PwC India has come up with a new report on how compliant Indian companies are with the Digital Personal Data Protection Act, which came into effect on 11 August. The report highlights that only 41 of the 100 websites of Indian enterprises PwC India analysed for its study mentioned data principals’ (users’) rights to access, correct and erase their personal data, while only 9 sought consent from users that was free, specific and informed.
The report stated 90 percent of the organisations showed users a privacy notice when collecting data through their websites, but since such a notice is the first step for any organisation entering the digital world, the high level of compliance did not indicate the presence of a robust data privacy framework. 43 percent of organisations did not provide a clear reason for which personal data was shared with third-party data processors.
Sivarama Krishnan, partner and leader – risk consulting, PwC India, and leader, APAC cybersecurity and privacy, PwC, said, “The impact of the DPDP Act 2023 will be all-pervasive and far-reaching for us as individuals, for businesses, and for the overall economy. For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but to also build customer confidence and stakeholder trust, and enhance their global competitiveness… Investing now to become compliant will stand organisations in good stead in the future.”
Key takeaways from the report:
Consent: Only 9 percent of organisations collect consent that can be considered ‘free, specific and informed’. In such cases, consent is often bundled (i.e. single consent is obtained for multiple purposes). The study revealed that while 48 percent of organisations provide the option to withdraw consent, the actual process of doing so isn’t easy. It also found that only 2 percent of organisations obtain consent in multiple regional languages.
Children’s personal data: Only one in ten schools provided a customised privacy notice for children and executed age verification to confirm users’ age. Such schools state that they process children’s data only after taking consent from a parent or guardian. Online services and product providers do not show age-appropriate notices or check if the user is a minor, the study said.
Cookies: PwC India found that 16 percent of company websites display a cookie consent banner to users, highlighting that their personal data will be collected and processed. It said 33 percent of organisations display a cookie notice informing users that the website (or any third-party service used by the website) they are navigating uses cookies. The information technology, hospitality and aviation sectors are leaders in terms of obtaining cookie consent and giving users control over their online experiences as these enterprises have a global presence and are compliant with data protection regulations around the world.
Privacy notices: 90 percent of organisations display a privacy notice to users when collecting data through their websites, while 80 percent mention what personal data is collected in their privacy notice. Just over half (54 percent) of organisations that display a privacy notice mention the period for which personal data will be retained. And only 2 percent of organisations provide privacy policies or notices in multiple languages.
User rights: 41 percent of organisations display the data rights of users (erasure, access and correction) on their website and explain how to exercise these rights. While most organisations in the information technology, hospitality, consumer and pharma sectors, in addition to super apps, have processes in place to honour users’ data rights, they do not provide dedicated email addresses or online forms for support, the study found.
Breach notification: Only 4 percent of organisations studied have published a mechanism for notifying breaches on their website, the study found. Organisations from the IT and fintech sectors were found to have breach notifications in place as they have a presence in countries with stringent data privacy laws.
Data protection officer: Around 74 percent of organisations have posted the details of a person or a team that can be contacted for queries about data processing. Of these, 54 percent have proactively provided the contact details of their data protection officer (DPO). These organisations are likely to have a privacy framework in place and may have a head start in their compliance journey, PwC India said.
Data retention: The study found 54 percent of organisations state their data retention periods on their websites. These companies are predominantly in sectors such as fintech, e-commerce, IT, banking, insurance and aviation, while organisations in the consumer, retail, realty and manufacturing sectors are lagging on this.