“The passage of the Digital Personal Data Protection Act (DPDPA) is a timely positive milestone for India, marking its commitment to protect personal data for the most populous country in the world, during India’s G20 Presidency, no less. MeitY’s consideration of industry feedback is especially noteworthy – the eventual DPDPA does not currently restrict the transfer of personal data out of India, a significant departure from earlier drafts which initially contained data localisation obligations,” Genie Gan, Head of Government Affairs & Public Policy, APAC & META, Kaspersky. “We are optimistic about the changes that the new DPDPA will bring, but hope to highlight the challenges that small businesses will face when the same standards are expected of them, despite having fewer manpower and financial resources. This is especially if they become identified as a Significant Data Fiduciary, which would require them to appoint a Data Protection Officer, conduct periodic data audits, and perform Data Protection Impact Assessments, among others.”
Challenges for Organizations in Complying with New Law
“Small businesses might see significant challenges in compliance if the same standards are expected of them, despite having fewer manpower and less financial resources. This is especially if they become identified as a Significant Data Fiduciary under section 10 of the Bill, which would require them to appoint a Data Protection Officer, conduct periodic data audits, and perform Data Protection Impact Assessments, among others. There could be a surge in demand for training services to upskill such Data Protection Officers, which the industry might not be prepared for – this is where online training courses for incident response and data protection could prove useful to fill the gap,” said Genie Gan, Kaspersky.
