The Digital Personal Data Protection Rules are likely to be released at the end of this month.
The 15-month delay since the Act was enacted has led to widespread anticipation in the industry, given the complexities of the Act and the lack of clarification in the absence of rules. “Given the nature of delegated legislation, the rules are unlikely to come with new substantive elements, but businesses can expect a fair degree of procedural clarity and detailing,” said Arya Tripathy, Partner, Cyril Amarchand Mangaldas.
The DPDP Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
“The government has encouraged businesses to initiate gap assessments, and many organizations have already begun this process to better understand their compliance obligations under the DPDP Act,” said Nakul Batra, Partner, DSK Legal.
“However, in the absence of finalized rules, companies face challenges in finalizing critical components such as consent mechanisms, internal policies, and operational processes.”
Nakul Batra, Partner, DSK Legal
The Act gives individuals the right to correction and erasure of personal data. It provides for erasure of an individual's personal data upon receipt of such a request, unless retention is necessary for the specified purpose or for compliance with any law for the time being in force. “Details such as the prescribed format for consent notices, procedures for managing breaches, and broad guidelines on data retention periods and the handling of data subject rights are still awaited,” said Nakul.
He adds, “Once published, these details may necessitate revisiting and revising compliance documents and frameworks developed during gap assessments, thereby adding to the complexity and making current preparatory efforts incomplete.”
Time to Comply
Data fiduciaries are working to fill the legislative gap. However, the task is complex because the work is not limited to complying with existing laws but also involves anticipating compliance. “It is expected that businesses will be provided with sufficient time to align with the law once the rules are notified,” said Nakul Batra, Partner, DSK Legal.
However, before the draft rolls out, organisations can frame their internal policies on global best practices. “In the meantime, organizations are focusing on preliminary measures to ensure a smooth and effective implementation as the regulatory framework continues to evolve,” he added.
Arya Tripathy, Partner, Cyril Amarchand Mangaldas said, “While rules are awaited, it becomes rather imperative that entities apprise themselves with the substantive norms, the underlying principles, and undertake steps to set their house in order,” adding, “the least undertake scoping and gap assessment exercises as that would position them to swiftly comply with the new data processing norms under DPDPA and its rules.”
Clarity and Complexities
Section 18 of the DPDP Act establishes the Data Protection Board of India. However, it shall take effect from such date as the Central Government may, by notification, appoint. “More specifically, rules are likely to hash out consent notices, qualifications and obligations of consent managers, data principal rights exercise mechanism and timelines, retention periods for identified cases, breach notification norms, and establishment of the Data Protection Board of India,” said Arya Tripathy, Partner, Cyril Amarchand Mangaldas.
“The degree of awareness at this stage is less than expected, and it is time to acknowledge that the new privacy law’s implementation is a matter of time.”
Arya Tripathy, Partner, Cyril Amarchand Mangaldas
Organizations are anticipating clarity in place of ambiguity and are adopting measures to make compliance feasible to implement. “The clarifications in the upcoming rules could have helped mitigate these roadblocks much earlier, providing a much-needed roadmap for organizations to prepare adequately,” said Harshita Agarwal Sharma, Founder, Lexlevel Services.
Challenges due to Delay
The major challenge arising from the delay is ambiguity around compliance requirements. “This gap has resulted in varying interpretations of compliance requirements, increased exposure to risks of non-compliance, and a reactive approach to managing data breaches, rather than a proactive one,” said Harshita Agarwal Sharma, Founder, Lexlevel Services.
Alay Razvi, Managing Partner, Accord Juris, highlights that the extended timeline has left businesses in a phase of uncertainty, with several provisions of the Act requiring urgent clarification.
He suggests clarification of the following provisions:
a. The Act mandates explicit and informed consent for processing personal data. However, there is ambiguity regarding the format, language and technological safeguards that will ensure compliance.
b. The Act provides for reporting breaches to the Data Protection Board and affected individuals. But the absence of timelines and a reporting format has created uncertainty.
c. The DPDP Act provides certain relaxations for start-ups and small enterprises. However, clear criteria defining the scope and extent of these exemptions are awaited.