 "Personal Data Protection Bill")
A report has shed light on the compliance of Indian enterprises with the Digital Personal Data Protection (DPDP) Act, 2023. After analysing 100 websites, the study found that 41 per cent of the websites reviewed specified data principal rights, such as correction, access, and erasure, in their online privacy policies.
The report, titled “Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC Analysis,” revealed that a mere 9 per cent of organisations obtained consent in a manner that was free, specific, and informed. While 48 per cent of the organisations gave an option to retract consent, the procedure to do so was not as straightforward as giving it.
Furthermore, only 2 out of the 100 analysed websites provided consent in multiple regional languages.
Sivarama Krishnan, Partner and Leader - Risk Consulting, PwC India and Leader, APAC Cybersecurity and Privacy, PwC, commented, "The DPDP Act 2023 will have a profound and widespread impact on individuals, businesses, and the broader economy. Emphasising 'privacy by design' can significantly boost the growth of the digital India initiative. The Act is progressive and flexible, adapting to evolving times without undue complexities. Organisations investing in compliance now will reap benefits in the upcoming years."
The PwC analysis highlighted that organisations handling children's data show a lack of adherence to the privacy act. Only one in ten schools offer a child-specific privacy notice and conduct age verifications. Moreover, many digital service providers fail to deliver age-appropriate notifications in a clear, visual format and often do not gather age data, a critical criterion, from their users.
The findings also indicated that 90 per cent of the organisations under scrutiny have a privacy notice for data principals on their websites. However, when it comes to third-party transfers, 43 per cent did not adequately define the purpose of sharing personal data with third-party data processors.
In terms of appointing Data Protection Officers (DPO) – a key provision of the DPDP Act – 74 out of 100 companies have provided contact information for data processing queries. Out of these, 54 per cent have specifically listed the contact details of their DPO.
