Consumers fed up with the promotional calls of banks, insurance firms, telcos and others, and wary of their personal data getting into the hands of telemarketers will have to wait longer for some relief. The Digital Personal Data Protection (DPDP) Bill, which became a law in August last year, is unlikely to come into force for at least another 18-24 months.
The delay in implementation, so far, was because the rules under the Act had not been framed. However, officials now say that even when the rules are framed and notified, it may take another 18-24 months to implement them. This is because companies need to be given adequate transition time.
While some big-tech firms may have processes ready, most government-owned companies are quite unprepared, they said.
The government and its departments are the biggest data fiduciaries, and complying with the Act in a shorter time will therefore be difficult for them, officials pointed out. Even smaller private firms would need adequate time to sync their processes with the new provisions.
Sources said that some Central government ministries have also indicated their unpreparedness in formalising a system of seeking consumer consent, and have expressed the need for a longer time frame for transitioning to a new system.
“We will have to provide a reasonable time period for companies to implement the provisions once the rules are notified. The global practice has been 12-30 months. So, we may provide around 18-24 months to all data fiduciaries,” an official said.
A key reason most segments are seeking adequate transition time is that under the Act, for every instance of data breach, the entity in charge of the data will have to pay a penalty of Rs 250 crore if found guilty.
Once the law comes into force, the first step for companies dealing with consumer data will be to inform their users about the data these firms hold on them. Based on that, users can ask all digital platforms to delete their past data or give consent to the companies to use the data based on their preferences. While sharing data with any entity, consumers will have the right to ask about its purpose, the uses it can be put to, and by when it would be deleted.
For instance, consumers can direct banks, insurance firms, e-commerce firms, etc., with which they share their personal data not to use it for phone calls making sales pitches. Similarly, directions can be given that the data should not be shared with any other entity. The onus of any data breach as a result of theft by employees or in any other manner will lie with the company concerned. Government departments will also have to send notices about the information they hold on users.
In the rules, the government will also notify the framework for the Data Protection Board, which will act as an adjudicating body for data principals and fiduciaries.