Data Privacy and Corporate Accountability: The Implications of the Digital Personal Data Protection Act, 2023 on Indian Corporations

This blog is authored by Rishabh Raj, a 4th Year BA LLB student at MPLC Aurangabad.

Introduction

Companies require individuals’ data as part of their business conduct. This give-and-take relationship between companies and individuals has made lawmakers reconsider the vulnerability of individuals’ data and the risks associated with its misuse. While the relationship may seem simple, it comes with several challenges on both sides. To address them, the Digital Personal Data Protection Act, 2023 (DPDPA) has been enacted to fill the gap between people’s personal data and the accountability of companies. This article explores how the DPDPA will affect the responsibilities of companies and highlights the key legal duties and reforms companies need to adopt to succeed under the law.

Understanding the Digital Personal Data Protection Act, 2023

The DPDPA brings personal data in line with the Right to Privacy (Article 21), a fundamental right under the Indian Constitution. The law contains stricter rules for handling, storing, and transferring data within and outside India. Companies are now required to collect and process personal data lawfully, as stated in Section 7 (consent of the data principal). It also gives people more control over their data, including the right to have it corrected and erased (Section 12).

The law applies to both the public and private sectors and places a significantly higher responsibility on companies in both. Moreover, the law distinguishes between general personal data and sensitive personal data, such as financial details, health records, and biometrics, and applies more stringent requirements to the processing of such data.

Corporate Accountability: Legal Obligations under the DPDPA

Though the legislation has several aims, corporate accountability lies at the centre of them. The Act makes it compulsory for corporations to develop clear and transparent policies for their data processing activities (Section 8: Duties of Data Fiduciary), ensuring that data collection, use, and storage practices align with principles such as purpose limitation, data minimisation (Section 6(1)), and lawfulness. Companies should also implement technical and organisational measures to secure personal data and prevent data breaches (Section 8(4)).

Companies that handle large volumes of personal data may appoint a Data Protection Officer (DPO) under Section 10(2) to make sure they follow the DPDPA rules. The DPO monitors how data is handled, addresses complaints, and ensures quick action on data breaches. The DPO and the company work together by conducting regular audits, submitting reports, and ensuring compliance with the law (Section 21). The DPO also acts as the company’s point of contact with the authorities who oversee the law.

Companies need to hire a Data Protection Officer (DPO) because they can face heavy fines for data breaches or repeated rule-breaking, ranging between ₹50 crore and ₹250 crore as per the Schedule to the Act. As a result, following privacy rules becomes a crucial part of how they run their business and manage their responsibilities.

Consent and Data Management: Shifting Corporate Practices

The DPDPA emphasises informed consent as the basis for the collection and lawful processing of data. Corporations must make sure that consent is freely given, specific, informed, unambiguous, and obtained through opt-in mechanisms, as outlined in Section 7. Moreover, individuals whose data has been processed have the right to withdraw consent at any time, which requires companies to have a robust consent management system.

This change means that companies need to re-examine how they manage data. Data minimisation (Section 6(1)) requires that companies collect only the data they genuinely need for a specific purpose, and this should be central to how they handle data. Companies also need to revisit how long they keep personal data: it should be retained only as long as necessary for its purpose (Section 8(7)) and then safely deleted.

Corporations will have to invest in automation tools and data management platforms to streamline consent collection and withdrawal and to ensure that personal data is processed transparently. These changes place an additional compliance burden on businesses, but they also offer an opportunity to build greater trust with consumers by respecting their privacy rights.

Cross-Border Data Transfers: Impact on Indian Multinationals

Cross-border data transfers are the life-blood of international companies in a hyper-connected world. The DPDPA lays down strict rules for these transfers. As per Section 17 of the Act, companies may share personal data only with countries that maintain adequate data protection standards. This rule is on par with global standards such as Europe’s GDPR.

Indian MNCs need to keep a close check on how their data is transferred, particularly to countries whose laws are less rigorous. Furthermore, businesses that use cloud services or outsourced data processors must cross-verify those contracts and ensure that everything conforms with the DPDPA’s guidelines on keeping data local.

This change in legislation might push companies, especially those handling massive volumes of consumer data from other countries, to completely rethink how they handle data.

Data Breaches and Corporate Liability

Since organisations lose both reputation and money when they are breached, it is high time to take preventive measures. The DPDPA offers clear guidelines for managing such incidents. According to Section 8(6) of the DPDPA, if there is a data breach, companies must inform the Data Protection Board of India (DPBI) as well as the people concerned within a specified time period. The notification should set out exactly what occurred and in what sequence, the current risks involved, and the steps the company is taking to remedy it.

Businesses are obligated to comply with industry standards for breach notification and to provide reasonable data protection. All enterprises must now plan how they will protect their systems and networks, maintain a strong defence against cyberattacks, and prepare to deal with the consequences if an attack does succeed. They can furthermore employ encryption, multi-factor authentication, or other sophisticated technologies to protect sensitive information.

These practices include the following. First and most importantly, companies must keep a record of every incident in which they lost information; in other words, they must record how and when any private information went missing. Second, their systems should be checked frequently for vulnerabilities to which they may be exposed but which have not yet been attacked, which amounts to looking for the holes an attacker could exploit to leak data. One such technique is penetration testing, in which testers take the role of attackers in an effort to identify vulnerabilities in the systems before real attackers discover them.

Corporate Governance and the Role of Boards

Top management and the Board of Directors are responsible for ensuring that businesses apply DPDPA policies. Section 8(5) mandates that companies include data privacy in their risk management. They must therefore regularly review their data security rules, ensure that privacy is treated as a first-class concern, and provide enough funds and resources for privacy initiatives. The goal is to embed data privacy in the everyday operations and strategies of the business.

Board members have to be thoroughly informed of the DPDPA’s requirements and make sure the company’s compliance plan complements its other corporate governance objectives. Ignoring this might result in direct personal liability under S. 27, particularly where gross negligence can be established.

According to the rules of the DPDPA, companies will need to establish a data privacy committee. This committee will report directly to the board so that privacy risks can be identified and addressed with greater regularity. The officer in charge of data handling will ensure that the company puts sufficient money and attention into its privacy and cybersecurity duties, which will have a significant effect on how precious resources are allocated in this crucial area.

Conclusion and Suggestions

DPDPA compliance is a legal requirement and should be treated as such. In a digital economy based on trust and transparency, companies that can show they have sound measures for protecting data will have an advantage over rivals. Companies seeking this advantage must concentrate on collecting no more data than is required for particular business objectives and avoid any unnecessary accumulation of data that adds to their regulatory liabilities. Corporate culture should incorporate robust data encryption to guard sensitive information from unauthorised access and treat data protection as a matter of course.

Furthermore, regular investment in the additional technological controls that are required will simplify the compliance process and ensure that the delicate balance required by the DPDPA is maintained; such a proactive attitude will also help to build greater consumer confidence.
