
Navigating The Tightrope Of The Digital Personal Data Protection Act

The trick lies in balancing consumer advocacy and compliance conundrums

Outlook Start-Up Desk

POSTED ON August 25, 2023 9:40 PM

The explosion of entrepreneurial spirit resulted in a start-up revolution backed by advancements in digital public infrastructure (DPI). Data has emerged as the lifeblood of the new digital economy and data-centred products and services. 

The combination of increased accessibility, DPI and purchasing power has provided a fertile ground for entrepreneurs to innovate, create new markets, and disrupt existing markets. The JAM (Jan Dhan, Aadhaar, Mobile) trinity has become the backbone of innovative digital products and services delivered within minutes. 

From reservations for travel and accommodation to movie tickets to shopping and groceries to credits and loans, every service and good can now be accessed and purchased online. Every minute, an astronomical amount of data is generated and shared across the digital space. 

Safety On Digital Fingertips

Sensitive personal data such as Personally Identifiable Information (PII) and financial information is being collected, processed, shared, and stored by these enterprises to facilitate the delivery of their services/ goods. Whether it is an online movie ticket or bill payment, the service provider can access the end user's data, rendering her vulnerable.

DigiLocker, an Indian Government initiative, has over 187 million registered users and has issued over 6.27 billion digital documents. It stores 631 types of documents issued by 1,684 government institutions. 

Considering nearly 900 million people are connected to the internet, the magnitude of personal data businesses have access to is unfathomable. The status quo necessitated comprehensive plumbing to ensure data security while transmitting, storing, and processing sensitive personal data.

This is where the Digital Personal Data Protection Act, 2023 (Act) comes into play. It establishes the rights of ‘Data Principals’ (users/ customers), to whom the data belongs, and the obligations and liabilities of ‘Data Fiduciaries’ (businesses/ enterprises/start-ups), who collect, store, and process the data. 

Taking Action

Data Fiduciaries who fail to take appropriate measures to ensure the safety of the user’s data become liable to harsh penalties going into hundreds of crores. The Act lays down several obligations on businesses while handling personal data. 

For instance, enterprises must issue a notice of request for consent to the user to process specified personal data. They must also inform the data principal of the procedure to withdraw consent, the ease of which must be similar to that of giving consent.

Once the user withdraws its consent, the business must cease processing the user's personal data as soon as possible and ensure that its data processor (third-party vendor/ contractor) does the same. They should recognise that consent managers must be registered with the data protection board. 

Fiduciaries must protect the data in their possession/ control by taking suitable security measures to prevent a personal data breach. In the event of a data breach, the breach must be intimated to the board and the affected user.

Enterprises must erase the user's personal data once the user withdraws consent or the purpose is fulfilled unless required otherwise by any other law. 

The Right Step

Corporations designated as ‘significant data fiduciaries’ are required to appoint a data protection officer who is based in India and is accountable to the organisation's board of directors/ governing body. They also need to assign an independent data auditor responsible for evaluating the compliance of the Significant Data Fiduciary.

Companies also need to undertake periodic data protection impact assessments and periodic audits. They must also remain mindful of the rights of the users recognised under the Act. 

These include the right to obtain a summary of personal data that is being processed by a fiduciary and the processing activities related to that data; the right to obtain the identities of all other data fiduciaries and data processors with whom the enterprise has shared the personal data and the description of the shared data; and the right to correct, complete, update, and erase their personal data for which consent was given, among others.

Compliance with the Act will become a tall task for startups as only some incorporate data protection measures into the service framework of their apps. Enterprises have been able to quickly get their apps up and running without worrying about data privacy, and the end-user pays the price. 

Malicious actors have been actively selling personal information to the highest bidder and even data breaches. With data becoming the modern equivalent of crude oil, businesses use their unfettered access and discretion to create consumer profiles, display targeted ads, and spam users. 

Emboldened By The Act

Young entrepreneurs with fresh and new ideas have been able to charge ahead and disrupt markets without worrying about the need and implications of data security. The Act has applied brakes and introduced responsibility into the ecosystem. 

Start-ups must now be more aware of their obligations and more sensitive to compliance processes, systems and regulations. These obligations raise the cost of operations for these enterprises as well. 

Technology development costs will increase because additional security controls must be built into the application, including data masking and encryption. It will also increase the cost of hosting as other controls, such as firewalls and network security, will have to be deployed. 

Businesses will have to conduct penetration testing and get certified by appropriate certification agencies, significantly raising the cost of maintenance.

Additionally, third-party and external consultants will become necessary to understand the applicability of requirements promulgated by the Act. They will need to understand their liabilities and the reporting mechanism during a data breach. 

The Act has increased checks and balances around data protection and privacy, which must now be adhered to before startups launch their products and services. For a startup with limited resources, staying compliant with every microscopic requirement in the regulatory universe is an immense challenge.

The DPDP Act adds another layer of complexity to this regulatory framework; however, it is necessary to create a strong foundation for the future of a digital economy. 

It adds guardrails for startups to be mindful of with additional technical requirements. While these requirements will increase the development costs, they also call for entrepreneurs to take on the responsibility of ensuring the safety of consumers’ data. 

For a digital economy to succeed, the gravity of a secure and protected data ecosystem cannot be overstated. This Act has laid the foundation for creating a responsible, accountable, and resilient data protection regime.

- Rishi Agrawal, CEO and Co-Founder, Teamlease RegTech
