Headlines of the Week
DPDP Rules Available for Public Consultation in a Month
The detailed rules for the Digital Personal Data Protection Act 2023 will be made available for public review within a month. Minister Ashwini Vaishnaw confirmed that the framework of the DPDP Act is now complete, including the workflow for filing complaints, taking up appeals and other details. Once the rules are notified, a public consultation period of about 45 days will follow, after which the Data Protection Board will be established. Notably, the DPDP Act completed its first year on August 12th.
Source: Moneycontrol
NBFC Account Aggregators Face Cyberthreat, Home Ministry Steps In
The Account Aggregator (AA) system is under threat from cybercriminals. Fraudsters have developed ways to access customer data and details of their bank accounts. Even large AAs like Perfios, Finvu, Cams Finserv and NeSL Asset Data Limited have shut down certain features, such as balance enquiries and customer profile details. ReBIT has put in place a strong technical framework for AAs to provide secure and consented data flows.
Source: Economic Times
US Sues TikTok over ‘Privacy Violations’ of Kids Under 13
The US Justice Department has sued TikTok and ByteDance, alleging a failure to protect children's privacy. The lawsuit alleges that TikTok collected user data from children under 13 years of age without parental consent. If the allegations are proved, the penalties can run into billions of dollars. Notably, children's consent is the primary reason for the delay in notification of the DPDP rules in India.
Source: Economic Times
Fintechs Should Work with Banks to Develop Regulatory-Compliant Solutions: Financial Services Secretary
Financial Services Secretary Vivek Joshi called for increased cooperation between banks and fintech firms, noting the need to create scalable, regulatory-compliant solutions. Addressing the FICCI-IBA PICUP Fintech Conference, Joshi highlighted the need for fintechs to focus on regulatory compliance, governance and cybersecurity. He also noted that innovation must not outpace the necessary safeguards, and that cybersecurity, data privacy, identity theft, digital financial fraud and financial literacy are other areas requiring attention.
Source: Economic Times
Insights of the Week
DPDP Compliance for B2B2C Companies
Read our blog to understand DPDP Act compliance for B2B2C companies. In a B2B2C model, a business offers its products and services to end customers through another business. Businesses in a B2B2C model can act as either Data Fiduciaries or Data Processors, depending on their control over the data processing activities, and compliance obligations rest primarily on Data Fiduciaries. Under the new regime, B2B2C companies must navigate complex roles and responsibilities, put in place clear agreements with partners that cover data breaches, and ensure transparency for end users.
Grounds for Processing Under the DPDP Act
Read our blog to understand the grounds for processing under the DPDP Act. The DPDP Act permits the processing of personal data for lawful purposes only. Under the new regime, consent is placed at the forefront of data processing activities: businesses are now required to give detailed consent notices and maintain verifiable records of consent. The law also provides certain exemptions where consent is not required for legitimate uses. Indian businesses must understand and comply with the grounds for processing, given the severe penalties of up to Rs. 250 Crore.
How will the Data Protection Act impact Telemarketing?
The DPDP Act, 2023 provides a framework for data protection in India. Despite existing TRAI and RBI regulations on Unsolicited Commercial Communication (UCC), telemarketing activities went unchecked due to regulatory loopholes and weak enforcement. The DPDP Act is the first authoritative Indian law to strictly prohibit telemarketing without user consent, and it holds businesses responsible for any non-compliant telemarketing activities. Penalties of up to ₹50 Crores may apply per instance of violation of the DPDP Act. Indian businesses are now required to obtain granular consent for telemarketing, provide valid notice for data collected before the DPDP Act came into force, and offer users rights over their data.
Compliance Tip of the Week
Provide for Consent Management
Companies should review their data maps to identify which processing activities rely on consent. The need of the hour is to implement a DPDP-compliant consent process across all touchpoints where personal data is collected. Indian businesses can simply plug in the Leegality Consent Manager to better manage end-user consents.
Institute Robust Access Controls and Employee Authentication Mechanisms to Limit Personal Data Access
Implement comprehensive training programs for employees and contractors on data protection and privacy. Integrate policy acknowledgment into employee onboarding and periodic training programs, and ensure these policies are easily accessible to all stakeholders, including employees, customers, and partners. Identify the key employees with whom personal data must be shared for an activity, and share users' personal data only with those employees identified as essential.
Explore Leegality Consent Manager
Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:
- Compliant consent notices across all customer touchpoints
- Storage of verifiable and auditable records of each consent
- Dashboard for customers to change consent preferences and exercise data rights
- Oversight over the data practices of your third parties