Data Protection Newsletter (August Issue)

August 22, 2024

Nachiketa Singh

Founders Office

Summary

  • DPDP Rules Available for Public Consultation Within a Month
  • NBFC Account Aggregators Face Cyberthreat, Home Ministry Steps In
  • US Sues TikTok over ‘Privacy Violations’ of Kids Under 13
  • Fintechs Should Work with Banks to Develop Regulatory Compliant Solutions: Financial Services Secretary
  • DPDP Compliance for B2B2C Companies
  • Grounds for Processing Under the DPDP Act
  • How will the Data Protection Act impact Telemarketing?
  • Provide for Consent Management
  • Institute robust access controls and employee authentication mechanisms to limit access to personal data

Headlines of the Week

DPDP Rules Available for Public Consultation in a Month

The detailed rules for the Digital Personal Data Protection Act 2023 will be made available for public review within a month. Minister Ashwini Vaishnaw confirmed that the framework of the DPDP Act is now complete, with the workflow covering how to file complaints, how appeals are taken up, and other details. Once the rules are notified, a public consultation period of about 45 days shall follow, followed by the establishment of a Data Protection Board. Notably, the DPDP Act completed its first year on August 12th.

Source: Moneycontrol

NBFC Account Aggregators Face Cyberthreat, Home Ministry Steps In

The Account Aggregator (AA) system is facing a threat from cybercriminals. Fraudsters have developed ways to access customer data and details of their bank accounts. Even large AAs like Perfios, Finvu, Cams Finserv and NeSL Asset Data Limited have shut down certain features, such as balance enquiries and customer profile details. ReBIT has put in place a strong technical framework for AAs to provide secure and consented flows.

Source: Economic Times

US Sues TikTok over ‘Privacy Violations’ of Kids Under 13

The US Justice Department has sued TikTok and ByteDance, alleging failure to protect children's privacy. The lawsuit alleges that TikTok collected user data from kids under 13 years of age without parental consent. The penalties can run into billions of dollars if the allegations are proved. Notably, children's consent is the primary reason for the delay in notification of the DPDP rules in India.

Source: Economic Times

Fintechs Should Work with Banks to Develop Regulatory Compliant Solutions: Financial Services Secretary

Financial Services Secretary Vivek Joshi urged increased cooperation between banks and fintech firms. He noted the need to create scalable, regulatory compliant solutions. Addressing the FICCI-IBA PICUP Fintech Conference, Joshi highlighted the need for fintechs to focus on regulatory compliance, governance and cybersecurity. He also noted that innovation shall not outpace the necessary safeguards, and that cyber security, data privacy, identity theft, digital financial fraud and financial literacy are other areas that require attention.

Source: Economic Times

Insights of the Week

DPDP Compliance for B2B2C Companies

Read our blog to understand DPDP Act compliance for B2B2C companies. A B2B2C model employs another business to offer products and services to end customers. In a B2B2C model, businesses can act as either Data Fiduciaries or Processors, depending on their control over data processing activities. Compliance obligations primarily rest on Data Fiduciaries. Under the new regime, B2B2C companies should navigate complex roles and responsibilities, ensure clear agreements with partners covering data breaches, and ensure transparency for end users.

Read the Full Article

Grounds for Processing Under the DPDP Act

Read our blog to understand the grounds for processing under the DPDP Act. The DPDP Act provides for processing of personal data for lawful purposes only. Under the new regime, consent is placed at the forefront of data processing activities. Businesses are now required to give detailed consent notices and maintain verifiable records of consent. The law also provides for certain exemptions where consent can be dispensed with for legitimate use. Indian businesses must understand and comply with the grounds for processing, considering severe penalties of up to Rs. 250 Crore.

Read the Full Article

How will the Data Protection Act impact Telemarketing?

The DPDP Act, 2023 provides a framework for data protection in India. Despite existing TRAI and RBI regulations on Unsolicited Commercial Communication (UCC), telemarketing activities went unchecked due to regulatory loopholes and weak enforcement. The DPDP Act is the first authoritative Indian law to strictly prohibit telemarketing without user consent. The DPDP Act holds businesses responsible for any non-compliant telemarketing activities. Penalties of up to ₹50 Crores may apply per instance of violation of the DPDP Act. Indian businesses are now required to provide for granular consents for telemarketing, provide valid notice for data collected before the DPDP Act, and offer users rights over their data.

Read the Full Article

Compliance Tip of the Week

Provide for Consent Management

Companies should review data maps to identify which processing activities rely on consent. The need of the hour is to implement a DPDP compliant consent process across all touchpoints where personal data is collected. Indian businesses can simply plug in Leegality Consent Manager to better manage end-user consents. 

Institute Robust Access Controls and Employee Authentication Mechanisms to Limit Personal Data Access

Implement comprehensive training programs for employees and contractors on data protection and privacy. Integrate policy acknowledgment into employee onboarding and periodic training programs. Ensure these policies are easily accessible to all stakeholders, including employees, customers, and partners. Identify the key employees with whom personal data must be shared for an activity. Share users' personal data only with the employees identified as essential.

Explore Leegality Consent Manager

Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:

  • Compliant consent notices across all customer touchpoints
  • Storage of verifiable and auditable records of each consent
  • Dashboard for customers to change consent preferences and exercise data rights
  • Oversight over the data practices of your third parties

Explore Leegality Consent Manager for your Business

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account