Training, sensitisation, and gap analysis will help organisations adapt to data protection law easily: Khaitan & Co
Supratim Chakraborty and Rajiv Khaitan from the law firm Khaitan & Co break down the finer details of India’s new data protection law and what startups and small businesses can do to make the adaptation process easier, at TechSparks 2023 in New Delhi.
The Ministry of Electronics and Information Technology (MeitY) is set to announce the accompanying rules of the Digital Personal Data Protection Law—which will replace the incumbent Information Technology (IT) Act—by January 2024 at the latest.
Successful adoption of the data protection law and the accompanying rules hinges on adequate awareness and sensitisation, said executives from law firm Khaitan & Co.
Training, sensitisation and gap analysis could help individuals and organisations adapt to the new provisions easily and quickly, said Supratim Chakraborty, Partner at law firm Khaitan & Co.
“If every person is not aware of their role, the adoption will never be a success,” noted Chakraborty, during a fireside chat at TechSparks 2023 held in New Delhi recently.
He urged the top management of organisations (startup founders and senior executives) to set up a 45-minute session with experts to familiarise themselves with the provisions of the law, and mid-level management executives, who will oversee the privacy programme, to opt for a two-hour session.
On the other hand, legal and compliance teams that will be "dotting the Is and crossing the Ts" would require a day-long workshop to "get their hands dirty" and understand how a document or contract should be redrafted, he added.
Preparing for the law
For gap analysis, organisations must identify areas where processes are already in place and those that need to be overhauled. It’s important to plug the gaps to ensure full compliance, pointed out Chakraborty.
Emphasising the need for adequate time for the ecosystem to gear up for the law, he said, “GDPR (General Data Protection Regulation) experience has shown us that two years were not sufficient for organisations in the European Union. They already had a law, and it was just one step up. For us, it will be a quantum leap. From almost nothing to a GDPR-equivalent law, our ecosystem needs enough time to gear up for it."
Rajiv Khaitan, Senior Partner at Khaitan & Co, said organisations will need to obtain consent from all data principals within a reasonable time once the law comes into force.
Khaitan suggested that every organisation must start the process by segregating the types of data it holds, identifying anonymised data, and seeing whether the architecture needs to be tweaked.
Compliance with the law
Chakraborty noted that while there certainly are apprehensions regarding the new law, the government is very clear that entrepreneurship, innovation, and ease of doing business cannot be hampered while trying to protect personal data.
Startups can take advantage of the various incentive schemes, said the executives from Khaitan & Co.
The rollout of the new law is also likely to be done in a staggered manner depending on the type of entity—state and government agencies that are low on digitisation will get maximum time to prepare for the law, while early-stage startups and micro, small and medium enterprises (MSMEs) will receive sufficient time to comply with the law.
“The most important thing to remember is that you must show that you are actively working on the ground towards compliance. While startups may be given a long leeway, the government will give everyone a five-year window to ensure full compliance,” Khaitan said, adding that the new law is designed for businesses to be able to use with ease.
Edited by Swetha Kannan