One of the queries I have received on Linked in by a discerning Privacy Professional is
” As we observe, organizations have begun aligning with the Digital Personal Data Protection (DPDP) Act in India. However, several provisions remain ambiguous, awaiting further clarification through governmental rules. For instance, the practical implementation of roles like the Consent Manager is still not fully defined.
In light of these uncertainties, how can organizations proactively work towards compliance? What preliminary steps can be undertaken even before the complete regulatory framework is established?”
Let me try to provide my feedback on this.
Compliance to DPDPA is a cost that any organization have to absorb. Even conduct of a DPDPA Gap assessment will need a budget. If an organization is a Data Fiduciary of some responsibility, the costs are likely to be higher since they have to immediately take the decision to designate a new senior position of the Data Protection officer with a team of his own. Once the DPO is in place, he will demand an “Implementation Plan” which includes in house measures such as drawing up of policies which may need external consultancy of expert organizations like FDPPI which also requires investments. Then comes the bigger investment and a decision about acquisition of software for compliance which is a long term higher level investment.
The CFOs, CEOs and the Board members of any organization would naturally take their time to commit on these expenses and would like to take as many excuses as possible not to sign on the DPDPA implementation budget. However this “Judicious Contemplation” should not turn into procrastination and policy paralysis.
The first action required for any responsible corporate entity is to pass a resolution at the Board level to the effect
“The Board has taken note of the passage of DPDPA2023 and the imminent release of detailed rules and
a) has resolved to conduct and document a Business Impact Analysis on the passage of DPDPA 2023 on our organization immediately.
b) resolved that a committee of Directors consisting of …….., ….. and ….. is formed with immediate effect under the chairmanship of the independent Director ……………, to consult relevant experts and report to the Board by the next Board meeting on further actions to be taken.
c) resolved that the following shall be the terms of reference shall be addressed by the Committee
i) To determine when should the Company start a DPDPA Gap assessment program.
ii) To determine if we designate a “DPO” for our organization
iii) To determine the budget to be allocated for the next quarter and the current year for DPDPA Compliance
The above actions are necessary and can be implemented immediately by the Company Secretary who is drafting the minutes for the next Board meeting. If an organization has already passed through this stage, they may encounter the questions raised in the query above. This needs to be discussed by the committee and their views presented to the Board. In that process, they can take into account the following thoughts.
Ambiguity of provisions
DPDPA is a law and the law is by nature meant to provide broad principles which are to be interpreted in the context of its implementation.
Rules are expected to provide the procedural guidelines and cannot re-interpret the law. Rules cannot therefore be expected to provide “Legal Clarity” where the law has failed to do so.
Hence if there are any ambiguities in the law as we perceive, we need to live with it. As regards the Consent Manager the law is clear and it is the Draft rules that are creating complications. But “Consent manager” is not “mandatory” for implementation of DPDPA by an organization and hence organizations need not wait for this ambiguity on “Consent Manager” if any to be cleared.
Consultants like FDPPI and the Frameworks like DGPSI has provided a “Jurisprudential Interpretation” of all aspects of DPDPA 2023 and unless a company wants to ignore them, there is no reason to delay the start of implementation waiting for further clarification from the Government.
Government cannot provide a clarification that is not in tune with the Act and if they do so by a mistaken interpretation, there is a possibility of the law being challenged in a Court of law.
The current mood of the Supreme Court which in the past has been aggressive in taking on the executive’s role of drafting rules for the Act and adding its own interpretations to the laws is not to pass any “Stay” on the operation of the law. If therefore any “Andolan Jeevies” challenge the specific provisions of the law as “Ambiguous”, the issues will be taken up for discussion but no decision is expected immediately.
We therefore consider that it is not wise for companies to keep waiting for clarifications from the Government.
Our view on this is clear as follows:
1.DPDPA 2023 is an expansion of Section 43A of ITA 2000 and is therefore considered as “Due Diligence” under the current law which is ITA 2000.
2. DPDPA 2023 provides a detailed clarity on the concept of “Reasonable Security Practice” under Section 43A of the ITA 2000.
3. The limitation of applicability of Section 43A of ITA 2000 to “Sensitive Personal Information” has now lost the meaning since there is no specific definition of Sensitive personal information under DPDPA and it is the responsibility of all Data Fiduciaries to determine the harm likely to be caused to a Data Principal on account of their processing and take appropriate action to protect their interests.
4. Since the “Data Fiduciary” is a “Fiduciary”, he is self responsible for determining what is the harm likely to be caused and accordingly expected to develop the compliance.
5. While section 43A is limited to the provision of compensation to a data principal, it does not bar the Adjudicator under ITA 2000 to impose any penalty on the Data Fiduciary.
6. Section 43A of ITA 2000 remains in tact till Section 44 of DPDPA 2023 along with the penalty section 33 is not specifically notified. Till then, Penalty under Schedule I of DPDPA 2023 may be considered only as a “Legislative intent” and the Adjudicator under his powers to pay compensation upto Rs 5 crores can provide compensation to the affected victim and also exercise its Suo-Moto powers to impose deterrent penalties as well as recommend action under Section 43 and Section 66 of ITA 2000.
7. Ambiguity if any on the role of a “Consent Manager” may be ignored. If any organization has the intention of registering themselves as “Consent managers”, they may do so after the Data Protection Board is set up.
8. When in doubt, the Company may obtain and document an opinion from an appropriate management consultant or a legal consultant. Such opinion may be a Legal Opinion from a law firm or a Management Advise from a Management consultancy firm.
I suppose this provides a reasonable response to the query raised. Further comments are welcome.
Naavi
