Are businesses ready for the personal data law? – Opinion News


By Srinath Sridharan and Nanaiah Kalengada

In an era of heightened privacy concerns, personal information is an invaluable asset. Yet, most individuals and institutions remain vulnerable to the misuse of the data that they are custodians of—at times, without their knowledge. Organisations must wake up to India’s pioneering data-protection law.

The Digital Personal Data Protection Bill will govern the handling of digital personal data, encompassing data collected online or offline and subsequently digitised. Its remit extends beyond Indian borders when processing occurs for the provision of goods or services within the country. The Bill outlines the expected compliance standards for data fiduciaries, the individuals or entities that collect and digitally process data, in relation to their data principals—the individuals to whom the data belongs.

With this law, businesses—big, medium or nano—face the daunting task of aligning their existing data policies and data stock with the law. The unambiguous delineation of responsibilities and penalties (up to Rs 250 crore) underscores this urgency. Yet, most businesses are oblivious to the challenges and to the implications of non-adherence, even when it is unintended.

Discovering the multitude of locations where personal data resides within an organisation is a daunting task. The sheer volume of data and the diversity of its sources and forms will complicate identification. Overlooking blind spots or dismissing locations that seem insignificant is dangerous—the law does not give any such allowance.

The existence of “dark data” and unstructured data will further exacerbate this. Inadvertent oversights and potential blind spots can leave organisations vulnerable to compliance lapses. Initial compliance preparation and ongoing adherence are distinct efforts, and both are demanding. Initiating compliance readiness involves evaluating the current status, identifying data locations, including dark data, and categorising personal data for nuanced protection. Strategic assessments of processes, systems, and applications become necessary. Organisations must navigate the challenge of retrofitting consent mechanisms into established workflows. The evaluation encompasses technological adaptations and procedural adjustments alike.

Striking a balance between regulatory requirements, cost of compliance, and operational efficiency is paramount, necessitating a meticulous examination of each process and system to ascertain the extent of modifications required. Something that most legacy entities are struggling with is designing their processes with a digital focus. Smarter organisations would use this exercise to redesign their entire business processes to be digitally-native and privacy-centric.

Categorising personal data emerges as a critical step in navigating this entire journey. By systematically classifying the types of personal data in their possession, businesses can delineate what requires increased protection. If certain personal data is not required for the purpose for which it is being requested, it is best not collected at all, so that the cost of maintaining the data is lower. The mindset of ‘let’s collect whatever data can be collected’ because ‘it might be useful someday’ needs to go. The challenge lies in creating a nuanced taxonomy that aligns with evolving regulatory standards and reflects the diverse nature of personal data. This is further complicated for businesses that must deal with data regulations across multiple countries.

Businesses utilising data will need to invest in contemporary software tools and review processes, conduct employee training and potentially hire data protection officers. Managing consent on a broad scale and adherence to data localisation norms adds another layer of complexity that businesses must navigate.

Addressing compliance readiness usually prompts queries—cost implications, time investments, requisite organisational structures, primary accountability, and governance protocols. Implementing the requisite technical measures to safeguard users’ data presents another layer of complexity. This involves addressing intricate aspects such as data security, classification, consent management, and establishing mechanisms for data portability and erasure. The cumulative effect is a multifaceted challenge for businesses seeking to align with the upcoming legislation, particularly for smaller entities with constrained resources.

Simultaneously, the impending legislation requires board-level considerations. Transparent communication and continuous updates are imperative. Boards must understand that only a balance between legal comprehension, operational adaptation, and strategic foresight will define their organisations’ resilience in the face of evolving data protection requirements.

The establishment of a regulatory body—the Data Protection Board of India—inevitably introduces a layer of clarity, prompting industries to evaluate the potential impacts on their existing frameworks. Questions regarding the regulatory authority, enforcement mechanisms, and the agility of businesses to adapt to evolving standards are key elements contributing to the industry’s reservations.

This law mandates that data fiduciaries adopt reasonable security precautions against breaches. However, it lacks clarity on the definition of “reasonable”. Considering the onerous penalties, we could see legal disputes, at least initially. Much of the debate will be on “breach” identification, and the burden of proof would be keenly contested. Precise proof of infractions, together with fairness and absolute independence in the regulatory body’s inquiries, will be needed to mitigate unwarranted legal challenges and to keep data predators at bay.

Srinath Sridharan and Nanaiah Kalengada are policy researcher and corporate advisor, and data-tech consultant, respectively.

X: @ssmumbai, @coorgteam1

Views are personal
