Decoding DPPA: Road Ahead For Startups

After years of deliberation, India has finally passed a data privacy law known as the Digital Personal and Privacy Act (DPPA). This legislation will hold businesses accountable for breaches and misuse of consumer data. Companies are now obligated to safeguard consumer data and can face fines if they fail to do so. This law is poised to reshape how businesses collect and utilise personal information within India.

Compliance Burden or Ease of Doing Business?

Startups need to take steps to protect customer data. This includes storing data securely, complying with data protection regulations, and having robust data protection policies and procedures in place.

"In the beginning, startups might encounter challenges, but they will receive assistance in the future. It's noted that while bigger companies might already have established protocols for adhering to regulations, smaller and medium-sized businesses across the country could encounter distinct obstacles in fulfilling these mandates. As a result, there is a potential for security management firms to step in and support businesses in effectively manoeuvring through data protection rules, creating a new avenue for job opportunities.," says Kundan Shahi, CEO and Founder of Legal Pay.

Among all startups, Fintechs are anticipated to experience the most notable compliance impact. They have already been operating under stringent data regulations directed by the Reserve Bank of India. However, with the introduction of the DPPA, they must now adhere to additional compliance measures.

Nevertheless, experts suggest that these startups could face added compliance burdens under the new rules. There's a notion that fintech and cryptocurrency startups might potentially fall under the scope of Significant Data Fiduciaries.

For context, the government can designate certain organisations that handle large amounts of personal data as "Significant Data Fiduciaries." These organisations will be subject to stricter privacy regulations in order to protect the rights of users, national security and public order.

Furthermore, some experts believe that large technology companies and social media giants might only receive the classification of 'significant.' These entities currently possess vast amounts of customer data. It's possible that financial services entities will continue to be regulated by the governing body.

Customer-centric

The primary beneficiaries are consumers; the current landscape allows nearly all data processors to claim ownership of our data, with their main business model centred around processing our data for their commercial gain.

"Consumers do need safeguards against that mentality. Having said that, a sandboxed approach to using consumer data can benefit all Consumer Centric Businesses," says Abhimanyu Kumar, Partner at Flipcarbon's CHRO Services. Arguably, one of the most pivotal aspects of the Act is the requirement to notify customers impacted by a data breach.

Cross-boder Data Transfer or Increased Operation Cost?

With the introduction of DPPA, startups must allocate a substantial portion of their funds to ensure compliance. Multinational corporations and startups headquartered outside India could experience increased operational costs due to local data storage regulations imposed by regulators, even though the new data protection law allows for more straightforward cross-border data transfer and processing.

"To weather the cost, startups need to adopt cash optimization strategies in their business operations, such as effective working capital management, focused research and development, and maximising proven marketing strategies," asserts Shahi.

Echoing this sentiment, Kumar suggests, "One way to manage costs is to establish robust annual operating plans and well-thought-out budgets. Data localisation, which was a significant compliance cost element, is no longer insisted upon by the new bill."

Heavy Fine

One of the most stringent provisions of the Act pertains to fines for non-compliance. Failing to meet the responsibilities of a data fiduciary could result in a substantial fine of Rs 250 crore. Furthermore, neglecting to inform the data protection board or affected data subjects about a data breach could lead to penalties of up to Rs 200 crore.

Stakeholders flagged that such hefty penalties could disproportionately affect early-stage startups, potentially making it challenging for them to fully navigate the legal requirements outlined in the law. While legal guidance can be invaluable, young entrepreneurs dealing with personal data must consistently keep the provisions of this legislation in mind.

The act will notably benefit startups concerns with international movement of data. It has simplified many of the challenges in this domain, aiming to strike a balance between stringent data localisation demands and the unfettered flow of data.

Shahi elaborates, "Provisions encouraging the cross-border flow of data have been added as they will play a significant role in attracting foreign investment and further promoting India's global digital exports. By easing data localisation requirements, the Bill will facilitate trusted data movement, expected to bolster the domestic digital ecosystem. Relaxing data localisation norms will assist startups and SMEs in reducing costs for local storage and data processing, in addition to meeting other compliance norms."