Complying with DPDP 2023

By Diwakar Dayal

Since 2017, India has worked on developing its own laws on the right to privacy. The Digital Personal Data Protection Act 2023, India’s version of Europe’s GDPR, gives Indian citizens the right to protect their own data. In August of this year, both the lower and upper houses of the Parliament of India passed the bill. On August 11, the President of India gave assent to the bill, which makes it officially the Digital Personal Data Protection Act, 2023.

This act, which will be in force once the Indian government publishes a notification in the Official Gazette, is a landmark piece of legislation that gives Indian citizens rights to privacy similar to those enjoyed by European residents.

Like other data privacy laws, DPDP 2023 places a number of demands on organisations that they must meet in order to collect and process data. Companies must be aware of these new requirements or risk onerous penalties and breaking trust with their customers.

Recognizing a Personal Data Breach

DPDP 2023 does more than just protect the way data is used. It also places high expectations on companies to protect the data from threat actors.

DPDP 2023 clearly defines a personal data breach. Any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data counts as a personal data breach.

Data Breach Reporting

The bill requires organisations to report any personal data breaches to the Data Protection Authority within 72 hours of awareness. This fast turnaround time will put significant pressure on the CISO and security teams to identify breaches, the nature of the incursion, and the volume of data that has been exfiltrated from the system.

Complying with this demanding timeframe will require organisations to invest in advanced cybersecurity solutions. The shortage of cybersecurity professionals adds to the pressure faced by these organisations. They will need to deploy automated solutions that can handle rapid breach detection, investigation, and reporting. Artificial intelligence (AI) based solutions are ideal in this situation, as they are capable of high-speed monitoring and detection.

The Cost of Breaches

The legislation created multiple layers of financial penalties for organisations that fail to comply with DPDP 2023. Failure to notify the board or the data principal about a breach can lead to fines that are as high as Rs. 200 crores. Companies that don’t fulfil their obligations related to children’s data will also find themselves facing penalties as high as Rs. 200 crores. Organisations that don’t take reasonable security safeguards to prevent personal data breaches can be fined up to 4% of worldwide turnover or Rs. 250 crores.

In addition to financial penalties, companies that fail to protect their customer data will find themselves on the wrong side of the headlines. These breaches can be devastating to organisations, as they break public trust with customers and partners. Rebuilding that trust is costly and can take years to do fully.

Strengthening a company’s security posture is crucial to avoid repercussions. Any company that wants to steer clear of risk should upgrade its existing legacy cybersecurity solutions and move toward AI and autonomous cybersecurity solutions.

A Better Day for Indian Privacy

When DPDP 2023 goes into effect, Indian citizens can expect improvements in their security. Organisations must start preparing their cybersecurity efforts so that they are compliant not only in how they manage and handle customer data, but also in how they secure it. With today’s shortage of cybersecurity professionals, advanced, automated solutions that rely on artificial intelligence will be required to get the job done.

(The author is Managing Director & Country Manager at SentinelOne, and the views expressed in this article are his own)