The Digital Personal Data Protection (DPDP) Act that came into effect on August 11 has so far been met with slow compliance from the industry. A report by PwC India shows that only nine out of the 100 companies surveyed currently seek free, specific and informed consent from users before collecting their data.
Even as 41% of the companies analysed were found to specify data principal rights (correction, access and erasure) in their website privacy policies, 43% of them did not provide a well-defined purpose for which personal data was shared with third-party data processors.
The banking, fintech and insurance sectors are in a slightly better position to respond to DPDP Act requirements at their end due to limited sectoral regulation expectations in terms of data processing, PwC said in a report titled ‘Readiness of India Inc for the Digital Personal Data Protection Act, 2023: A PwC analysis’.
The preliminary compliance statistics are significant because the industry has also urged the government to give it at least two years to comply with the Act. However, the government does not seem convinced and wants the companies to comply with the provisions of the Act largely within six months.
“The Act itself is progressive and adaptive and is likely to keep pace with changing times without much systemic ado,” said Sivarama Krishnan, partner and leader – risk consulting at PwC India.
“To that effect, investments made by organisations now to become DPDP Act compliant will stand them in good stead in the foreseeable future,” Krishnan added.
Other key statistics in the report show that 48% of organisations provide the option to withdraw consent. However, the process of withdrawing consent is not as easy as providing it. Only 2% of the organisations obtain consent in multiple regional languages.
With regard to appointing data protection officers (DPO), around 74% of these companies have listed contact details of a person or a team that can be contacted for queries around data processing, while 54% have proactively provided the contact details of their DPO, the report said. Besides, 17% of organisations have listed the email IDs of customer care or other functions for queries with respect to data protection.
The Act also mandates that companies specify the time period for which they will retain the data collected. 54% of organisations analysed, predominantly from sectors such as fintech, e-commerce and information technology and other regulated sectors (banking, insurance and aviation), state the data retention period on their websites, the report said.
With regard to children’s personal data, one out of ten schools provides a privacy notice customised to children and does age verification to check if a user is a minor.
Report Findings
41% of companies specify data principal rights but 43% don’t provide a well-defined purpose for which personal data is shared with third-party processors
The banking, fintech and insurance sectors were found to be in a slightly better position to respond to DPDP Act requirements
48% of organisations provide the option to withdraw consent but the process is complicated
17% of organisations have listed the email IDs of customer care for queries with respect to data protection