The General Data Protection Regulation (GDPR) of the European Union has established a global standard for data protection laws, motivating other nations to enact comparable legislation. The adequacy decisions made by the European Commission played a pivotal role in determining whether a country’s data protection laws align with those of the EU, thus permitting seamless data transfers.
In this context, Chapter 4 of the DPDP Bill obliges the Indian government to notify the nations or territories outside India to which a data fiduciary may transfer personal data. The clause further indicates that the government will later notify the public of the terms and conditions under which such a transfer will be permitted. However, this presents several challenges for businesses operating in India.
Consistency is key
The challenge lies in creating a transfer mechanism that permits data mobility while maintaining a uniform standard of protection across various legal systems. Harmonising global data protection is a difficult problem because different nations and regions have established their own legislative requirements and cultural quirks.
Also, there has been a lot of criticism about the data localisation clause. Although the goal is to increase data security and safeguard the interests of Indian citizens, some claim that it may impede technological advancement and cross-border data flows. For international corporations, meeting localisation criteria may present difficulties and raise operating costs.
Impact on small businesses
The Bill’s prospective penalties and compliance requirements, according to its detractors, might unfairly harm new and small firms. Smaller businesses may be severely hampered in their ability to innovate and compete by the expense of putting data protection measures into place, conducting audits, and ensuring compliance with strict regulations. An organisation failing to follow the regulations can attract a fine of up to ₹250 crore.
To prevent new technologies and processes from making their privacy framework irrelevant and outdated, organisations and their executives must ensure that, as part of “business as usual”, they regularly analyse risks, monitor controls, and undertake upgrade programmes. They must also adhere to the rules and regulations stated in the latest data protection bill to avoid any fines. Finally, businesses will need to examine their current processes to uphold the rights of employees, customers, merchants, and vendors to access, amend, and delete their personal data.
Larger firms may already have compliance procedures in place, but small and medium-sized enterprises may encounter difficulties in adhering to these regulations. This is where security management firms will be essential in enabling organisations to successfully negotiate data protection rules. By offering expertise, they will help firms abide by data protection laws, locate and mitigate potential vulnerabilities, and avoid fines and reputational harm.
(The writer is MD of Netrika Consulting.)