Decoding the Digital Personal Data Protection Bill, Part 2

Ever since India's Digital Personal Data Protection (DPDP) Bill has been passed, businesses have been growing more apprehensive about understanding the provisions of the bill and the potential repercussions of non-compliance. Any organization that collects and stores the personal data of Indian citizens will be significantly impacted. As compliance to the laws drafted in the bill has now become a reality, it is high time for businesses to understand the provisions of the DPDP Bill and how to meet its requirements.

In part one, we explored the DPDP Bill, its provisions, and how it benefits the data subjects, i.e., the citizens of India. Read on to know more about the implications of the bill on businesses and the consequences of non-compliance.

How does the DPDP Bill affect businesses?

Imagine that a major financial institution has suffered a significant data breach. A bank, as we all know, stores a vast amount of customer data, including personal and financial information. Let's assume that the data breach has occurred due to inadequate data protection measures, resulting in theft of customer data. The following illustrates the consequences faced by the bank in this data breach case.

1. Data breach notification: As per legal obligations in the DPDP Bill, the bank notifies both the Data Protection Board of India (DPBI) and the affected customers about the data breach promptly. However, if the bank fails to fulfil this obligation, the breach remains undisclosed.

2. Inadequate security measures: Once the DPBI gets wind of the breach, it investigates the breach incident and discover that the bank had not implemented adequate security measures to protect customer data.

3. Investigation: Upon further investigation into the bank's data processing practices, the DPBI uncovers additional violations, such as lack of proper consent practices, data retention policies, and failure to appoint a Data Protection Officer (DPO) as required for significant data fiduciaries.

4. Enforcement and penalties: The DPBI imposes penalties on the bank for its non-compliance with various provisions of the DPDP Bill. As a result, the breach and the subsequent penalties cause reputational damage and loss of customer trust in the bank.

5. Remedial actions and compliance: Post the DPBI enforcement, the bank takes remedial measures to address the data breach and strengthen its data protection practices. It appoints a DPO and revise their consent mechanisms to align with the DPDP Bill's requirements.

This scenario illustrates how businesses can face serious scrutiny and consequences for non-compliance with the DPDP Bill, particularly in the event of a data breach.

It emphasizes the importance of implementing robust data protection measures, including deploying a SIEM solution like ManageEngine Log360, to promptly address breaches and align practices with the requirements of the legislation.

A data breach in itself can cause significant damage to an organization, including financial, legal, and reputational losses. Now, with the adoption of the bill, the bank will face additional significant consequences, including hefty fines, that can erode consumer trust and damage long-term client relationships. This can result in enhanced scrutiny and monitoring from regulatory authorities to ensure ongoing compliance with the DPDP Bill's provisions and data protection regulations.

What are the penalties drafted under the DPDP Bill?

Under the DPDP Bill, businesses can face penalties for non-compliance with the provisions of the bill. Listed below are the violations and their penalties:

1. If a business fails to implement necessary security measures to prevent a data breach, it can be penalized with a fine of up to ₹250 crore.

2. If a business faces a data breach, but fails to notify the Data Protection Board and the affected data principals in a timely manner, it can be fined up to ₹200 crore.

3. If a business processes personal data of children and fails to fulfil additional obligations specific to the processing of such data, it can face a penalty of up to ₹200 crore.

4. If a business fails to fulfil the additional obligations specified for data fiduciaries as determined under the DPDP Bill, it can result in a penalty of up to ₹150 crore.

5. If a business violates any other provisions of the bill not covered by the specific penalties mentioned above, it can face penalties of up to ₹50 crore.

It is important to note that the Data Protection Board has the authority to determine the penalties and the actual amount of the fine based on various factors, including the severity of the violation, its impact on data subjects, and the measures taken to address the issue.

With the implementation of the DPDP Bill, the Indian Ministry of Electronics and Information Technology aims to provide a framework for the protection and regulation of personal data in the digital sphere. While the DPDP Bill will benefit the citizens of India, it will also help businesses operating in India to reassess their current data processing practices and prioritize the privacy rights of individuals.

By adhering to the obligations and provisions outlined in the bill, businesses can enhance transparency, avoid scrutiny from regulatory boards, escape the hassles of financial and legal obligations, and thereby, build a trusted relationship with their customers.

Want to know more about the DPDP Bill? Check out our minisite and register for our upcoming webinar on 24 August 2023 at 11am IST!