As the government works with industry stakeholders to formulate detailed rules under the Digital Personal Data Protection (DPDP) Act, 2023, a new report showed on Wednesday that only 9 per cent of organisations in India obtain clear consent from data principals (individual users), revealing striking gaps in compliance with the new Act.
PwC India analysed the websites of 100 Indian enterprises for compliance with the DPDP Act and found that 41 per cent of them specify data principal rights (correction, access and erasure) in their website privacy policies.
However, only 9 per cent of organisations sought consent that was free, specific and informed, as per the report. About 90 per cent of organisations reviewed provide a privacy notice to data principals when collecting data through their websites. Since such a notice is the first step adopted by any organisation entering the digital world, the high level of compliance does not indicate the presence of a robust data privacy framework, the findings showed.
On the aspect of third-party transfers, 43 per cent of organisations were found lacking in providing a well-defined purpose for which personal data was shared with third-party data processors.
“For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but to also build customer confidence and overall stakeholder trust, apart from enhancing their global competitiveness,” said Sivarama Krishnan, Partner and Leader – Risk Consulting, PwC India and Leader, APAC Cybersecurity and Privacy, PwC.
Shifting the focus from ‘privacy as an Act requirement’ to ‘privacy by design’ can help India Inc. contribute significantly to the growing digital Bharat, he added.
Around 48 per cent of organisations surveyed provide the option to withdraw consent. However, the process of withdrawing consent is not as easy as providing it. Only 2 per cent of organisations obtain consent in multiple regional languages, said the report.
About 16 per cent of organisational websites display a cookie consent banner to users highlighting that their personal data will be collected and processed by the organisation. Nearly 33 per cent of organisations display a cookie notice informing users that the website they are navigating (or any third-party service used by the website) uses cookies.
About 41 per cent of organisations display the rights of data principals (erasure, access and correction) on their website along with the mechanisms to exercise them.
“While most organisations in the information technology, hospitality, consumer and pharma sectors and super apps have processes in place to honour data subject rights, they do not provide dedicated email addresses or online forms for support,” the report noted.
Around 74 per cent of organisations have listed contact details of a person or a team that can be contacted for queries around data processing. About 54 per cent of these organisations have proactively provided the contact details of their Data Protection Officer (DPO).
The report came as the government said last month that some entities may be given a year’s time to fine-tune their systems to comply with the Digital Personal Data Protection Act, 2023.
The Act will apply to the processing of digital personal data within India where such data is collected online, or collected offline and then digitised. It will also apply to such processing outside the country if it is for offering goods or services in India.