New Delhi: A new report by PwC India on how compliant Indian companies are with the Digital Personal Data Protection Act, which came into effect on 11 August, reveals some startling facts. Only 41 of the 100 websites of Indian enterprises that PwC India analysed for its study mentioned data principals’ (users’) rights to access, correct and erase their personal data, while only 9 sought consent from users that was free, specific and informed.
The report said 90% of the organisations showed users a privacy notice when collecting data through their websites, but since such a notice is the first step for any organisation entering the digital world, the high level of compliance did not indicate the presence of a robust data privacy framework. On the matter of third-party data transfers, 43% of organisations did not provide a clear reason for which personal data was shared with third-party data processors.
Sivarama Krishnan, partner and leader - risk consulting, PwC India, and leader, APAC cybersecurity and privacy, PwC, said, “The impact of the DPDP Act 2023 will be all-pervasive and far-reaching for us as individuals, for businesses, and for the overall economy. For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but to also build customer confidence and stakeholder trust, and enhance their global competitiveness… Investing now to become compliant will stand organisations in good stead in the future.”
Here are the key takeaways from the report:
Consent: Only 9% of organisations collect consent that can be considered ‘free, specific and informed’. In such cases, consent is often bundled (i.e. a single consent is obtained for multiple purposes). The study found that while 48% of organisations provide the option to withdraw consent, the actual process of doing so isn’t easy. It also found that only 2% of organisations obtain consent in multiple regional languages.
Cookies: PwC India found that 16% of company websites display a cookie consent banner to users, highlighting that their personal data will be collected and processed. It said 33% of organisations display a cookie notice informing users that the website (or any third-party service used by the website) they are navigating uses cookies. The information technology, hospitality and aviation sectors are leaders in terms of obtaining cookie consent and giving users control over their online experiences as these enterprises have a global presence and are compliant with data protection regulations around the world.
Privacy notices: The study found that 90% of organisations display a privacy notice to users when collecting data through their websites, while 80% mention what personal data is collected in their privacy notice. Just over half (54%) of organisations that display a privacy notice mention the period for which personal data will be retained. And only 2% of organisations provide privacy policies or notices in multiple languages.
User rights: PwC India found that 41% of organisations display the data rights of users (erasure, access and correction) on their website and explain how to exercise these rights. While most organisations in the information technology, hospitality, consumer and pharma sectors, in addition to super apps, have processes in place to honour users’ data rights, they do not provide dedicated email addresses or online forms for support, the study found.
Breach notification: Only 4% of organisations studied have published a mechanism for notifying breaches on their website, the study found. Organisations from the IT and fintech sectors were found to have breach notifications in place as they have a presence in countries with stringent data privacy laws.
Data protection officer: Around 74% of organisations have posted the details of a person or a team that can be contacted for queries about data processing. Of these, 54% have proactively provided the contact details of their data protection officer (DPO). These organisations are likely to have a privacy framework in place and may have a head start in their compliance journey, PwC India said.
Data retention: The study found 54% of organisations state their data retention periods on their websites. These companies are predominantly in sectors such as fintech, e-commerce, IT, banking, insurance and aviation, while organisations in the consumer, retail, realty and manufacturing sectors are lagging on this.
Children’s personal data: One in 10 schools provides a privacy notice customised for children and verifies the user’s age to check if he or she is a minor. Such schools state that they process children’s data only after taking consent from a parent or guardian. Online services and product providers do not show age-appropriate notices or check if the user is a minor, the study said.