“We welcome the Digital Data Protection Act 2023, which arrives at a crucial juncture characterised by the extensive accumulation and usage of personal data for various business purposes. This legislation represents a significant step towards protecting consumers’ personal data in the digital age. The Digital Data Protection Act 2023 will safeguard consumer rights, granting them the ability to exert control over their digital footprint, particularly on personal data collection and erasure if they choose to do so. At the same time, the new law will complement the Information Technology Act by holding businesses more accountable for their responsibilities related to digital data collection and for implementing proper cybersecurity measures to safeguard the data. Furthermore, we applaud the inclusion of a special provision to protect children, including the prohibition of harmful online practices targeting them. Our children are more vulnerable than adults and may be less aware of the cyber risks involved,” said Parvinder Walia, President for Asia Pacific and Japan, ESET.
Challenges for Organizations in Complying with New Law
“The government's announcement to introduce the new law within a 10-month timeframe is a good move as it allows businesses in India time to acclimatise to the forthcoming changes. As with any new laws, businesses will inevitably grapple with multiple intricacies to ensure they are fully compliant. One of the challenges lies in navigating the diverse processes businesses need to implement to gain comprehensive visibility into what personal data they hold, how they are processed and stored, and with whom such data is shared. Additionally, they will need to establish mechanisms for obtaining consumers' consent and adhere to protocols for removing or correcting personal data, should consumers wish to do so,” stated Parvinder Walia, ESET.
Parvinder further added, “An even more prominent challenge lies in data security as the act mandates businesses to take ‘reasonable security safeguards to prevent personal data breach’. Implementing a comprehensive data protection strategy can be a difficult task even for large enterprises. To achieve this, businesses should use proper security tools, such as data loss prevention, advanced endpoint security with an intrusion detection system, data encryption, and incident response solutions, among others. However, even if a business possesses the resources to deploy robust technical solutions, operational security can still be a potential weak point. It is crucial to formulate a strong security policy and conduct cybersecurity training that ensures employees are well-versed in data security practices. The good news is that laws pertaining to personal data protection are not new. Businesses in India can learn from how companies abroad comply with similar laws, such as the General Data Protection Regulation (GDPR) in the EU and the Personal Data Protection Act (PDPA) in Singapore, to name a few.”