Nasscom’s observation was part of a representation made to MeitY on enabling effective implementation of DPDPA. It sought clarification and guidance on the full scope of the Act.
The examples the industry body cited included government organisations, logistics companies, professionals, offline retailers, research institutes, schools, etc. These will be building compliance programmes from scratch, Nasscom said.
The tech body said there are many big and small organisations in India which will not have exposure to horizontally applicable foreign data protection laws (like the General Data Protection Regulation), but will have limited compliance programmes in place today (mainly to comply with the Sensitive Personal Data Information Rules or sectoral regulations).
Nasscom said these companies are in e-commerce, financial services, healthcare industries, etc. They will need to adapt compliance programmes to apply to all types of digital personal data and to account for new obligations (e.g., data principal rights), it added.
These entities will require more time than those with exposure to foreign data protection laws, it said.
Nasscom said clarity is required on certain matters under the DPDPA that are dealt with directly through notifications which are separate from the rules. The government notified the new Data Law in August and is likely to come up with detailed rules to operationalise it soon.
Nasscom also said that it is only after the rules are finalised, and these additional notifications are made clear, that organisations can estimate the time and resources required to establish and operate their DPDPA compliance programmes.
In addition, there is a need for guidance, over and above rules, to help organisations interpret terms and concepts in the DPDPA – that have no rule-making power attached to them – with confidence, Nasscom said in its representation.
The idea, Nasscom said, is not to indirectly create new rules, redefine statutory provisions, or constrain the (Data Protection) Board or the Telecom Disputes Settlement and Appellate Tribunal, but to clarify how the central government is itself interpreting these sections, and identify best practices and international reference points that can be brought to the Indian context with confidence.
Nasscom sought guidance on defining the “purposes of employment”, “voluntary provision of personal data” ground, the meaning of “technical and organisational measures”, the concept of “security safeguards”, the meaning of “detrimental effect on the well-being of a child”, and the meaning of the term “erasure” under the Act.