

Section 46 lists 26 different rules that need to be made as per the law. Several more sub-rules and clarificatory notifications will also be issued from time to time.

The rules include the “Manner of appointment of the Chairperson and the Members of the Board” [Sec 40(r)]. This notification has to be released before the constitution of the DPB is announced. Along with it, the details of salaries, allowances and conditions of service of the Chairperson and the members of the Board need to be announced [Sec 40(s)]. Then the terms and conditions of appointment and service of officers and employees of the Board [Sec 40(u)] and the manner of authentication of orders, directions and instruments [Sec 40(t)] need to be notified. The technolegal measures to be adopted by the Board [Sec 40(v)] and other matters related to the DPB [Sec 40(w)] also have to follow.

These should be the first set of rules to be released.

However, for the industry it is immaterial how the DPB is going to be constituted or who its members will be. Organizations need to presume that sooner or later the DPDPA will become effective and that non-compliance could lead to penalties.

Hence organizations need to start looking at what they should do now. The very first step that any responsible corporate entity should take is to take note of DPDPA having been passed and start analysing its business impact.

Hence corporate managements need to include in their next Board Meeting a resolution that the Board takes note of the passing of DPDPA and develops a “Business Impact Report”, to be submitted within a short time to the Board or to a sub-committee of the Board, probably the Audit Committee.

The Independent Directors need to take the lead in this respect.

Next: Who should the Board ask for the Business Impact Assessment?

Naavi

Posted in Cyber Law | Leave a comment

SonyLiv is living in the past…

India has just now passed DPDPA 2023. While there is an expectation in the air about organizations becoming more responsible in handling personal information, I came across a request for permission for installation of the SonyLiv app on an Android mobile. This was recommended by Samsung along with one of its updates.

I wonder how SonyLiv can justify the need for all this information and how Samsung can recommend such an app, and that too after DPDPA 2023 has become a law in India.

The Data Protection Board to be set up has one case to follow up. Maybe many more such instances will be reported by Naavi.org in the times to come.

Naavi


We are on the Moon

We, the data protection professionals, were already feeling that we were on the moon when DPDPA was passed into an Act.

Now we are elated that India has joined the select band of countries which have soft-landed on the Moon, and is the first on the Moon’s South Pole.

Our hearty congratulations to the entire team.

Naavi


Round Table on DPDPA and Fintech industry

FDPPI and Manipal Law School (MLS) conducted a Round Table Discussion at the MLS Campus in Yelahanka, Bangalore on DPDPA and its impact on the Fintech industry, yesterday.

Several industry professionals attended the discussions. It was a lively discussion to unravel the intricacies of the proposed Act and its challenges to the Fintech industry. MLS/FDPPI will be collating the views from the industry professionals and documenting the industry response.

Some photographs of the event are given below.


DPO training in India… The Dilemma of the Dynamic nature of law

India is in the midst of a major overhaul of its Privacy and Data Protection legislation. After 5 years of uncertainty, the DPDPA has finally been enacted.

However, we all know that due to the unreasonable and often politically motivated opposition, the law had to be repeatedly re-drafted. Now we have a law that is simple and difficult to challenge.

Current challenges are limited to questions such as: Why is Privacy given priority over RTI? Why is the DPB not constituted by the Leader of Opposition? Why is non-digital information not included? Why is the CJI not the head of the DPB? Why does the Government have the power to make rules and not me? These are great questions to ask, but most of the objections are without substance and do not answer the question: how long do we need to delay the passing of the law until a consensus is arrived at, which the nay-sayers are determined not to allow?

Hence the Government has passed the law in its present form and will issue notifications to provide more clarity. The GDPR fans will realize that despite a 99-article law in a society with a long history of Privacy legislation, EDPB guidelines and the earlier WP guidelines continue to come out as subordinate legislation. Hence our law, with its simpler construction, will also need to be supplemented with subordinate legislation.

Recognizing this, FDPPI has designed all its Certification Courses with a guarantee of providing one major update after 3 months on whatever notifications come through and bring the certified professionals into a close group to continue their education through self learning with weekly knowledge sessions.

Thus FDPPI programs are future proof.

It may sound crazy that when FDPPI recently launched its new DPDPA-based CDPP trainings, it offered its earlier certified members a complete remission of their earlier fee provided they joined the new training. Though the new trainings were at a higher price, the discounts were huge enough to be called commercially unwise and unnecessary.

As an NGO committed to the Data Protection Industry, FDPPI/Naavi wants every person who undergoes FDPPI certifications to feel that he/she has received value for money several times over. Fortunately this has not been difficult since the others have voluntarily placed themselves at a range where comparison is meaningless.

Quality or Price, FDPPI Certifications are the Gold Standard for the industry and will continue to be so. This will be the Mission of FDPPI and Naavi.

Naavi
