The DPDP Act and Managing Personal Data

About the New Act

The regulatory compliance landscape in India took a new turn after the official announcement of the Digital Personal Data Protection (DPDP) Act in August 2023. The new act adopts an improved and more advanced approach to data protection and data privacy, and it is bound to make an impact on industries as well. Whether it is leisure (the hospitality industry), finance, health, education or even official government work, this new law is going to entrust data fiduciaries in every industry with better data protection practices and enforce them.

After the announcement of the new Data Protection Bill, Microsoft Vice Chairperson and President Mr. Brad Smith said in a recent interview, “It was smart to focus on personal data and not all kinds of data. Everyone will now focus on what comes next, which is the implementing regulations and with all there are a lot of details to come.”

It is the extra emphasis on “strong protection” of personal data that is drawing the attention of global cybersecurity communities and leadership. Under the new law, a single breach or violation of the rules could push an organization towards a lawsuit of up to 250 crores. Here are some of the major highlights that the law expects every organization to follow diligently:

  • The DPDP Act, 2023, is strictly and mandatorily applicable to all personal data collected online or offline
  • The act offers a provision for voluntary undertaking when organizations fail to comply with its provisions
  • It imposes financial penalties of up to INR 250 crore per instance of non-compliance
  • It eases the rules for cross-border data transfers, which must be done with the knowledge of the Central Government
  • DPDP Act takes a holistic approach towards data protection without differentiating between personal data and highly sensitive personal data – hence, safeguarding all data at the same level

How does the DPDP Act impact different industries?

Healthcare Industry

The healthcare industry deals with a plethora of sensitive patient data that includes medical reports, treatment history and generic information such as name, contact information, address, social security number and so on. Now that the DPDP Act is effective, every organization in the healthcare industry must take consent from the patient before using, processing, accessing or storing their personal data for any official purpose. Medical service providers, hospitals and mobile medical units will all have to implement robust data encryption and secure access control to ensure the confidentiality of patient data.

So, what is the risk to the organization? Violation of the rules or mandates in the Act would result in –

  • Non-compliance penalties
  • Defamation of the organization's name/reputation
  • Show-cause notices or lawsuits from Government bodies (sometimes from the victim as well)

The benefits of the DPDP Act in the healthcare industry are –

  • Intense security of personal data
  • Privacy of patients’ digital identity
  • Secure data transfer during telemedical consultations
  • Data privacy even during cross-border data sharing (many people might opt for treatment outside India)
  • Worry-free digital empowerment of the patients

Hospitality Industry

Similarly, the hospitality industry, especially organizations that conduct package tours nationally or internationally, faces maximum impact and pressure in following the DPDP mandates. These organizations access detailed information about the traveler to book hotels, book flights, apply for visas, etc. As a result, the traveler's information is accessed multiple times in multiple places, which triggers security concerns. Moreover, hotel authorities also use and access personal details at check-in.

The DPDP Act helps every individual ensure that the privacy and security of their personal data is maintained, because the organization must take the traveler's consent before using their personal details. This stringency of the mandates helps in –

  • Maintaining security of the travelers’ personal data
  • Building secure paperless check-ins and reservations
  • Preventing repeated/ unnecessary access to travelers’ personal data
  • Keeping unwanted cross-selling and upselling of data in check
  • Experiencing worry-free digital practices (visa, passport, immigration, etc.)

Significance of Identity Access Management in complying with DPDP Act

As the DPDP Act demands more trust building, transparency and resilience in data management, a well-defined and strong Identity Access Management (IAM) practice will play a significant role in complying with the act. The number of digital identities is proliferating in every IT setup, and hence access challenges and access ambiguity mount day by day, leading to data privacy risks.

To enforce role-wise and time-wise access to critical systems and applications, organizations will have to reinforce their IAM framework so that it authenticates and authorizes every user before allowing critical access. Since the DPDP Act emphasizes strong data protection measures, a feature-rich IAM solution such as ARCON | Converged Identity Platform will be the perfect solution to manage the lifecycle of digital identities (both human and non-human) and thereby build a secure perimeter around every access and across every layer of IT infrastructure.

The Bottom Line:

As non-compliance risks mount in every industry, the announcement of the DPDP Act, 2023, is expected to enhance personal data security practices across the vertical markets.
