In the wake of the Indian government’s passage of the Digital Personal Data Protection (DPDP) Act 2023, a recent report by consulting firm EY highlights that nearly half of Indian organizations, spanning enterprises and startups, are grappling with a lack of requisite skill sets to effectively implement the DPDP Act 2023. The DPDP law transitioned into an Act after receiving the President’s assent on August 12; however, it has not yet come into full effect.
EY’s report, titled “The India Data Protection Readiness Report,” reveals that 32% of these organizations anticipate technical hurdles in implementing the DPDP Act, while a staggering 50% are still in the process of acquiring the necessary expertise, with many contemplating outsourcing data privacy responsibilities.
As per the report, only 36% of organizations currently have Data Protection Officers (DPOs) based in India. This dearth of local DPOs could hinder their capacity to manage consent and conform to the stipulations of the DPDP Act.
The report also highlighted additional challenges, including a widespread lack of awareness regarding regulatory guidelines, limitations in resources for achieving compliance, and a reluctance within organizations to embrace change. These challenges collectively pose significant obstacles to implementing the required changes within these organizations.
Another important finding was that for approximately 76% of the respondents, an organization’s commitment to data privacy and transparency would influence their purchasing decisions. This underscores a growing recognition among consumers regarding data privacy matters and their willingness to support companies that prioritize data protection. Considering these findings, companies must focus on transparency, privacy, and clear communication as they strive to build trust with their customer base.
Lalit Kalra, Cybersecurity Consulting Partner at EY India, underscored the significance of establishing a robust technological infrastructure to ensure data security and accountability. He emphasized the importance of cultivating a skilled workforce capable of comprehending the legal and ethical aspects of data processing and efficiently managing data breaches.
The DPDP Act is designed to set norms for the management of the personal data of Indian residents, requiring explicit consent from individuals whose data is collected and used. It also outlines practices for entities collecting personal data, specifying how the data should be stored and processed to prevent any breaches.
Another report, titled “Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC Analysis,” analyzed 100 companies and revealed that just 9% of organizations collected consent which can be considered free, specific and informed. In case of a breach, only 4% published a breach notification on their website.
The dearth of essential skill sets, coupled with challenges related to regulatory awareness, resource constraints, and organizational adaptability, underscore the pressing need for concerted efforts in preparing for the Act’s enforcement. Ultimately, a proactive approach in bolstering technological infrastructure, cultivating a skilled workforce, and adhering to compliance measures will be instrumental in ensuring the safeguarding of personal data and upholding the principles of the DPDP Act 2023.