Only 9 per cent of Indian organisations collect consent that can be considered free, specific, and informed from the users who visit their websites, according to a report by PwC India released on Wednesday. In most cases, the report said, consent was collected in a bundled form, wherein a single consent is obtained for multiple purposes.
The report, titled "Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC Analysis," was based on an analysis of the websites of 100 companies. PwC India further stated that 48 per cent of organisations in India provide the option to withdraw consent. "However, the process of withdrawing consent is not as easy as providing it," the report noted.
Moreover, only 2 per cent of organisations obtain consent in multiple regional languages.
On the subject of third-party transfers, 43 per cent of organisations were found to be lacking in providing a well-defined purpose for which personal data was shared with third-party data processors.
The Digital Personal Data Protection Act (DPDP Act) has recommended the appointment of a data protection officer (DPO) by companies. The DPO will oversee the data protection strategy and implementation to ensure compliance with regulatory requirements.
The PwC report found that around 74 per cent of organisations have listed contact details of a person or a team that can be contacted for queries around data processing. Of these, 54 per cent have "proactively" provided the contact details of their DPO.
"These organisations are likely to have a privacy framework in place, and they may have a head start in their compliance journey with the DPDP Act," the report said.
Seventeen per cent of the 100 organisations have listed the email IDs of customer care or other functions for queries with respect to data protection. Although these organisations may have customised their privacy notices, they do not have a supporting framework in place, PwC said.
Furthermore, the report indicated that only 4 per cent of Indian organisations analysed have proactively published a breach notification mechanism on their website.
"Organisations from the information technology and FinTech sectors were found to have breach notifications in place as they have a presence in countries with stringent data privacy laws and are already compliant with them," the report added.
"The impact of the DPDP Act 2023 will be all-pervasive and considerably far-reaching for us as individuals, for businesses, and for the overall economy. For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but also to build customer confidence and overall stakeholder trust, apart from enhancing their global competitiveness," said Sivarama Krishnan, partner and leader of Risk Consulting at PwC India and leader of APAC Cybersecurity and Privacy at PwC.
"Shifting the focus from 'privacy as an Act requirement' to 'privacy by design' can help India Inc. contribute significantly to the growing digital Bharat," he concluded.