A year after the passage of India’s privacy regulation, the Digital Personal Data Protection (DPDP) Act, citizens perceive the data practices followed by corporates in India as problematic.
In a recent survey conducted jointly by CII and Protiviti, 61 per cent of the respondents felt that companies in India were taking part in activities such as excessive data collection and secondary processing without consent, which are not in line with the DPDP Act and are considered problematic from a user privacy point of view.
Further, according to the report, around 82 per cent of the mid, senior, and entry-level employees who participated also said that they perceived companies in India to be less transparent or not transparent at all about the use, processing, and sharing of personal data.
Sandeep Gupta, managing director, Protiviti—the joint research firm for the report—in an interaction with Business Standard, attributed the lack of transparency around data processing to the delayed notification of detailed rules for the DPDP Act, 2023.
“The survey covers a wide spectrum of industries and typically clients or organisations, and I would say organisations are waiting for the rules to be enacted. Otherwise, traditionally, India has been doing business in a particular way, and privacy laws were not taken for granted. Now with this Act coming in, the rules getting formed, I think the transparency levels will go up,” said Gupta, managing director, Protiviti India member firm.
The survey gathered responses from over 240 organisations across various industries in India, encompassing senior management, middle management, and operational staff.
On a positive note, it said that around 56 per cent of the participants were confident in the efficacy of the DPDP Act, 2023 to address privacy risks.
On data breaches, the study found that more than half of the organisations (52 per cent) were victims of a data breach in the last five years.
Among key concerns, consent and data principal access request management, visibility of personal data, data retention and disposal, breach response, and cross-border transfer of data were some of the main issues that participants identified.
On cross-border transfer of data, which was one of the main issues during the DPDP consultations, Protiviti experts said that firms, especially in the IT and technology domain, were complying with the requirement of the DPDP Act through legal arrangements, while others were still waiting for some clarity from the rules.
“What we are seeing is a good 35 per cent of the organisations are enforcing the cross-border transfer-related requirements normally through legal agreements with the customer because it is driven by the customer, while a lot of organisations which are India-based, currently they are looking towards localising the information itself,” said Vaibhav Koul, managing director, Cyber Security & Privacy, Protiviti.
The report also highlighted that more than 50 per cent of the organisations in India were investing in a privacy programme because of the regulatory and contractual requirements.
Further, large organisations (above Rs 1,000 crore in revenues) were investing more in privacy setups than smaller ones with revenues below Rs 1,000 crore.
It said that around 37 per cent of the large organisations had a dedicated data privacy office to comply with the requirements under the DPDP Act, whereas a mere 11 per cent of smaller organisations had such a mechanism.
“These organisations are sitting on the fence and might take cognisance once the full rules are there and it’s in play. As of now, they have not allocated those budgets. Otherwise, and typically, I think the investments should go up,” Gupta explained.
First Published: Aug 30 2024 | 8:43 PM IST