New data privacy act puts Indian companies on high alert

Posted on by

Most enterprises continue to struggle to implement consent-management frameworks that ensure consent is freely given, specific, informed, unconditional, and unambiguous, as mandated by the Act. The ability to allow consent management, including withdrawal and changes in consent, may also require significant technology changes. “Consent management is big hurdle. Sectors like e-commerce are adopting granular consent tools, but traditional industries still use broad, non-compliant policies,” said Amit Jaju, senior managing director at Ankura Consulting Group (India).

While the new rules are rooted in protecting citizens’ digital rights, the responsibility for enforcement lies heavily with enterprises. Organizations will have to overhaul their data handling practices.

Another critical obligation under the draft rules will be mandatory reporting of personal data breaches within 72 hours to the Data Protection Board, along with immediate notification to affected individuals. Breach response readiness is low: only 4% of firms have proactive notification systems, said Jaju.