India's Privacy Law: Companies Walk A Tightrope Between Compliance And Innovation

India's Digital Personal Data Protection (DPDP) Act of 2023 was anticipated to be a transformative piece of legislation for the country's tech landscape. However, two months after the law's enactment, companies are grappling with its complex provisions, leading to more questions than answers.

Companies across various sectors, from FMCG giants to small startups, and from banks to tech firms, are facing challenges in understanding how to implement the DPDP Act. The government's recent announcement of different compliance deadlines for large companies and smaller entities has created confusion and chaos, adding to the complexity.

Lawyers specialising in technology, media, and communication are seeing a surge in inquiries from companies seeking guidance on how to navigate and implement the new law. The DPDP Act has introduced strict rules on data protection and privacy, and companies need to adapt to ensure compliance. Implementing the Act involves various steps, including conducting gap assessments and internal audits of data collection, storage, and sharing practices. Sending notices to users for consent is also a time-consuming process.

Large companies like Tata Communications have initiated the gap assessment process to align with the Act's requirements but have requested a reasonable transition period for full compliance. Companies that already comply with data laws from other countries, such as the EU's GDPR, are advised to perform a gap analysis.

However, some companies, particularly banks, are finding the timeline of six months for compliance to be insufficient. Banks in India possess extensive personal data and must appoint consent managers, establish personal data management policies, and hire data protection officers and independent data auditors. For banks, this transition process may take at least a year.

The government has indicated that transition periods will vary based on factors like digitisation levels and data protection compliance maturity. Entities with lower levels of digitisation, government bodies, early-stage startups, micro, small, and medium enterprises, as well as specific healthcare institutions, are expected to receive extended timelines.

Amid these challenges, implementing the DPDP Act is a complex journey for companies in India. They must navigate a maze of regulations and compliance requirements while ensuring the protection of personal data and privacy.