DPDP Rules must clarify consent mechanisms and data breach reporting, ET LegalWorld
The Digital Personal Data Protection rules are set to be released at the end of the month.
The DPDP Act provided for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. “Although the Digital Personal Data Protection (DPDP) Act was enacted in August 2023, its implementation remains stalled due to the absence of supporting rules,” said Navaneeta Kanjilal, Independent Legal Consultant.
The “Board” means the Data Protection Board of India established by the Central Government under section 18. The Act gives it substantial powers, such as registration of the Consent Manager.
“The forthcoming rules are expected to address several crucial aspects, such as procedures for lodging complaints with the Data Protection Board of India (DPBI), protocols for reporting personal data breaches to both data principals and the DPBI, operational guidelines for consent managers, and criteria for designating entities as Significant Data Fiduciaries,” Navaneeta added.
Need for clarification
“First, clarification is required on the implementation of the consent mechanism for organizations,” said Rashmi Deshpande, Founder, Fountainhead Legal.
The DPDP introduces a new paradigm for consent management in India.
It mandates that organizations, known as Data Fiduciaries, must obtain explicit, informed, and unambiguous consent from individuals (Data Principals) before processing their personal data. “This includes details to be provided in the notice and the role and obligations of the Consent Manager. Further, the rules need to define the criteria for designating a data fiduciary as a ‘Significant Data Fiduciary’ to help organizations understand their compliance obligations,” said Rashmi Deshpande.
“The DPDP Act mandates that data fiduciaries report any data breach to the Board and the affected data principal in a manner to be prescribed. The rules must outline the specific process, timelines, and requirements for such reporting,” said Rashmi Deshpande, Founder, Fountainhead Legal.
Ekta Rai, Advocate, Delhi High Court, highlights three key areas where clarity is crucial. First, the consent framework—how users can provide, track, and withdraw their consent—needs robust mechanisms to prevent misuse.
The release of the Digital Personal Data Protection (DPDP) rules is highly anticipated.
These rules are expected to address critical aspects like consent mechanisms, data breach reporting, and the role of consent managers.
While the DPDP Act provides a strong foundation, clear guidelines are essential for organizations to navigate the complex landscape of data privacy and protection in India.