When asked about the potential reduction of compliance timelines for large tech companies under the data protection framework, Krishnan stated that the government is in consultation with industry stakeholders to evaluate their readiness.
He emphasized that due to the complexity of the issue and its impacts on various levels of the digital ecosystem, the government aims to avoid any disruption.
Also Read: Data Protection Rules: Industry highlights concerns regarding data localisation and parental consent.
“We’ve commenced the process of establishing criteria for identifying members and calling for nominations to fill the positions required for the board… We are currently working on that as approval is needed,” Krishnan told PTI in an interview.
The government has the software ready for an entirely online office for the Data Protection Board.
“So, the work is ongoing,” the IT secretary added.
Regarding whether large companies have expressed opposition to the shortening of compliance timelines during their discussions with the IT Ministry, Krishnan noted they hadn’t indicated any particular discomfort.
“We’ve asked them to inform us when they will be prepared and to focus on specific details…. It’s important to understand the complexity involved,” he stated.
The DPDP Act outlines the manner in which entities should collect and process users’ data, with the establishment of the Data Protection Board of India aimed at overseeing compliance, investigating breaches, and imposing penalties, along with mandating remedial measures in case of data breaches.
This board operates as an independent entity and is set to play a critical role in enforcing the rights established under the Act and ensuring trust within the system.
According to the recently issued DPDP Rules, the central government will form a search-cum-selection committee, led by the Cabinet Secretary, which will include the Law Secretary, the IT Secretary, and two domain experts to recommend individuals for the position of chairperson of the Data Protection Board.
Another search-cum-selection panel will be chaired by the IT Secretary, consisting of the Law Secretary and two domain experts, to propose names for board member appointments.
“The central government shall appoint the Chairperson or other members after evaluating the suitability of individuals recommended by the search-cum-selection committee,” the DPDP rules state.
Krishnan mentioned that the Data Protection Board is expected to be operational “in the coming months,” though he did not specify a timeline.
The Digital Personal Data Protection Act is designed to create a framework for processing digital personal data that acknowledges both individuals’ rights to protect their information and the necessity of using that data for lawful purposes.
This Act outlines the responsibilities of Data Fiduciaries (individuals, companies, and government entities that process data) concerning data processing (collection, storage, or any operation involving personal data); the rights and obligations of Data Principals (individuals to whom the data pertains); and penalties for violations of these rights, duties, and obligations.
The Act clearly defines the responsibilities of Data Fiduciaries to secure personal data and ensure accountability for its use. Moreover, it grants Data Principals the right to be informed about how their data is managed.
Also Read: Government notifies DPDP rules, establishes an 18-month roadmap for the data protection regime.
The DPDP Act imposes severe financial penalties for non-compliance, with the highest penalty of up to Rs 250 crore applicable to Data Fiduciaries that fail to maintain adequate security measures.
Failing to notify the Board or affected individuals of a personal data breach, as well as breaching obligations related to minors, can each incur penalties up to Rs 200 crore. Any other breach of the Act or Rules by a Data Fiduciary may result in penalties reaching up to Rs 50 crore.
