With the passage of the Digital Personal Data Protection (DPDP) Act by the government, companies, both startups and enterprises, have a tall task ahead of them in terms of complying with the law. Although the DPDP Act has been passed, it is not yet in force.
Experts told Moneycontrol that companies need to create an inventory of their datasets, figure out where the datasets are, who has access to them, and so on. They also need to conduct privacy impact assessments and gap assessments to evaluate their "readiness" with the law.
"In our ongoing engagements with Indian enterprises, we've identified they face two significant challenges. Firstly, there is proliferation of personally identifiable information (PII) across various systems, which increases the risk of potential data breaches," Deepak Annamalai, Head of Skyflow APAC told Moneycontrol.
Palo Alto-based Skyflow provides solutions that aim to help startups and enterprises comply with data protection laws in various countries, such as the EU's General Data Protection Regulation (GDPR), India's Data Protection Act (DPDP), and so on.
"Secondly, organisations are also grappling with exerting control on data access. For example, on how to grant customer support teams access only to the last four digits of an Aadhaar number, and ensuring they see only what's necessary, not the entirety of the information,” Annamalai added.
In this regard, Kanishk Gaur, the founder, and CEO of India Future Foundation, a Delhi-based tech think tank, has urged companies to undertake privacy impact assessments.
"Companies have to undertake privacy impact assessments to understand where they are with respect to the DPDP Act. Privacy impact assessment will identify the kind of data is moving within the organisation. They can either do it internally or engage with a law firm or a consulting firm to do that," Gaur said.
"Companies need to understand what datasets they are holding. If they are holding personal information of consumers, where is that information stored? Is that information going to a third party? What kind of controls would you have to bring in to safeguard this data? What kind of processing are you doing with the data? That's the journey these companies need to undertake," Gaur added.
Consulting firm Deloitte has also recommended a list of measures for companies in view of the new law, including conducting a "gap assessment to evaluate readiness."
Deloitte has also advised companies to take up data inventory using data discovery techniques; develop mechanisms to provide notices to data principals for personal data collected previously and going
forward; implement a consent management mechanism to collect, maintain, track, and update consent from individuals.
The firm also urged bodies to prepare and deploy mechanisms that will respond to a user's data-related requests; ensure valid contracts are maintained with data processors and lastly, monitor changes or updates to data protection laws and regulations.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
