Business Impact Assessment for DPDPA
Now that the Digital Personal Data Protection Act 2023 (DPDPA) is here in India, all organizations that either collect any form of personal data in India or provide goods and services to individuals in India need to be compliant with the new law. The Act has been passed, but detailed notifications are yet to be released and should happen in the next 3 months.
To understand their liability under the Act, organizations should first assess their status as a Data Fiduciary or Data Processor. They may even be a Significant Data Fiduciary with greater responsibilities.
A Data Inventory needs to be created, segregating data related to GDPR and data related to DPDPA. There is also a need to identify the different activity centers or Process Centers where the entity may hold a different status, such as being a Data Fiduciary in one instance and a Data Processor in another.
Considering the need to properly understand and assimilate the nuances of the Indian law in the midst of our current understanding of other laws like GDPR, we need to appoint and/or designate a DPO or a DPDPA Compliance Officer to ensure that the legal liability does not unknowingly hit the CEO.
If the CEO/Board feels that internal expertise in DPDPA is not adequate, it is better to invite a suitable external consultant to guide them.
Every organization that is likely to have some business relationship with the Indian public is likely to face the impact of this law, which could lead to heavy penalties.
In this context, FDPPI's "Leadership Initiative for DPDPA Consciousness" (LID), a top management awareness movement, needs to be explored by all potentially affected organizations.