Now that DPDPA 2023 has been gazetted with the Presidential Assent professionals in the industry are wondering what they should do now?
Should they expect that the Government will now sleep over it and the date of applicability may not be announced for the time being and they can relax and go back to what they were doing earlier?
With Mr Rajeev Chandrashekar driving the Act, it may not be wise to think the Government will forget DPDPA and move on. Probably by this time the Government has shortlisted the members of the Data Protection Board and would soon come up with the names of the members of the DPB and the Chairman so that they can take charge at the earliest. If DPB is set up in Delhi or Bangalore, or any other place, the selected members need to move into their destination and set up their preliminary office.
The DPB will then have to get a few members of their technical team to get ready and open a website and backend server to maintain whatever data they need to maintain.
Then the Government (MeitY) and the DPB will be working on the different notifications that would be required starting with the laundry list in Section 40.
Section 46 lists 26 different rules that needs to be made as per the law. Several more sub rules and clarificatory notifications will also be issued from time to time.
The rules include the “Manner of appointment of the Chairperson and the Members of the Board” [Sec 40(r)]. This notification has to be released before the constitution of the DPB is announced. Along with it the details of salaries and allowances and conditions of services of the Chairperson and the members of the Board need to be announced [Sec40(s)]. Then the terms and conditions of appointment and service of officers and employees of the Board [Sec40(u)] and the manner of authentication of orders, directions and instruments [Sec40(t)] need to be notified. The technolegal measures to be adopted by the Board [Sec 40(v)] and other matters related to DPB [Sec 40(w)] also have to follow.
These should be the first set of rules to be released.
However, for the industry it is immaterial how the DPB is going to be constituted or who will be the members of the DPB. They need to presume that sooner or later the DPDPA will become effective and non compliance could lead to penalties.
Hence the organizations need to start looking at what they should do now. The very first step that any responsible Corporate entity should do is to take note of DPDPA having been passed and start analysing its business impact.
Hence Corporate Managements need to include in their next Board Meeting a resolution that the Board takes note of the passing of DPDPA and develops a “Business Impact Report” to be submitted to the Board or a sub committee of the Board probably the Audit Committee within a short time.
The Independent Directors need to take the lead in this respect.
Next: Who should the Board ask for the Business Impact Assessment?