Were you hacked in 2024? India’s data protection rules require you to take action

It’s possible the government will consider rule changes if public comments raise questions before 18 February.

Summary

  • The draft rules on digital privacy require that data breaches from 11 August 2023 onwards be reported retrospectively to the Data Protection Board of India once it is set up. For minor breaches, this is too burdensome.

Last year, did any of your employees use a co-worker’s computer and read files without authorization? Maybe the access was unintentional and no information was shared. But because it was viewed by an unauthorized person, the data is considered breached.

What if someone with legitimate authorization purposely accesses and/or shares data with the intent of causing you harm? This malicious insider also caused a data breach.

Did any employee lose an office device last year? It could be an unencrypted and unlocked laptop or external hard drive—anything that contained sensitive information. Again, a data breach has occurred. Finally, were you hacked?


All these constitute data breaches. A data breach occurs when the personal data for which an organization is responsible suffers any unauthorized processing, or any accidental disclosure, acquisition, use, sharing, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of that data.

If you suffered a data breach last year, would you have needed to report it to an authority? ‘No’ may be your guess, since India did not have a data protection authority in place. But will you need to report such occurrences, retrospectively, once the envisaged Data Protection Board of India (DPBI) is set up?

The draft Digital Personal Data Protection Rules, 2025 (Privacy Rules), require such retrospective reporting. They cover data breaches occurring in the interim period from the notification of the Digital Personal Data Protection Act, 2023 (DPDP Act) on 11 August 2023 to its full implementation sometime later this year.

The window between the two dates may not be considered a holiday or safe harbour. As the erstwhile IT minister had advised, this just means that data breaches will accumulate. The DPBI is expected to start adjudicating on cases as soon as it is able to.

Unless the privacy rules explicitly provide otherwise, which they don’t, the DPDP Act is in force for all data fiduciaries vis-a-vis their interactions with data principals.

The former need to implement appropriate technical and organizational measures to avoid possible data breaches. And if such breaches happen, then notification and other triggers may apply to them retrospectively.


So, what actions do data fiduciaries need to take in the interim? First, map the personal data being collected/processed. Then, implement security safeguards.

Various data security measures could be adopted to protect personal data from breaches, such as encryption, obfuscation and tokenization (replacing personal data with virtual tokens, so that the systems doing day-to-day processing never hold the real values).

Should data processors be involved, ensure that the contract includes a requirement that processors implement ‘reasonable security standards’ for their processing activities.
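The tokenization measure mentioned above is worth seeing concretely, because its value in a breach lies in what the compromised system does not contain. The following is an added example written for this page, not code from the author or from any regulator; it uses only the Python standard library and constructed sample records. It keeps the real values in a separate vault and hands every other system an opaque random token; the vault's lookup index is keyed with HMAC so that a stolen index cannot be reversed offline, and reversing a token requires a role check. The field names, roles and key are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed, for illustration: only these roles may see real values again.
DETOKENIZE_ROLES = {"support", "compliance"}

# Assumed field names that carry personal data in our records.
PII_FIELDS = ("email", "phone")


class TokenVault:
    """Holds the only copy of personal data; everything else stores tokens.

    In production the vault lives in its own, separately secured system.
    Here it is an in-memory object so the example runs offline.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # secret key for the value index
        self._token_by_digest = {}      # HMAC(value) -> token
        self._value_by_token = {}       # token -> real value

    def _digest(self, value: str) -> str:
        # Keyed digest: the index alone cannot be brute-forced by someone
        # who steals it without also obtaining the key.
        return hmac.new(self._lookup_key, value.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for a value, minting a random one on first sight."""
        digest = self._digest(value)
        token = self._token_by_digest.get(digest)
        if token is None:
            # Random, not derived from the value: a token reveals nothing.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_digest[digest] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse a token, but only for an authorized role."""
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def tokenize_record(vault: TokenVault, record: dict,
                    fields=PII_FIELDS) -> dict:
    """Copy a record with its personal-data fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def record_exposes_pii(record: dict, vault: TokenVault,
                       fields=PII_FIELDS) -> bool:
    """True if any PII field still holds a raw value (i.e. not a known token)."""
    return any(field in record and record[field] not in vault._value_by_token
               for field in fields)


# Constructed sample data, not real customers.
SAMPLE_RECORDS = [
    {"id": 1, "email": "asha@example.in", "phone": "+91-9800000001"},
    {"id": 2, "email": "ravi@example.in", "phone": "+91-9800000002"},
    {"id": 3, "email": "asha@example.in", "phone": "+91-9800000003"},
]


def build_processing_dataset(key: bytes = b"demo-key-replace-in-production"):
    """Return (vault, tokenized dataset): the dataset is safe to process widely."""
    vault = TokenVault(key)
    dataset = [tokenize_record(vault, r) for r in SAMPLE_RECORDS]
    return vault, dataset


if __name__ == "__main__":
    vault, dataset = build_processing_dataset()
    for row in dataset:
        print(row)
    print(vault.detokenize(dataset[0]["email"], "support"))
```

The same email appearing in records 1 and 3 maps to the same token, so joins and deduplication still work on the tokenized dataset, yet an attacker who exfiltrates that dataset gets nothing usable without also breaching the vault and obtaining its key.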

Now, if you did suffer a data breach, who do you call? The DPBI, as soon as it is set up. In the interim, did you inform the affected data principals? This will be one of the first questions the DPBI will ask. So it should be done now.

What if you don’t inform the DPBI of a data breach you suffered in the interim period? Failing to report a data breach could lead to a penalty of up to ₹200 crore. And if you did not have ‘reasonable security safeguards’ in place during this period, you may incur a further liability of up to ₹250 crore.

If you do decide to inform the DPBI, how much time do you have to make this call? Since nothing has been prescribed for breaches in the interim period, a reasonable working assumption is the draft rules’ own timeline: within 72 hours of the DPBI being able to receive reports.

If you need more time, just ask the DPBI. It may allow more than 72 hours if the data fiduciary sends in a written and well reasoned request for an extension.

Do the draft privacy rules treat all breaches uniformly? Unfortunately, all the examples listed earlier would qualify. Shouldn’t minor breaches have had fewer compliance obligations?

Would a risk-based approach be a fairer way of dealing with breach consequences? It’s possible the government will consider rule changes if public comments raise these questions before 18 February.


One last point. If the data breach also involved a cybersecurity incident, the Indian Computer Emergency Response Team (CERT-In) also needs to be informed. That is a separate obligation with its own clock: CERT-In’s April 2022 directions require covered incidents to be reported within six hours of noticing them, regardless of what the DPBI timeline turns out to be.

Now that the much-awaited privacy rules are out in draft form, offering our comments will not only help strengthen the legal shield for digital personal data but also tie up the loose threads around breach notification, especially the potential retrospective reporting requirement with its cut-off date of 11 August 2023.

The author is partner, JSA Advocates & Solicitors
