
DPDP Act

Uploaded On: 03 Dec 2024 Author: CA Akhilesh Joshi

Background
The Digital Personal Data Protection (DPDP) Act is a landmark legislation enacted in India on 11 August 2023, designed to regulate the processing of personal data of individuals, while ensuring their privacy and safeguarding their rights. Passed in 2023, the DPDP Act aims to establish a robust framework for data protection, focusing on principles such as lawful processing, transparency, purpose limitation, and data minimization. It outlines the obligations of data fiduciaries—entities that collect and process personal data—and grants significant rights to individuals, including the right to access, correct, and erase their data. The Act also establishes a Data Protection Board to oversee compliance and handle grievances, thereby reinforcing accountability and enforcement in the digital ecosystem. The DPDP Act represents a critical step towards aligning India's data protection standards with global norms, fostering trust in the digital economy.

The Act applies to a wide range of entities, including individuals, businesses, and government organizations, that collect, store, or process digital personal data within India. The DPDP Act empowers individuals with several rights and protections: the right to access, correct or delete their personal data held by organizations; the requirement that organizations obtain explicit and informed consent before collecting and processing personal data; and limits on the purposes for which data can be collected and processed. In case of a data breach, organizations are obligated to notify affected individuals and the Data Protection Authority, and individuals can also file complaints with the Data Protection Authority for any violation of the Act. By granting these rights and protections, the DPDP Act aims to enhance individual privacy, build trust in the digital ecosystem, and foster responsible data handling practices. For businesses in particular, the implications of this Act are extensive and complex for both companies and auditors, requiring careful consideration from both perspectives.

From a company’s standpoint, the DPDP Act introduces several critical compliance obligations. The company is identified as a Data Fiduciary, making it responsible for the proper collection, storage, and processing of personal data in line with the principles of the Act, such as obtaining informed consent and ensuring data security. This necessitates a thorough reassessment of data handling procedures to comply with the new law, including the implementation of data protection measures like encryption, anonymization, and regular audits. The Act also affects various business processes, requiring scrutiny of every touchpoint where personal data is involved, whether during customer registration, employee onboarding, or vendor management. Companies must establish processes for managing consent and enabling data subjects to exercise their rights, such as access, correction, or erasure of data.

Legally, companies must review and possibly renegotiate existing contracts with customers, employees, and third-party vendors to ensure compliance with the DPDP Act. This could mean updating privacy policies, consent forms, data-sharing agreements, etc. The penalties for non-compliance are substantial, with fines reaching up to Rs. 250 crores depending on the breach's severity. Therefore, companies must not only ensure compliance but also consider insurance against potential data breaches. Additionally, the Act mandates the appointment of “Data Protection Officers (DPOs)” for certain categories of Data Fiduciaries, who will oversee compliance and act as the point of contact for data subjects and the Data Protection Board. Regular data protection impact assessments and audits are also required to identify risks and ensure ongoing compliance, including evaluating security measures to prevent breaches.

On the technology front, companies need to enhance their cybersecurity measures, investing in advanced infrastructure to prevent data breaches through access controls, regular security audits, and employee training. They must also develop comprehensive incident response plans, backup plans, and similar measures, as the Act requires.

These compliance requirements are likely to increase operational costs, particularly in technology upgrades, legal compliance, and staff training, and may also result in capital expenditure. However, adhering to these stringent data protection standards could serve as a competitive advantage, especially in industries where data security is a significant concern, such as finance, healthcare, and e-commerce.

From the perspective of auditors, the DPDP Act significantly expands the scope of the audit and the related audit procedures. Auditors must now verify the company’s compliance with the Act by reviewing data protection policies, procedures, and controls. They also need to assess the risks associated with the company’s data processing activities, particularly regarding potential breaches and the adequacy of the company’s response mechanisms. Any non-compliance identified during the audit must be reported in the audit report, especially if it could result in significant penalties or affect the company’s financial statements. This includes issues such as inadequate data protection measures, failure to obtain proper consent, or insufficient breach notification procedures.

The Act’s impact on financial statements is also notable, as auditors must ensure that companies have adequately provisioned for potential liabilities, such as fines, in their financial statements. They must also ensure that the required disclosures, particularly in the notes to accounts related to contingent liabilities and compliance with laws and regulations, are complete and accurate. Evaluating the company’s IT controls, particularly those related to data protection and cybersecurity, is another key audit aspect. Auditors must assess whether these controls are sufficient to prevent unauthorized access and data breaches and to ensure data integrity. Testing the effectiveness of the company’s compliance mechanisms, including consent management and breach response, is also crucial.

Moreover, auditors may play an advisory role, providing guidance on best practices for data governance, cybersecurity, and compliance with the DPDP Act. This could involve recommending improvements to data protection practices and helping the company enhance its compliance culture through training and awareness initiatives for the board and staff.

In conclusion, the DPDP Act imposes substantial obligations on companies in terms of compliance, governance, and cybersecurity. For auditors, this law introduces new dimensions to the auditing process and procedure, requiring a thorough assessment of the company’s data protection practices and their impact on financial reporting. Collaboration between companies and auditors is essential to ensure that the company not only meets its legal obligations under the Act but also leverages compliance as a strategic advantage in a data-driven world.
