By Tushar Gandhi and Pranjal Chaturvedi
India, as one of the world’s largest and fastest-growing digital markets, has taken a significant step towards bolstering data protection and privacy with the proposed establishment of the Data Protection Board. The board is envisaged in the Digital Personal Data Protection Act 2023 as a central authority whose primary responsibility will be to oversee and enforce data protection regulations in India. It will be responsible for interpreting and implementing the provisions of the DPDP Act, as well as addressing any concerns or complaints by data principals (individuals) related to data privacy.
As per the DPDP Act, organisations, specifically significant data fiduciaries, are required to appoint a ‘data protection officer’. The data protection officer will be tasked with ensuring compliance with the DPDP Act, handling data protection-related queries, and acting as a point of contact between the organisation and the Data Protection Board. The Act also talks about ‘Consent Managers’ that will function as a nodal point between organisations, individuals and the Data Protection Board. The consent managers will be third-party independent entities registered with the Data Protection Board and their role will be to be in charge of managing the consent given by individuals to use their data. Organisations are required to evolve frameworks that will allow these consent managers to represent individuals.
Also read: DPDPB versus GDPR! Where does the Indian bill stand
During a stakeholder consultation meeting held on September 20, Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, said that the board would be set up within the next 30 days. He added that the government expects most provisions of the Act, except those related to age-gating and similar aspects, to be implemented within a 12-month timeframe. This indicates the government’s recognition of the complexities involved in aligning operations with the new data protection requirements.
While the establishment of the Data Protection Board would be a significant milestone, we can expect some implementation challenges. The DPDP Act brings forth a comprehensive framework that requires organisations to adopt robust data protection measures, ensure transparency in data processing, and obtain explicit consent for data usage. However, compliance with these provisions is likely to pose technical and operational challenges. Industry’s concerns revolve around ensuring a balanced regulatory approach that considers business continuity, technical complexities, and alignment with global data protection standards.
With the DPDP Act in place and the board’s role defined, India aims to enhance trust in the digital ecosystem and ensure the responsible handling of personal data. However, the successful implementation of the DPDP Act and the smooth functioning of the Data Protection Board will require close collaboration between the government, industry stakeholders, and technology companies to address any challenges effectively and strike a balance between data protection and business needs.
(Tushar Gandhi is the Founder and Pranjal Chaturvedi is a researcher at public policy firm Gateway Consulting. Views expressed are personal and not necessarily that of financialexpress.com)