Saturday, January 18, 2025

    What Needs to be Done to Make DPDP Act Both Comprehensive and Practical: Preeti Singh

    The Digital Personal Data Protection (DPDP) Act 2023 marks a historical moment in India’s approach to personal data protection. With the release of its draft rules, the Ministry of Electronics and Information Technology (MeitY) has set the stage for India to join the ranks of nations with robust data protection laws. However, as with any complex regulatory framework, there are several areas where the draft rules can be further enhanced. On this note, notable industry leader Preeti Singh (Director of Information Security and GRC at OSTTRA) shares her thoughts on some key provisions of the DPDP Act and recommendations for further improvement, ensuring that the framework is both comprehensive and practical.

    Also read: Strengthening the Human Firewall Against Social Engineering Attacks – Preeti Singh, OSTTRA

    Reasonable Security Safeguards: Clarity Needed

    One of the core elements of the DPDP Act is the requirement for data fiduciaries to implement “reasonable security safeguards” to protect personal data. While the intent is clear, the term “reasonable” is too open-ended and could lead to varied interpretations, depending on the resources and capabilities of the organisation.


    To address this, I recommend replacing “reasonable” with a more specific requirement, such as “appropriate security measures” or “industry-standard security safeguards”. A more structured approach, such as referencing established frameworks like ISO 27001 for information security or the NIST Cybersecurity Framework, would help clarify what constitutes appropriate security measures.

    Intimation of Personal Data Breach: Timely Reporting

    The draft rules mention that data fiduciaries must notify the Data Protection Board (DPB) and affected individuals in case of a data breach. However, no clear timeline is specified within which the Data Principal must be notified. This lack of specificity could lead to delays in reporting breaches and undermine the effectiveness of the notification process.

    This would not only ensure timely breach reporting but also enhance the transparency and accountability of data fiduciaries towards data principals.

    Parental Consent for Children’s Social Media Access: The Verification Challenge

    The DPDP Act includes a provision that requires children to obtain verifiable parental consent before accessing social media platforms. While the idea of protecting children’s privacy online is admirable, the practical implementation of this provision poses significant challenges. Verifying parental consent in a secure and effective way is not straightforward, especially when considering India’s diverse population.

    To ensure compliance with this provision, a robust mechanism for verifying parental consent is necessary. One potential solution could be the use of Aadhaar-based OTP authentication, which ensures that the person providing consent is the child’s parent or guardian. While Aadhaar is widely used for identity verification, using it for parental consent may raise concerns about privacy and access, especially for marginalized groups without easy access to Aadhaar or digital infrastructure.

    Additionally, the rules should address the implementation for international social media platforms operating in India, as these platforms may face unique challenges in complying with local regulations.

    Compensation for Data Principal: Clarifying Financial Repercussions

    The draft rules specify penalties for non-compliance, including fines for significant data breaches. However, the issue of compensation for data principals in the event of a breach or misuse of data remains unaddressed.

    It would be beneficial for the DPDP Act to clarify how compensation for data owners will be handled in such cases. By doing so, the Act would provide a more balanced approach to data protection, ensuring that businesses are not unfairly penalized while still holding them accountable for breaches.

    Clearly defined compensation mechanisms would also encourage data fiduciaries to invest in stronger data protection measures, knowing that there is a fair and transparent process in place to address the financial fallout of a breach.

    Cross-Border Data Transfers: Ensuring Adequate Protection

    The DPDP Act permits cross-border data transfers but does not specify clear criteria for determining whether a recipient country provides adequate protection for personal data. As data flows across borders, ensuring that it is adequately protected in recipient countries is crucial to safeguarding individuals’ privacy.

    To address this gap, I recommend that the DPDP rules define the criteria for assessing the adequacy of protection in recipient countries. The establishment of a whitelist of countries deemed to provide adequate protection would offer clarity to businesses and data fiduciaries on which countries are considered compliant with India’s data protection standards.

    Additionally, the rules should mandate the use of Standard Contractual Clauses, which are widely used in international data transfers to ensure that personal data is adequately protected.

    Enhancing Data Principal Rights and Grievance Redress Mechanisms

    The draft rules outline several important rights for data principals, such as the right to access, correct, and erase their personal data. However, these rights need to be operationalized more clearly. For example, the right to data portability is mentioned, but the exact procedure for exercising this right is not well-defined. Similarly, the right to be forgotten should be further elaborated to specify any exemptions and the process for individuals to request the removal of their data.

    Moreover, the grievance redress framework in the draft rules lacks sufficient detail. While data fiduciaries are required to appoint Grievance Redress Officers, the rules should define the exact timeline within which grievances should be addressed (for instance, within 60 days). Additionally, it is important that the grievance mechanisms are available in regional languages to ensure that individuals across India can 

    By providing more clarity on issues like security safeguards, breach notification timelines, parental consent verification, and cross-border data transfers, the DPDP rules could become more practical, transparent, and aligned with international standards.

    The article has been written by Preeti Singh, Director of Information Security and GRC at OSTTRA
