MEITY : nasscom representation on enabling a robust implementation of the DPDPA

Terms of use

Terms of Use

The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.

All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.

Disclaimer

The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.

For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.

New

See all

No notification found.

MEITY : nasscom representation on enabling a robust implementation of the DPDPA

Varun Sen Bahl

@varunsenbahl1

November 17, 2023

Public Policy Data Privacy

412

In November, nasscom made a representation to the Ministry of Electronics and Information Technology on enabling a robust implementation of the Digital Personal Data Protection Act of 2023 (DPDPA). Our representation, which was developed based on a series of discussions with a heterogenous group of entities in the technology sector and webinars with experts, included the following observations and suggestions.

Current industry readiness

Based on our conversations with the industry, organisations, to be ready for the rules, have been:

building internal awareness and identifying required organisational posts and governance requirements;
identifying contracts, technical systems, and organisational practices which may require review;
assessing how they can leverage technology to improve data protection; and most importantly,
trying to understand where all and what all personal data sits in their organisations.

These are important steps in the compliance journey.

Relevance of notifications other than the rules

To practically determine the precise range of required compliance measures and operational aspects, organisations require, in addition to the finalised rules, clarity on certain matters under the DPDPA that are dealt with directly through notifications that are separate from the rules envisioned under section 40. These are:

Notifications identifying significant data fiduciaries (SDFs) under section 10(1). Organisations need to know if they will be SDFs or not, as this determines whether the obligations under section 10(2) will apply to them.
Notifications identifying qualifying organisations (or processing activities) under sections 17(3), 9(4) or 9(5). Organisations need to know if they are eligible for such exceptions.

It is only after the rules are finalised, and these additional notifications are made clear, that organisations can estimate the time and resources required to establish and operate their DPDPA compliance programs.

Need for guidance

In addition, there is a need for guidance, over and above rules, to help organisations interpret terms and concepts in the DPDPA – that have no rule-making power attached to them - with confidence.

The idea is not to indirectly create new rules, redefine statutory provisions, or constrain the Board or the TDSAT, but to clarify how the Central Government is itself interpreting these sections, and identify best practices and international reference points that can be brought to the Indian context with confidence.

We identified the following areas meriting guidance:

The “purposes of employment” under section 7(i).
The “voluntary provision of personal data” ground under section 7(a).
The meaning of “technical and organisational measures”.
The concept of “security safeguards”.
The meaning of ‘detrimental effect on the well-being of a child’.
The meaning of the term “erasure” under the Act.

The Government can explore multiple different avenues to issue guidance, including establishing an inter-sectoral committee for cross-sectoral harmonisation; issuing best practices for government data fiduciaries; and setting up a multi-stakeholder working group.

Considerations for compliance timeframes

Basis the work done so far, and the current state of compliance, it is clear that, in terms of the time required to be ready for enforcement, organisations must be appreciated as follows:

Organisations with no prior data protection experience: the organisations that will require the most amount of time will be those with no prior personal data protection experience (either with the SPDI Rules, sectoral regulations, or foreign laws). Examples include government organisations, logistics companies, professionals, offline retailers, research institutes, schools, etc. These will be building compliance programs from scratch.
Organisations with limited data protection experience: there are many big and small organisations in India who will not have exposure to horizontally applicable foreign data protection laws (like the GDPR) but will have limited compliance programs in place today (mainly to comply with the Sensitive Personal Data Information Rules or sectoral regulations). Examples include those in e-commerce, financial services, healthcare industries, etc. These will need to adapt compliance programs to apply to all types of digital personal data and to account for new obligations (e.g., data principal rights). They will require more time than those with exposure to foreign data protection laws.
Organisations with prior foreign data protection experience: There are organisations in India, covered by the DPDPA, who are GDPR compliant, and are best placed (relative to the above two sets) to become DPDPA compliant. However, they will also still require time to build their individual DPDPA compliance programs due to certain India-specific elements in the DPDPA, such as:

The need to map legal grounds for processing activities afresh, as the available grounds for processing under the DPDPA are different from those under foreign laws. Remapping legal grounds takes time and is complex.
The need to map processing activities to different data principals afresh. This is because, unlike in foreign laws where a Data Principal is a single individual, under the DPDPA, a Data Principal can also be a group of individuals (such as parents and children, or persons with disabilities and their legal guardians). This requires new methodologies and systems to be built for the DPDPA specifically.
The DPDPA also states that the withdrawal of consent triggers the erasure of personal data, which is a novel requirement and not specifically mandated under foreign laws. This requires new technical measures to be deployed, which will take time to develop and test before deployment can happen at scale.
The DPDPA introduces new specific protections for the processing of personal data of children and of persons with disabilities, that are comparatively novel, and will require India-specific measures, systems, and applications to be built.
Providing notices and consent requests in multiple languages will, at first, require some time, as suitable vendors are identified and legal reviews across multiple languages are conducted.

General feedback for rulemaking

As per news reports, the Central Government may release all rules at once for public consultation. Given that this is (in theory) 26 sets of rules being released at once, we requested that adequate and proportionate time be given to receive public comments (the default practice is to give 30 days for one set of rules).

We also identified certain desired clarities and outcomes that may be reflected in rules before they are put up for public consultation. These include:

Any rules on notices should avoid prescribing templates, media types, or formats, and instead aim to clarify the desired outcomes from notices that tie in with the standards of valid consent under section 6 of the Act.
Any rules on consent managers should not just be limited to the existing Account Aggregator model and should create adequate space for a wide range of functionalities and business models to emerge and thrive.
Any rules on verifiable consent should take a proportionate approach, where the level of verifiability desired should be calibrated vis-à-vis the level of risk posed by the processing activity. Instead of defining specific methods, these rules should define minimum criteria. Any solution meeting these should be acceptable.
Any rules on personal data breach reporting should reflect the difference in intent and design vis-à-vis the extant regime for security incident reporting regime, and refrain from a one-size-fits-all approach. We offered the Singaporean Data Breach Reporting Regime as a useful case study from this perspective.

For any queries or concerns regarding this submission, please write to varun@nasscom.in and priyanshi@nasscom.in.

#DPDPA #data-protection #Public-Policy #IndianDataProtectionAct

Disclaimer

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.

Varun Sen Bahl

Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.

AI-driven vulnerability scanning: A...

Opcito Technologies

Cyber Security ..

17 Sep 2024

Suggestions to the RBI on the draft...

moncourt.ananya831

Public Policy

16 Sep 2024

Nasscom Public Policy Highlights | ...

moncourt.ananya831

Public Policy

12 Sep 2024

GST Update: Summary of decisions ta...

Tejasvi

Public Policy

10 Sep 2024

DPDP Bill vs. Global Laws: A Compar...

Sneha Sharma

Cyber Security ..

09 Sep 2024

How to choose the right vulnerabili...

Opcito Technologies

Cyber Security ..

09 Sep 2024

What are the Security Best Practice...

Kovair Software

Cyber Security ..

03 Sep 2024

nasscom’s Counter Comments on Telec...

Vertika Misra

Public Policy

02 Sep 2024

nasscom’s feedback on the Telecommu...

Vertika Misra

Public Policy

02 Sep 2024

Request for Inputs for Pre-Budget M...

Tejasvi

Public Policy

02 Sep 2024

DGFT issues draft Modalities for Pi...

Swapnil

100

Public Policy

01 Sep 2024

Nasscom's feedback to RBI on t...

moncourt.ananya831

Public Policy

30 Aug 2024

Nasscom Public Policy Highlights | Volume 6, Issue 8 | August 2024

Vertika Misra

@vertika@nasscom.in

08 Aug 2024

Public Policy Monthly Newsletters

Click Here if you are not able to view this mailer properly…

Post Budget Memorandum 2024-25

Tejasvi

@tejasvi

07 Aug 2024

Public Policy

Nasscom welcomes a growth-oriented Union Budget 2024-25 (Budget 2024) that lays a robust foundation for India's long-term growth, with a clear focus on job creation and skill development. It is particularly encouraging to see the continued emphasis…

Navigating the AI Horizon: Regulatory Considerations for Banking in India

moncourt.anan..

@moncourt.ananya831

07 Aug 2024

Public Policy

The banking sector in India has long been at the forefront of technological advancements, leveraging data and innovation to enhance customer experiences and streamline internal processes. In recent years, the emergence of Generative Artificial…

GST Update: GST Appellate Tribunal Benches notified

Tejasvi

@tejasvi

06 Aug 2024

Public Policy

The Ministry of Finance has issued a new notification dated 31 July 2024 superseding previous notifications to constitute the GST Appellate Tribunal (GSTAT) with effect from September 1, 2023. The Principal Bench of the GSTAT would be at New Delhi…

Call for Inputs: RBI's Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

moncourt.anan..

@moncourt.ananya831

02 Aug 2024

Public Policy

On July 31st 2024, The Reserve Bank of India (RBI) released a draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions”. Currently, there is a requirement for an Additional factor of authentication (AFA) for all…

Amendment to General Financial Rules, 2017

Swapnil

@swapnilyadavsy

31 Jul 2024

Public Policy

General Financial Rules (GFRs) are a compilation of rules and orders of Government of India to be followed by all while dealing with matters involving public finances. These rules and orders are treated as executive instructions to be observed by…

New

MEITY : nasscom representation on enabling a robust implementation of the DPDPA

Varun Sen Bahl

Varun Sen Bahl

Manager - Public Policy

Nasscom Public Policy Highlights | Volume 6, Issue 8 | August 2024

Vertika Misra

Post Budget Memorandum 2024-25

Tejasvi

Navigating the AI Horizon: Regulatory Considerations for Banking in India

moncourt.anan..

GST Update: GST Appellate Tribunal Benches notified

Tejasvi

Call for Inputs: RBI's Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

moncourt.anan..

Amendment to General Financial Rules, 2017

Swapnil

About Us

Knowledge Center

In the News

Topics In Demand

Notification

New

MEITY : nasscom representation on enabling a robust implementation of the DPDPA

Manager - Public Policy

Share this blog

Related blogs

Opcito Technologies

17 Sep 2024

moncourt.ananya831

16 Sep 2024

moncourt.ananya831

12 Sep 2024

Tejasvi

10 Sep 2024

Sneha Sharma

09 Sep 2024

Opcito Technologies

09 Sep 2024

Kovair Software

03 Sep 2024

Vertika Misra

02 Sep 2024

Vertika Misra

02 Sep 2024

Tejasvi

02 Sep 2024

Swapnil

01 Sep 2024

moncourt.ananya831

30 Aug 2024

About Us

Knowledge Center

In the News

Newsletter