Mumbai: India’s Digital Personal Data Protection (DPDP) Bill, is expected to be implemented over the next six to eight months in a phased manner; hefty penalties have been imposed for breach of data. This Bill will have a positive impact on companies/platforms that use first party data, whereas players using or sharing third party data (Google cookies, publisher platforms) could see a negative impact; this could potentially mean that sourcing data may become an expensive proposition for programmatic companies like Affle, as they may need to invest in enhancing their own database (first party). This Bill mirrors UK’s GDPR (General Data Protection Regulation) in terms of the major norms mentioned therein. Internet platforms like Zomato, Nykaa, Paytm etc may have relatively lesser monthly active users (MAU’s) as compared to social/search giants like YouTube, Meta, however the former has a detailed understanding of their limited customer base, with more intelligence around their purchasing/consumption patterns; e-commerce giants like Amazon, Flipkart too will have a big edge due to data protection, as they can earn ad. revenue with the help of their first party data, which will help provide better monetisation and profitability over the medium term.

Long haul for implementation of the DPDP Bill (six to eight months)

The DPDP (Digital Personal Data Protection) act, which has been highly anticipated, has been in the works for the past four to five years. Numerous drafts have been exchanged and extensive input has been gathered from the industry stakeholders. Although the Bill is set to take effect on 11 August 2023, its actual implementation has not yet occurred. Currently, the sections have not been enforced, but there are plans to assign specific dates for the phased implementation of these sections.

The scope of its applicability extends to all forms of digitised or digital personal data. Notably, the act also holds extraterritorial jurisdiction. This means that all entities, including those located outside of India, that process data to offer data services within the country, will be obligated to adhere to the provisions of the act. The Bill is anticipated to bring about a positive impact. India is undergoing rapid digital transformation, and with such swift digitization, there's a substantial amount at risk. Considering the challenges posed by data leaks, the implementation of this law is crucial. It will establish a regulatory framework that offers a cleaner environment for the transmission and processing of personal data.

Substantial penalties for non compliance/data privacy breach

The entirety of the act's liability is placed upon the data fiduciary. The responsibility for implementing safeguards to ensure data protection also falls solely on the data fiduciary. Implementing the requirements should not pose a significant challenge for data fiduciaries, provided they approach it with seriousness and a willingness to comply. The Bill makes it obligatory to report breaches of the principles, regardless of whether the breach is categorized as a high-security breach or not. Entities will undoubtedly feel apprehensive about the substantial penalties, given their magnitude. Data fiduciaries have a responsibility to uphold reasonable security measures for personal data when processing such information. Failure to inform both the board and the principle in case of a data breach can lead to significant fines being imposed. Rather than waiting for the possibility of never being reported and taking on the associated risks, companies could proactively reach out to a wider customer base about the data leak. This approach would involve enhancing compliance efforts and demonstrating a commitment to addressing the issue.

Contents of the DPDP Act have been drawn heavily from EU’s GDPR

The Indian legislation has drawn significant inspiration from the EU's General Data Protection Regulation (GDPR) and is built upon its framework. The authorities have analysed the real-world challenges that arose with GDPR and incorporated those insights into the crafting of this Bill. The primary objective is to ensure the responsible processing of personal data and establish robust data privacy rights for individuals. Both regulations emphasize the handling of personal data through consent, although there are specific scenarios where consent might not be obligatory. The Government has skilfully navigated the task by avoiding excessive amendments and appropriately identifying areas of overlap with other laws.

Ad-tech players could face challenges in accessing third-party data

It is believed that targeted advertising technology companies operating in this domain and relying on third-party data for tailored advertisements will encounter additional challenges. Since they don't directly gather the data, using third-party data will demand heightened attention. Employing third-party data should make you more cautious, vigilant, and well-informed about the methods of data collection. Ensuring the integrity of the data used for crafting targeted advertisements becomes imperative to prevent any form of contamination. Well-established players involved in collecting, distributing, or selling data would undoubtedly need to swiftly adapt to the provisions of this new act. These programmatic ads. tech players could resort to either 1) Investing into their own database or 2) Recover the higher the costs from clients via higher pricing.

Broad based implementation - across small and large enterprises

Small businesses, lacking substantial resources to engage established players, are focusing on diligently ensuring proper compliance. They recognize that firsthand data collection is significantly preferable to relying on third-party data access. Bigger technology companies might be required to establish compliance requirements slightly ahead of smaller players and startups. The law takes a somewhat more lenient stance toward startups. It's anticipated that there will be a window of around six to ten months before full implementation is expected.

Safety of consumers/children an added benefit apart from privacy

Companies operating multiple businesses might find common ground internally, where data exchange occurs among their various segments or units by following proper compliance. This aspect should be regarded as a protective measure for sharing information securely. In the case of large tech giants, they will have to adhere to the supplementary data requirements. These companies heavily rely on technology, so many of the obligations are likely already integrated into their operations. The introduction of this regulation could bring about a positive impact, leading to an enhanced safety net. Regarding children's data, obtaining verifiable parental consent is a requisite. The act has established a mechanism for addressing grievances within its provisions. The composition of the board is explicitly outlined in the act.

The credit of this article goes to Elara Capital senior vice president- research analyst Karan Taurani.