Should we start DPDPA Compliance today?

The five most frequent queries we receive from companies in the market today are:

1. Is DPDPA 2023 effective today, or should we wait for the notification?

2. Should I start my compliance program today or wait till the rules are notified?

3. How long will the implementation typically take?

4. If we want to start a DPDPA compliance program, what is the right framework to adopt?

5. Who has to lead the implementation in the company?

Let me add my views on each of these queries.

1. Is DPDPA 2023 effective today, or should we wait for the notification?

DPDPA (the Digital Personal Data Protection Act, 2023) was passed by Parliament and received the assent of the President on August 11, 2023, on which date it was published in the Gazette as an Act.

However, Section 1(2) of DPDPA 2023 states that the Act "shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision." In other words, the Act exists, but each provision becomes enforceable only from the date the Government notifies for it.

One school of thought is that since the notification has not yet been issued, the Act is not yet in force.

Strictly from the legal perspective, this view cannot be brushed aside.

However, a prudent corporate entity does not wait for a penalty notice to be delivered, or for an arrest warrant to be issued, before taking steps to be compliant.

Compliance with DPDPA 2023 is a "risk management measure" for every company, and it is for the Board, the Independent Directors, the CEO, the CRO and the CFO in particular to recognize the possible impact of non-compliance.

We can procrastinate and say "Let the rules be notified", "Let the DPB be appointed", "Let a breach happen", "Let me receive a notice", and then say "I can challenge the notice in a Court and escape."

But is this a wise strategy for a corporate entity? One needs to ponder.

It must be remembered that DPDPA 2023 is not a completely new legislation, as many may think. It is a continuation of ITA 2000/8 (the Information Technology Act 2000 as amended in 2008), since one of its sections, Section 43A, is being replaced by the new Act. Section 43A expects companies handling sensitive personal data to follow "reasonable security practices", and "reasonable" includes "due diligence", which means acting in a manner considered best industry practice from the perspective of both the law that is effective today and the law that is awaiting notification of the date from which its penalties become effective.

Even otherwise, ITA 2000 has Section 43 along with Section 66, Section 72A and Sections 66C and 66D, read with Section 85, all of which may impose both civil and criminal liability on the persons in charge of the business of a company: the Directors, the Company Secretary and others.

ITA 2000 already has a regulatory mechanism, which includes the Adjudicating Officer under Section 46, CERT-In under Sections 70A and 70B, and the Police. The Adjudicator can impose penalties, CERT-In can impose penalties and also recommend prosecution, and the Police can start a prosecution in case there is a breach of data.

DPDPA can be considered different only in that liabilities under ITA 2000 generally crystallize after a breach has taken place, while penalties under DPDPA can in many cases be imposed even if there is no breach. ITA 2000 is, however, riskier from another angle, since action under ITA 2000 could lead to imprisonment of corporate executives, which DPDPA 2023 does not contemplate.

Even after DPDPA 2023 comes into force, ITA 2000 will not vanish, and hence some of the liabilities under ITA 2000 will remain relevant for companies.

Those companies which do not flag these risks today are probably the ones which will face the wrath of the law on a later day.

I therefore consider that wise managements should treat DPDPA 2023 as, in principle, effective as of today.

2. Should I start my compliance program today, or wait till the rules are notified?

Compliance is a journey, and the earlier one starts, the better. Even before the first controls are in place, an organization needs to "discover" the covered personal data it holds and classify it.

Consent needs to be obtained from legacy data principals, and any delay will only add to the stock of legacy personal data that does not conform to DPDPA 2023. Consents previously obtained on the basis of our understanding of GDPR, or under the guidance of earlier privacy consultants, may not suffice for compliance with the new law.

A wise corporate executive will therefore start the compliance program today and make the necessary updates when the rules are notified. Such updates are a routine requirement and will continue.

3. How long will the implementation typically take?

It is difficult to say how much time it takes to achieve compliance. Normally it takes not less than 3 months for a medium-sized company to take care of the basic requirements. Satisfactory implementation may take a further 6 months. The actual time depends on the size and operations of the organization.

4. If we want to start a DPDPA compliance program, what is the right framework to adopt?

At present, the only framework designed specifically to meet DPDPA compliance is DGPSI (Digital Governance and Protection Standard of India), developed by the professionals of FDPPI.

ISO 27701, which was developed with GDPR in mind, is not suitable for DPDPA compliance, and no other framework is available.

DGPSI combines compliance with DPDPA 2023, ITA 2000/8 and the draft BIS standard for Data Protection (released on August 10, 2023). The book "Guardians of Privacy: Comprehensive Handbook on DPDPA and DGPSI" is the starting point for the journey to understand DGPSI. Getting certified by FDPPI as a Certified DPO and Data Auditor (C.DPO.DA) is the next step.

5. Who has to lead the implementation in the company?

Most Indian companies do not have a DPO at present, and some of them have designated their CISO as the DPO. The DPO is the designated person in a company who needs to assume leadership of DPDPA compliance. Small companies which are not "Significant Data Fiduciaries" need not have a designated DPO, but may designate one suitable person as the "DPDPA Compliance Officer".

However, DGPSI recognizes that DPDPA compliance is an enterprise-level responsibility, and hence the implementation responsibility has to be shared. The Apex Governance Committee consisting of the different stakeholders, and the policy of "Distributed Responsibility" suggested in DGPSI, make implementation a joint responsibility of the governance team, though the DPO remains the leader.

The starting point for organizations today may actually be the CFO and the CRO, who have to flag the risk of penalties and start working on Cyber Insurance and the appointment of a DPO.

The lead therefore rests with the Board of the company, which should conduct a quick business impact analysis and decide how it should move ahead with compliance.

I welcome any queries on the above and am happy to debate any disagreements.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

One Response to Should we start DPDPA Compliance today?

1. Neha Roy says:

Excellent article!!
