 "Avg data breach cost hit Rs 19 cr in 2024; 16% Indians know privacy rights")
India saw the average cost of a data breach reach an all-time high of Rs 19.5 crore in the first half of 2024. However, a recent survey by PwC India found that only 16% of Indians were aware of their rights regarding personal data.
The PwC Survey on Data Privacy, which gathered responses from 3,233 consumers and 186 organisations, revealed significant gaps in understanding the Digital Personal Data Protection Act (DPDPA).
According to the report, consumers are worried about data breaches but only 16% of Indian consumers were aware of their rights under the DPDPA. The survey further pointed out that 56% of consumers were unaware of their rights related to personal data, and 69% did not know they could withdraw consent regarding the use of their data. Additionally, when it came to minors’ personal data, 72% of respondents were unaware that parental or guardian consent was required.
For businesses, the picture was similarly concerning. While 40% of organisations claimed to understand the act, only 9% had a comprehensive understanding. Despite these gaps, many organisations were not planning to invest in educating consumers about their data rights. Nearly half of the organisations surveyed had yet to begin implementing the DPDPA.
Key highlights
Only 16% of consumers in India were aware of their data privacy rights.
More From This Section
44% of consumers were willing to pay more for better data protection.
42% of consumers were unsure if they would continue using a service after a breach.
The average cost of a data breach in India reached Rs 19.5 crore in 2024.
Eroding consumer trust
The lack of awareness and slow uptake of privacy measures by companies was eroding consumer trust. According to the survey, 32% of consumers did not believe organisations took consent-related matters seriously. Moreover, 69% of respondents expressed concerns about the safety of their data with companies, with this figure rising to 37% in Tier-3 cities.
“The DPDP Act 2023 is crucial as India’s digital economy continues to grow. However, the reality on the ground is complex, with gaps in both digital and privacy literacy,” said Sivarama Krishnan, Partner & Leader at PwC India.
Krishnan also noted that businesses in sectors such as BFSI and pharmaceuticals were leading the way, with over 60% of organisations in these sectors recognising the need to build consumer trust around privacy. Yet, many businesses still lagged behind.
Consumers willing to pay more for data protection
Many consumers were willing to take action if their data was compromised. The survey revealed that 44% of respondents were willing to pay more for services if it ensured their data was protected. Additionally, 42% of consumers were uncertain about continuing to use a company’s services after a data breach. This uncertainty was even higher in Tier-1 cities, where 46% of consumers were unsure whether they would remain loyal post-breach.
“Despite efforts to raise awareness, there is a significant trust deficit among consumers when it comes to data handling by organisations,” said Anirban Sengupta, Leader and Partner at PwC India.
How did employees feel about data sharing?
Around 20% of employees expressed discomfort with the idea. Organisations, meanwhile, have been slow to address this issue, with 64% admitting they had no initiatives in place to reassure their own employees about data privacy.
This lack of awareness was particularly concerning for blue-collar workers, retirees, and homemakers, who were often less familiar with data privacy rights and the potential consequences of breaches.
While many businesses acknowledged the importance of the DPDPA, 80% of organisations expected challenges in complying with the act. Regulated sectors like BFSI and telecoms fared better, but the manufacturing sector struggled the most. Even though 52% of organisations planned to enhance security controls, many still lacked the necessary processes and skilled workforce to ensure compliance.
Data breach incidents rising
India saw several data breaches in 2024. In September, millions of personal records, including medical details of Star Health Insurance customers, were leaked online. A UK-based researcher first reported the breach, with claims that a hacker named xenZen had accessed the data.
In July, personal information of around 7.9 million customers from Mumbai-based stockbroking firm Angel One was leaked, exposing sensitive details such as bank account numbers. Earlier, in January, a massive breach exposed 750 million individuals' personal data, including Aadhaar information, with the data being sold by threat actors online.
Consequences of data breaches
The consequences of data breaches were severe. Saurabh Gupta, CEO of VeriSmart AI, explained, “Hackers use techniques like phishing and malware to steal personal data for malicious purposes.” These stolen details could be used for identity theft, financial fraud, and extortion.
Businesses also faced legal consequences and reputational damage. “Companies that fail to protect data may face penalties, and the damage to their reputation can be difficult to recover from,” Gangesh Varma, Principal Associate at Saraf and Partners told Business Standard.
Cost of data breaches
India saw the average cost of a data breach reach an all-time high of Rs 19.5 crore in the first half of 2024, according to a report by tech major IBM published in July. This marked a 9% increase from the previous year and a staggering 39% rise since 2020.
These costs were not just financial but extended to operational disruptions as well. Globally, 70% of breached organisations reported facing significant disruptions due to data breaches.
What rights does DPDPA give to consumers?
The Digital Personal Data Protection Act, 2023 (DPDPA) grants consumers several key rights regarding their personal data.
"Under the DPDPA, consumers, referred to as Data Principals, have five key rights that strengthen their control over personal data," said Akshayy S Nanda, Partner at Saraf and Partners.
He explains the five key rights:
Right to access information: This allows individuals to request details about the processing of their personal data, including what data is being processed, the purposes of processing, and a list of third parties with whom their data has been shared.
Right to correction: This right enables individuals to request the correction of inaccuracies or incomplete information in their personal data.
Right to erasure: Consumers can demand the deletion of their personal data if it is no longer necessary for the purposes for which it was collected, or if they have withdrawn consent.
Right of grievance redressal: This ensures that consumers can file complaints with companies and receive timely resolutions on privacy-related issues.
Right to nominate: Individuals can appoint someone to exercise their data protection rights on their behalf in case of death or incapacity.
"These rights collectively strengthen the protection and management of consumers' personal data under the DPDPA. Additionally, individuals have the right to receive privacy notices in simple and plain language, available in 23 Indian languages. These notices will outline the personal data being collected and the purposes of processing, enabling individuals to make a genuine choice on whether they consent to the processing of their data," he added.