During its representation to the government, Nasscom, the leading industry body in the sector, suggested that the Ministry of Electronics and Information Technology need to consider different deadlines for compliance with the upcoming rules on data protection and protection of personal information.
As a result of discussions with the industry, Nasscom stated that organizations that do not have any prior experience with data security, including governments, logistics companies, professionals, offline retailers, research institutes, and schools, would need to start from scratch if they wish to implement a compliance program. These will be the most time-consuming and time-consuming tasks as they will be the most necessary.
According to industry organizations NASSCOM and the Data Security Council of India (DSCI), there needs to be a minimum compliance period of 24 months from the date of notification of any obligation, standard, code of practice or rule.
As part of their submissions to the Joint Parliamentary Committee on the Personal Data Protection Bill, both organizations pointed out that such a period will be required.
It was reported that Nasscom has partnered with companies in the e-commerce, financial, healthcare, and other industry sectors. The report explained that the compliance programmes would need to be adapted to account for the new obligations (e.g., rights as to personal data) that will apply to all types of digital personal data.
As the Ministry of Electronics and Information Technology (MeitY) said on Friday, it is likely that organisations without any experience in privacy-related legislation, such as the Digital Personal Data Protection Act (DPDPA), will have the most difficulty complying with the new law.
The observation made by Nasscom came as a part of a representation made to MeitY describing how the DPDPA can be effectively implemented. There were questions about the full scope of the Act, and the agency requested clarification and guidance on it.
The Data Protection Authority (DPA) will also need to be formed within a set period that must also be defined in the legislation. There must be additional time given to those companies that are handling the data of foreign nationals so that they may renegotiate their international contracts when the bill is passed. To clarify the extent to which the proposal could be applied extraterritorially, examples must be provided.
A very important aspect of the Indian regulatory landscape is NASSCOM, one of the key industry groups. A data protection body called the DSCI has been set up in India to focus on the protection of data.
Ashwini Vaishnaw, the IT minister of India, has recently stated that the government does not intend to allow companies to comply with the Act within 12-18 months. Is it reasonable to expect the protection of personal data to take so much time? Since the introduction of the GDPR and the Singapore Data Protection Act, the entire industry is already accustomed to it as a result of [the European Union’s] GDPR and others. In effect, since they were enacted,” he said.
He also mentioned that regarding the 25 sets of rules to be adopted to implement the DPDP Act, they would be released in one shot and everyone would be notified at the same time.
Vaishnaw had also commented that the draft rules would be made public for 45 days for public consultation.
In their request, Nasscom pointed out that generally, 30 days are allotted for the public to comment on each set of rules. As a result, Nasscom requested MeitY to give a period that is sufficiently long for the public to comment.
The idea, as mentioned by Nasscom, is not merely to indirectly create new rules, but rather to provide comprehensive clarification on how the central government is interpreting these sections. This clarification aims to identify the best practices and international reference points that can confidently be applied to the Indian context.
By doing so, it will not only avoid redefining statutory provisions or constraining the (Data Protection) Board or the Telecom Disputes Settlement and Appellate Tribunal, but also ensure that the interpretation of key terms and concepts, such as “purposes of employment”, “voluntary provision of personal data”, “technical and organisational measures”, “security safeguards”, “detrimental effect on the well-being of a child”, and “erasure” under the Act, are clearly defined and understood. This guidance will enable stakeholders to navigate the complexities of data protection with greater clarity and confidence.