By Tarun Kaura
The long-awaited moment has finally arrived. On August 3rd, 2023, the Indian Parliament tabled the much-anticipated Digital Personal Data Protection Bill, 2023. This landmark legislation, once enacted, will fundamentally transform the way personal digital data is managed, processed, and protected, not only within India but also by enterprises based outside India, serving Indian individuals.
The bill is a significant step forward in the realm of data privacy, as it empowers individuals, referred to as ‘Data Principals’, to govern their own personal digital data. This means that individuals will have the right to access, update, and erase their personal data, thereby gaining more control over their digital footprint. This is a significant shift from the current scenario, where individuals often have little control over their personal data and how it is processed.
The bill also mandates enterprises, referred to as ‘Data Fiduciaries’, to process personal data of individuals in a lawful manner and for specific purposes only. This implies that enterprises will need to be transparent about why they are collecting data and how they intend to use it. They will also need to ensure that they have the necessary permission (i.e., consent) in place before they can process personal data, unless an explicit consent is not required as per the provisions of the bill One of the most notable aspects of the bill is its geographical coverage. This means that even enterprises based outside India, but serving individuals in India, will be expected to adhere to the provisions of this bill once enacted. This is a significant development, as it extends the reach of Indian data protection laws beyond its borders, thereby ensuring that data of individuals in India is protected, irrespective of where it is processed.
However, the bill also brings with it a set of obligations that enterprises must adhere to. These include reviewing their current ways of working, especially with regards to personal data, and ensuring that they are in compliance with the new regulation. Non-adherence to these obligations may attract sanctions and commercial penalties as high as INR 250Cr, thereby underscoring the seriousness with which the Indian government is treating data privacy.
Given the far-reaching implications of the bill, it is highly recommended that enterprises do not wait for the bill to be enacted before they start their readiness journey. This journey begins with the fundamental step of data hygiene, which involves understanding where the data within the enterprise is, who accesses it, who processes it, and how data flows from one function to another.
Enterprises will also need to invest in the right processes, tools, and solutions to ensure compliance with the new regulations. This includes setting up robust data governance frameworks, establishing clear lines of accountability, and raising awareness about data privacy amongst employees.
But perhaps most importantly, enterprises should view the enactment of the bill not just as a compliance exercise, but as an opportunity to establish and operate in a privacy-enabled environment. In an era where data breaches and privacy violations are increasingly becoming common, enterprises that prioritise data privacy will not only be in compliance with the law, but will also gain the trust of their customers, employees, and stakeholders.
As we await further guidance on the bill, one thing is clear: the enactment of the Digital Personal Data Protection Bill, 2023, will mark the beginning of a new era in data privacy in India. It is a transformative piece of legislation that will change the way we think about and handle personal digital data. The Digital Personal Data Protection Bill, 2023 is a testament to India’s commitment to protecting the digital rights of its citizens and a call to action for enterprises to prioritise data privacy. As we await its enactment, the onus is on enterprises to start their readiness journey and embrace the transformation that is imminent.
The author is Partner and Leader, Cyber Advisory, Deloitte India
Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.
