New Draft Digital Personal Data Protection Rules Mandate Enhanced Data Security Measures for Companies
In a significant move to bolster data privacy in India, businesses are now required to adopt stringent data security protocols in response to the recently unveiled draft Digital Personal Data Protection (DPDP) rules. Key measures such as encryption, obfuscation, and the use of virtual tokens for personal data are emphasized as vital strategies to mitigate the risks of data breaches.
Released for public consultation on January 3, the draft rules are issued under the Digital Personal Data Protection Act, 2023. They aim to lay down operational guidelines reinforcing India’s commitment to safeguarding personal data, and they delineate specific obligations for companies to follow in the event of a data breach, seeking to enhance overall accountability in data protection.
According to the draft rules, a personal data breach is defined as any unauthorized processing or accidental exposure of personal data that jeopardizes its confidentiality, integrity, or availability. Companies that fail to notify the Data Protection Board and affected individuals following a breach face significant repercussions, with penalties for non-compliance reaching up to Rs. 200 crore. This aligns with the regulatory framework highlighted by former Minister of State for IT Rajeev Chandrasekhar, who clarified at the 2023 Digital India Dialogue that the board’s jurisdiction extends to breaches occurring even before its establishment.
Following a data breach incident, companies are mandated to report the circumstances surrounding the breach and the steps taken to mitigate potential risks. Additionally, companies must communicate the breach to affected individuals promptly and clearly through their registered accounts or contact information. For instance, a customer of an e-commerce platform like Myntra would be informed through their account or via registered email or SMS, emphasizing the clarity and urgency required in these notifications.
Furthermore, the rules instruct businesses to maintain detailed logs of personal data access for at least one year to facilitate investigations into unauthorized access events. Organizations must ensure robust access controls and adequate monitoring mechanisms while preserving backups to enable the continuation of service in the event of a breach.
Amid these regulations, concerns have surfaced regarding the specificity of reporting timelines, with stakeholders questioning whether companies can gather sufficient information on countermeasures within a 72-hour notice period. Industry experts advocate for a proportionate approach to penalties based on company size and the severity of the breach, suggesting that a risk-based framework could lead to more equitable enforcement and compliance.
Tensions over jurisdictional overlaps are also notable, as both the Data Protection Board and the Computer Emergency Response Team (CERT-In) oversee breach reporting. With each entity imposing distinct requirements, businesses may face confusion regarding their reporting obligations. Minister Chandrasekhar has confirmed that companies must inform both organizations, emphasizing the dual-track reporting scenario that could complicate compliance for affected entities.
As these developments unfold, organizations across sectors would benefit from proactive measures to bolster their data protection protocols in anticipation of the finalization of the DPDP rules. These new directives present an opportunity for businesses to reassess their cybersecurity strategies and align them with regulatory expectations, thereby enhancing their resilience against potential data breaches and the associated repercussions.