Provide guidance on new data law: Nasscom

Organisations that have no experience with personal data protection will potentially need the most time to comply with the Digital Personal Data Protection Act (DPDPA), tech industry body Nasscom told the ministry of electronics and information technology (MeitY) on Friday.

Nasscom’s observation was part of a representation made to MeitY on enabling effective implementation of DPDPA. It sought clarification and guidance on the full scope of the Act.


The examples the industry body cited included government organisations, logistics companies, professionals, offline retailers, research institutes, schools, etc. These will be building compliance programmes from scratch, Nasscom said.

The tech body said there are many big and small organisations in India which will not have exposure to horizontally applicable foreign data protection laws (like the General Data Protection Regulation), but will have limited compliance programmes in place today (mainly to comply with the Sensitive Personal Data Information Rules or sectoral regulations).

Nasscom said these companies are in e-commerce, financial services, healthcare industries, etc. They will need to adapt compliance programmes to apply to all types of digital personal data and to account for new obligations (e.g., data principal rights), it added.

These entities will require more time than those with exposure to foreign data protection laws, it said.


Nasscom said clarity is required on certain matters under the DPDPA that are dealt with directly through notifications which are separate from the rules. The government notified the new Data Law in August and is likely to come up with detailed rules to operationalise it soon.

Nasscom also said that it is only after the rules are finalised, and these additional notifications are made clear, that organisations can estimate the time and resources required to establish and operate their DPDPA compliance programmes.

In addition, there is a need for guidance, over and above rules, to help organisations interpret with confidence the terms and concepts in the DPDPA that have no rule-making power attached to them, Nasscom said in its representation.

The idea, Nasscom said, is not to indirectly create new rules, redefine statutory provisions, or constrain the (Data Protection) Board or the Telecom Disputes Settlement and Appellate Tribunal, but to clarify how the central government is itself interpreting these sections, and identify best practices and international reference points that can be brought to the Indian context with confidence.

Nasscom sought guidance on defining the “purposes of employment”, “voluntary provision of personal data” ground, the meaning of “technical and organisational measures”, the concept of “security safeguards”, the meaning of “detrimental effect on the well-being of a child”, and the meaning of the term “erasure” under the Act.
