Companies face tall task in complying with new data protection law
Contents News/Article Date: 14th August 2023
Relating to which Act:
(1) Digital Personal Data Protection Bill 2023
(2) Information Technology Act 2000; Information Technology Amendment act 2008;
Penalty under the Act: Penalties: The schedule to the Bill specifies penalties for various offences such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
Applicable to which State: Whole of India
Type: Money Control news report
Pertains to: Territorial Applicability: The Bill states while that all processing undertaken within India will be applicable to the Bill, processing outside India will also invite applicability, if the Fiduciary undertakes processing in relation to an activity related to offering of goods or services to Indian residents.
Relevance of this news: Karma Global is in the business of HR Services, Payroll, Outsourcing and Regulatory Compliances right from its inception in 2004 and since then, has brought in a lot of efficiencies and technological upgradations with experts on its roll, to ease the hassles of Payroll Processing, Temp Staffing, On-boarding, Employee Life Cycle, Statutory, Regulatory and Payroll compliances by providing customized solutions to all its elite clients.
Karma Global has set up its offices in UK, USA, UAE, Canada and South East Asia and is fully into providing solutions for workplace issues, employment law advice, immigration and negotiation, representation in employment tribunals and involvement in leading cases, addressing HR issues in line with Labour Laws, payroll, staffing and talent acquisition.
And in the current instance: With the passage of the Digital Personal Data Protection (DPDP) Act by the government, companies, both start-ups and enterprises, have a tall task ahead of them in terms of complying with the law. Although the DPDP Act has been passed, it is not yet in force.
Companies will need to create an inventory of their datasets, figure out where the datasets are, who has access to them, and so on. They also need to conduct privacy impact assessments and gap assessments to evaluate their “readiness” with the law.
Subject: Companies face tall task in complying with new data protection law
Appended is the complete news item
Companies face tall task in complying with new data protection law
With the passage of the Digital Personal Data Protection (DPDP) Act by the government, companies, both start-ups and enterprises, have a tall task ahead of them in terms of complying with the law. Although the DPDP Act has been passed, it is not yet in force.
Companies will need to create an inventory of their datasets, figure out where the datasets are, who has access to them, and so on. They also need to conduct privacy impact assessments and gap assessments to evaluate their “readiness” with the law.
“Secondly, organisations are also grappling with exerting control on data access. For example, on how to grant customer support teams access only to the last four digits of an Aadhaar number, and ensuring they see only what’s necessary, not the entirety of the information,”.
“Companies will be required to undertake privacy impact assessments to understand where they are with respect to the DPDP Act. Privacy impact assessment will identify the kind of data is moving within the organisation. They can either do it internally or engage with a law firm or a consulting firm to do that,”
“Companies need to understand what datasets they are holding. If they are holding personal information of consumers, where is that information stored? Is that information going to a third party? What kind of controls would you have to bring in to safeguard this data? What kind of processing are you doing with the data? That’s the journey these companies need to undertake,”.
Companies will also be required to to take up data inventory using data discovery techniques; develop mechanisms to provide notices to data principals for personal data collected previously and going forward; implement a consent management mechanism to collect, maintain, track, and update consent from individuals.
It will also have to prepare and deploy mechanisms that will respond to a user’s data-related requests; ensure valid contracts are maintained with data processors and lastly, monitor changes or updates to data protection laws and regulations.