Decoding the Digital Personal Data Protection Act, Part 2

Ever since India's Digital Personal Data Protection (DPDP) Act has been passed, businesses have been growing more apprehensive about understanding the provisions of the act and the potential repercussions of non-compliance. Any organization that collects and stores the personal data of Indian citizens will be significantly impacted. As compliance to the laws drafted in the act has now become a reality, it is high time for businesses to understand the provisions of the DPDP Act and how to meet its requirements.

In part one, we explored the DPDP Act, its provisions, and how it benefits the data subjects, i.e., the citizens of India. Read on to know more about the implications of the act on businesses and the consequences of non-compliance.

How does the DPDP Act affect businesses?

Imagine that a major financial institution has suffered a significant data breach. A bank, as we all know, stores a vast amount of customer data, including personal and financial information. Let's assume that the data breach has occurred due to inadequate data protection measures, resulting in theft of customer data. The following illustrates the consequences faced by the bank in this data breach case.

1. Data breach notification: As per legal obligations in the DPDP Act, the bank notifies both the Data Protection Board of India (DPBI) and the affected customers about the data breach promptly. However, if the bank fails to fulfil this obligation, the breach remains undisclosed.

2. Inadequate security measures: Once the DPBI gets wind of the breach, it investigates the breach incident and discover that the bank had not implemented adequate security measures to protect customer data.

3. Investigation: Upon further investigation into the bank's data processing practices, the DPBI uncovers additional violations, such as lack of proper consent practices, data retention policies, and failure to appoint a Data Protection Officer (DPO) as required for significant data fiduciaries.

4. Enforcement and penalties: The DPBI imposes penalties on the bank for its non-compliance with various provisions of the DPDP Act. As a result, the breach and the subsequent penalties cause reputational damage and loss of customer trust in the bank.

5. Remedial actions and compliance: Post the DPBI enforcement, the bank takes remedial measures to address the data breach and strengthen its data protection practices. It appoints a DPO and revise their consent mechanisms to align with the DPDP Act's requirements.

This scenario illustrates how businesses can face serious scrutiny and consequences for non-compliance with the DPDP Act, particularly in the event of a data breach.

It emphasizes the importance of implementing robust data protection measures, including deploying a SIEM solution like ManageEngine Log360, to promptly address breaches and align practices with the requirements of the legislation.

A data breach in itself can cause significant damage to an organization, including financial, legal, and reputational losses. Now, with the adoption of the act, the bank will face additional significant consequences, including hefty fines, that can erode consumer trust and damage long-term client relationships. This can result in enhanced scrutiny and monitoring from regulatory authorities to ensure ongoing compliance with the DPDP Act's provisions and data protection regulations.

What are the penalties drafted under the DPDP Act?

Under the DPDP Act, businesses can face penalties for non-compliance with the provisions of the act. Listed below are the violations and their penalties:

1. If a business fails to implement necessary security measures to prevent a data breach, it can be penalized with a fine of up to ₹250 crore.

2. If a business faces a data breach, but fails to notify the Data Protection Board and the affected data principals in a timely manner, it can be fined up to ₹200 crore.

3. If a business processes personal data of children and fails to fulfil additional obligations specific to the processing of such data, it can face a penalty of up to ₹200 crore.

4. If a business fails to fulfil the additional obligations specified for data fiduciaries as determined under the DPDP Act, it can result in a penalty of up to ₹150 crore.

5. If a business violates any other provisions of the act not covered by the specific penalties mentioned above, it can face penalties of up to ₹50 crore.

It is important to note that the Data Protection Board has the authority to determine the penalties and the actual amount of the fine based on various factors, including the severity of the violation, its impact on data subjects, and the measures taken to address the issue.

With the implementation of the DPDP Act, the Indian Ministry of Electronics and Information Technology aims to provide a framework for the protection and regulation of personal data in the digital sphere. While the DPDP Act will benefit the citizens of India, it will also help businesses operating in India to reassess their current data processing practices and prioritize the privacy rights of individuals.

By adhering to the obligations and provisions outlined in the act, businesses can enhance transparency, avoid scrutiny from regulatory boards, escape the hassles of financial and legal obligations, and thereby, build a trusted relationship with their customers.

Want to know more about the DPDP Act? Check out our minisite!