The draft rules mention the process of suspending or cancelling the registration of a consent manager in case of repeated violations, but there is no mention of the penalties that were approved under the DPDP Act, 2023. The Act provides for a penalty of up to Rs 250 crore on data fiduciaries.

IndusLaw Partner Shreya Suri said that there was an anticipation of introducing thresholds for data breach reporting, where minor breaches could have had fewer compliance obligations. “However, the current draft treats all breaches uniformly, requiring the same level of reporting and notification to the Data Protection Board and affected data principals, without granting any discretion whatsoever to data fiduciaries. Additionally, while the rules outline certain considerations for reasonable security practices, the lack of detailed guidance leaves room for varied interpretations,” Suri said.

The draft rules, which have been published for public consultation, will be taken into consideration for making the final rules after February 18. The draft is available on the MyGov website for public comments.

Mayuran Palanisamy, Partner at Deloitte India, said the draft rules are quite detailed and give much-needed direction to businesses in India by expounding upon the compliance to be carried out by them, such as obligations and measures for Significant Data Fiduciaries, registration and obligations of Consent Managers, the establishment and functioning of the Data Protection Board, including specifics of data breach intimation to Data Principals and the Board, the process for Principals to exercise their rights, and timelines for Data Fiduciaries to respond to grievances. “We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms,” Palanisamy said.

Further, organizations will need to invest in both technical infrastructure and processes to meet the requirements effectively. This includes relooking at data collection practices, implementing consent management systems, establishing clear data lifecycle protocols and actually percolating these practices down to the implementation level, Palanisamy added.