Data protection Act: Pace of compliance to remain slow in 2024


The Digital Personal Data Protection (DPDP) Act, which was passed by Parliament in August this year, will begin to be implemented next year once the government frames rules under it. While companies (also called data fiduciaries) across sectors are waiting for the rules to be discussed and subsequently notified, experts said that even after this process is over, compliance is expected to be slow.

This is because many companies are currently struggling to streamline their processes: managing the consent flow, implementing a system to notify users about the existing data the company holds and take consent accordingly, seeking clarity on the framework for managing children's data through verifiable parental consent, and defining a mechanism for dealing with data processors that hold personal data on behalf of companies, among other things.

“As of now, none of the sectors have gone live in terms of full compliance with the DPDP Act. In general, companies are confused on how to go about compliance as a lot of them are currently struggling in terms of taking consent for the existing data they are sitting on,” said Ashok Hariharan, CEO and co-founder of IDfy, an identity verification, biometric and risk assessment company.

“Based on our interactions with companies across sectors, the compliance of the DPDP Act will happen in two phases. In the first phase, the focus will be to at least get compliant with a consent-driven data management approach on new onboardings,” Hariharan said, adding that signs of DPDP Act implementation can be seen after March next year, once the rules are notified.

A recent report by PwC India showed that only nine out of the 100 companies surveyed currently seek free, specific and informed consent from users before collecting their data.

“The year 2024 will mark the start of the implementation of the DPDP Act. It will take 18-24 months for a complete rollout with its associated rules and regulations,” said Rishi Agrawal, CEO and co-founder of TeamLease RegTech, a compliance management software company.

Currently, sectors such as banking, financial services and insurance are seen in a slightly better position to respond to DPDP Act requirements as companies in these sectors have historically been following guidelines of the sectoral regulators.

According to Agrawal, digital native sectors such as e-commerce and enterprise software-as-a-service (SaaS) companies, foodtech and ride-hailing firms are also doing better in terms of readiness for compliance as they have also traditionally focused on data privacy. However, traditional manufacturing-based companies which have largely remained dependent on physical compliance processes will find it difficult to comply with the norms.

Anupam Shukla, partner at Pioneer Legal, said: “Larger companies are already working on ensuring compliance. The trickle-down to mid-tier and smaller companies will take some time.”

According to Shukla, social media companies, healthcare, insurance, finance and education are some of the sectors that can anticipate a heavy level of compliance, considering the quantum and type of data collected by these companies.

Even if banking, e-commerce and other sectors are seen at the forefront in terms of compliance, a difficult task for e-commerce and the majority of sectors will be how to identify children using their platforms and deal with their data accordingly based on verifiable consent.

With regard to compliance with age-gating provisions, public policy firm The Quantum Hub (TQH) has proposed that the government should allow diverse age assurance mechanisms to be used by platforms. “The age assurance mechanism in use should correspond to the nature of the data processed, purposes it is processed for, risks associated with it such that the chosen mechanism causes the least detrimental impact to the child in terms of access, equity and safety on the internet,” the policy group said in a note.

In the context of banking companies, the challenge will be to manage different consent journeys for different products and services, and to manage the third-party agencies that are part of customer onboarding for products such as loans and credit cards. For example, companies will have to define the purpose for which data will be used and take consent for that purpose. Without a governance platform that records consent per purpose, it will be difficult for companies to separate the customers who have consented to marketing messages from those who have not.

“We may see another 4-6 months within which companies will be expected to comply… DPDP Act compliance does not mean mere checking boxes,” said Ronodeep Dutta, counsel at AQUILAW, a full service law firm.

The Act also mandates that companies specify the time period for which they will retain the data collected. According to PwC, 54% of the organisations analysed, drawn predominantly from sectors such as fintech, e-commerce and information technology, and from other regulated sectors (banking, insurance and aviation), state the data retention period on their websites.
