Jenil Jain,
Lala Lajpat Rai College of Law
Introduction
With the rise of digital businesses and startups in India, the Digital Personal Data Protection Act, 2023 plays an important role in the legal framework governing such businesses. Every startup dealing with personal data must understand the implications of this Act. The Digital Personal Data Protection Act brings strict compliance requirements to streamline user privacy across India.
The primary objective of this Act is to establish the legal framework for the processing and protection of personal data. The Act opens a window of business strategy for startups to foster deeper trust with their clients and customers. It offers a unique opportunity for tech corporations, fintech companies and e-commerce platforms to strategically align their operations with data privacy laws.
The Digital Personal Data Protection Act, 2023 applies to the processing of digital personal data within the territory of India where such personal data is collected in digital form or through offline form. However, this Act also applies to the collection of digital personal data outside the territory of India, if such processing is in connection with any activity of offering goods and services to any data principal within the territory of India. The Digital Personal Data Protection Act safeguards not only Indian citizens but also people living outside India who provide personal data to any person in India. Any person who wants to process data shall first obtain the consent of the person whose personal data is being extracted for any use. Such consent shall be free, specific, informed and unconditional, and shall form an agreement between them stating that the processing of such personal data is for a specific purpose and that it is necessary to process the personal data for that purpose.[i]
Duties of startups
Startups shall implement appropriate technical and organisational measures to ensure effective compliance with the provisions of, and rules made under, the DPDP Act. Startups shall protect the personal data in their possession by taking reasonable security safeguards to prevent a personal data breach.
In the event of any personal data breach, startups shall give the Board and any affected individual notice of the breach in such form and manner as may be prescribed by law.[ii]
Any fintech companies, tech corporations, e-commerce platforms or other startups involved in the business of collecting personal data from customers that is large in volume and sensitive shall appoint a Data Protection Officer. The Data Protection Officer shall be from India and be responsible to the board of directors and governing body of the startup. The Data Protection Officer shall be the point of contact for any grievance under this Act.
Such startups shall also appoint an Independent Data Auditor to carry out a data audit of the startup and check whether it is handling compliance in accordance with the provisions of this Act.[iii]
Startups shall publish, in the manner as may be prescribed, the name of the data processing officer, or of a person who is able to answer on behalf of the startup any questions raised by an individual about the processing of personal data. Startups shall also establish an effective redressal mechanism for grievances from customers.
Challenges for startups
Unlike large companies, startups have limited resources in terms of finance, expertise and staff to invest in legal compliance. A startup at the initial stage of business may face many challenges under the legal framework of data privacy law.
Financial Burden: As many startups do not have much financial freedom or large budgets, it might be very costly for them to invest in legal compliance for implementing the DPDP Act, which may require advanced technology for encrypting data and keeping it safe, breach detection systems, data storage systems, etc., all of which will increase the startup's costs.
Human resources: Many startups do not have an in-house legal team at the initial stage of business; however, to comply with the DPDP Act they will have to build an in-house legal team to see that all necessary steps are being taken to safeguard personal data.
Data Audit: A startup may be required to conduct a data audit of the personal data being processed. This may require large funds, which will increase the startup's compliance cost, and technical expertise which a startup may lack.
Data Processing: Startups shall appoint a data processor to process personal data. The Act also restricts businesses to extracting only such data as is completely necessary for the purpose. Excess data extraction is not allowed, which will restrict startups from gaining more information from their customers for marketing purposes, as most startups rely on surveys and data extraction to target the right audience.
Data Storage and Security: Startups will be required to store personal data, and such storage might be costly for startups that must purchase encryption software. Stored data must be kept safe, and any breach of its safety will cost startups dearly in hefty penalties and legal compliance.
Third Party breach: In the initial stage, startups generally outsource their work to a third party; however, startups shall take necessary steps against any third-party breach of such personal data. Startups shall ensure that the third party is also taking all necessary steps towards safeguarding the personal data.
Consent Management: Startups now need to obtain clear and specific consent from users to process their data. This means revising existing consent forms, privacy policies, and ensuring users understand how their data will be handled. Managing this consent effectively, especially for startups offering digital services with a large number of users, can be both complex and time-consuming.[iv]
Grievance redressal: The Digital Personal Data Protection Act gives individuals who have given consent to the extraction of their data the right to obtain a summary of the personal data being processed by the startup, the identities of all the persons or companies with whom such personal data has been shared, and any other information such a person may require from the startup.
International Data Transfer Restriction: For startups which deal with international clients, the DPDP Act may impose restrictions on cross-border data transactions. The law mandates that personal data should only be transferred to countries approved by the Indian government. This could disrupt business operations, especially for startups relying on global cloud services or those with international operations.
Non-Compliance penalties: Startups will face hefty penalties for any non-compliance with, or breach of, any provision of the DPDP Act. These hefty penalties will place an unnecessary burden on startups. The following can be the penalties for the breaches listed:
1. For breach in observing the obligation of startups to take responsible care and security safeguards to prevent a personal data breach, the penalty may extend to Rs. 250 Crore.
2. For breach in observing the obligation to give the Board or any affected person notice of a personal data breach, the penalty may extend to Rs. 50 Crore.
3. For breach of any of the provisions of the DPDP Act or the rules made thereunder, the penalty may extend to Rs. 50 Crore.[v]
Reputational damage: In the event of any breach of the provisions of the rules and regulations under the DPDP Act, the startup may face great reputational damage in the market, which will affect its business, reduce customer loyalty and trust, and give a competitive advantage to its competitors.
Opportunities for Startups
As the Digital Personal Data Protection Act safeguards the personal data of customers, it can help startups gain customers' trust by following all the compliance requirements under the law and building a good reputation and customer loyalty. Startups which prioritize data protection can set themselves apart in the market, which will help them build trust among investors and customers.
Any startup with a good privacy policy will attract more investors, as there would be fewer legal compliance issues and hindrances in the startup.
By setting good safeguards for personal data protection, startups can attract more foreign clients, as such clients will have more trust in such startups, and can expand their business.
Maintaining data privacy will also give a great boost to the Indian e-commerce and tech industries, as the global market gives great importance to customer data privacy; this will attract more foreign investors to India and grow the Indian economy.
As technology evolves, more business will be online, and startups must adapt to the DPDP Act at the early stages, which will help them grow by keeping data protected and using it in their business strategy.
Conclusion
The Digital Personal Data Protection Act, 2023 is still in the early stage of implementation, so it is not yet clear how it will be implemented. Nevertheless, the Act brings new challenges to startups and also new opportunities to build strong relations with customers by offering a personalised experience in data privacy. In addition, consumers are increasingly aware of the importance of data protection and are more likely to do business with companies they trust with their data. By complying with this Act and taking reasonable steps to protect their customers' data, startups can build trust with their customers and bring long-term success to their business.
References
[i] Digital Personal Data Protection Act, § 3, No. 22, Acts of Parliament, 2023 (India).
[ii] Digital Personal Data Protection Act, § 5, No. 22, Acts of Parliament, 2023 (India).
[iii] Digital Personal Data Protection Act, § 10(2), No. 22, Acts of Parliament, 2023 (India).
[iv] Digital Personal Data Protection Act, § 6, No. 22, Acts of Parliament, 2023 (India).
[v] Digital Personal Data Protection Act, § 33(1), No. 22, Acts of Parliament, 2023 (India).