New DPDP rules may mandate immediate reporting of data breaches to Data Protection Board

By Moneycontrol | December 28, 2023, 10:09 am

Any platform processing personal data of users, whether a private or government entity, must immediately notify the Data Protection Board (DPB) of any data breach upon becoming aware, according to an unreleased version of the draft Digital Personal Data Protection (DPDP) rules.

The DPB is an adjudicating body set up under the DPDP Act.

The details that a platform will need to communicate to the DPB, on a best-effort basis, should include a description of the breach, the date and time when the platform became aware of the breach, the location of the breach, its extent, and potential impact.

These details are included in a version of the draft DPDP rules currently circulating internally among various sectors of industry and governance. The rules will define the DPDP Act’s parameters.

Moneycontrol has seen a copy of the draft. However, the publication could not independently confirm its authenticity. The publication has reached out to the Ministry of Electronics and Information Technology (MeitY) regarding the matter, and the article will be updated when a response is received.

Within 72 hours of the data breach, a platform will also have to give the DPB more details regarding the incident, including broad facts related to the breach, the circumstances and reasons that led to the security incident, and so on, the draft added.

This reporting mechanism will be digital in nature, and a platform can submit such details through the DPB’s website.

It is important to note that platforms already report data breaches or any kind of cybersecurity incident to the Indian Computer Emergency Response Team (CERT-In). According to the CERT-In Directions of 2022, platforms will have to report a data breach within 6 hours of noticing such incidents.

Last week, MeitY held a consultation meeting with the industry on the draft DPDP rules.

During the meeting, the government conveyed to the industry that it intends to release the rules soon and, after a brief consultation period, notify them by January 2024.

Minister of State for Electronics and Information Technology Rajeev Chandrasekhar chaired the meeting, which was attended by representatives of social media companies such as Meta, Google and Snap, representatives of IT companies, and lawyers.
