Moneycontrol PRO
HomeNewsTechnologyNew DPDP rules may mandate immediate reporting of data breaches to Data Protection Board

New DPDP rules may mandate immediate reporting of data breaches to Data Protection Board

The details that a platform will need to communicate to the DPB, on a best-effort basis, should include a description of the breach, the date and time when the platform became aware of the breach, the location of the breach, its extent, and potential impact.

December 27, 2023 / 11:34 IST
The Digital Personal Data Protection (DPDP) Act was passed in both the houses of Parliament in August 2023

The Digital Personal Data Protection (DPDP) Act was passed in both the houses of Parliament in August 2023

Any platform processing personal data of users, whether a private or government entity, must immediately notify the Data Protection Board (DPB) of any data breach upon becoming aware, according to an unreleased version of the draft Digital Personal Data Protection (DPDP) rules.

The DPB is an adjudicating body set up under the DPDP Act.

The details that a platform will need to communicate to the DPB, on a best-effort basis, should include a description of the breach, the date and time when the platform became aware of the breach, the location of the breach, its extent, and potential impact.

These details are included in a version of the draft DPDP rules currently circulating internally among various sectors of industry and governance. The rules will define the DPDP Act's parameters.

Moneycontrol has seen a copy of the draft. However, the publication could not independently confirm its authenticity. The publication has reached out to the Ministry of Electronics and Information Technology (MeitY) regarding the matter, and the article will be updated when a response is received.

Within 72 hours of the data breach, a platform will also have to inform the DPB more details regarding the incident, which includes, broad facts related to the breach, circumstances and reasons which led to the security incident, and so on, the draft added.

These reporting mechanism will be digital in nature, and a platform can submit such details through the DPB's website.

It is important to note that platforms already report data breaches or any kind of cybersecurity incident to the Indian Computer Emergency Response Team (CERT-In). According to the CERT-In Directions of 2022, platforms will have to report a data breach within 6 hours of noticing such incidents.

Last week, MeitY held a consultation meeting with the industry on the draft DPDP rules.

During the meeting the government conveyed to the industry that it intends to release the rules soon and, after a brief consultation period, notify it by January 2024.

Minister for State for Electronics and Information Technology Rajeev Chandrasekhar chaired the meeting and it was attended by representatives of social media companies such as Meta, Google, Snap, representatives of IT companies and lawyers.

Invite your friends and family to sign up for MC Tech 3, our daily newsletter that breaks down the biggest tech and startup stories of the day

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Dec 27, 2023 11:28 am

Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!

Advisory Alert: It has come to our attention that certain individuals are representing themselves as affiliates of Moneycontrol and soliciting funds on the false promise of assured returns on their investments. We wish to reiterate that Moneycontrol does not solicit funds from investors and neither does it promise any assured returns. In case you are approached by anyone making such claims, please write to us at grievanceofficer@nw18.com or call on 02268882347