Headlines of the Week
Government Cracking Down on PAN Access by Companies as DPDP Rollout Starts
The Indian Government is cracking down on unauthorized access to citizens’ personal data by fintech and consumer tech companies. The Union Government has reportedly called for a halt to practices that involve retrieving personal information. The move comes as the government prepares to implement the DPDP Act. The practice, while not a data leak, represented unauthorized access to the Income Tax Department’s backend systems managed by technology and service providers. While the crackdown may cause temporary disruptions, industry participants acknowledge it will standardise data protection practices ahead of DPDP Act implementation.
Source: Economic Times
Telcos Flag New Cybersecurity Rules
India’s telecommunications regulator has rolled out rules designed to protect the country’s critical infrastructure networks from cyberthreats. However, experts warn that the new guidelines have inadequate safeguards for users' fundamental privacy rights. India's new cybersecurity rules require telcos to report incidents within six hours, potentially increasing compliance costs and impacting mobile service prices. Ambiguity around "traffic data" and its storage duration raises privacy concerns, with experts citing discrepancies with global norms.
Source: Economic Times
Insight of the Week
India’s Data Breach Crisis Explained
Read our blog to understand India's data breach crisis. India has a serious problem with data breaches, with over 100 million records leaked in recent years, exposing sensitive information like Aadhaar numbers, financial details, and medical history. The DPDP Act aims to combat this with strict data protection laws and penalties up to ₹250 Crores for non-compliance with data breach prevention measures. A data breach under the DPDP Act includes unauthorized access, accidental disclosure, data loss, or alteration that compromises personal data. Organizations must adopt security measures such as encryption, data minimization, and regular audits to prevent breaches. Immediate breach notifications to both the Data Protection Board (DPB) and affected users are mandatory under the DPDP Act, with strict guidelines for content and timing. Third-party oversight is crucial under the DPDP Act: data processors must be contractually bound to the same security standards as the data fiduciaries.
Significant Stakes: DPDP Compliances for Large Enterprises
Read our blog to learn more about DPDP compliance for large enterprises. The DPDP Act 2023 introduces stringent data protection laws with penalties up to ₹250 Crore. Organizations processing sensitive data at scale, like banks or health tech companies, can be classified as Significant Data Fiduciaries (SDFs). SDFs face tougher compliance challenges, including appointing a Data Protection Officer, conducting annual DPIAs, and regular audits. The government's classification considers data volume, risk to individuals, and national impact. SDFs must build robust data governance, employ strong security measures, and maintain immaculate consent management. Continuous monitoring of regulatory changes and proactive compliance are crucial to avoid penalties.
Compliance Tip of the Week
Provide Explicit Consent Check-boxes
Businesses are advised to provide explicit consent check-boxes against the relevant purposes during data collection. This will help in better storage and retrieval of specific personal information.
Provide for Customer Portal
Indian businesses are required to provide a portal for customers to manage their consent. This portal shall also enable customers to make requests to exercise their rights with ease.
Explore Leegality Consent Manager
We are pleased to invite you to the Leegality Consent Manager Sandbox and extend access to it. Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:
- Compliant consent notices across all customer touchpoints
- Storage of verifiable and auditable records of each consent
- Dashboard for customers to change consent preferences and exercise data rights
- Oversight over the data practices of your third parties