A recent report has shed light on significant compliance gaps in data consent practices among Indian organizations as the government collaborates with industry stakeholders to formulate detailed regulations under the Digital Personal Data Protection (DPDP) Act of 2023. The report, released on Wednesday, indicates that a mere 9% of Indian organizations obtain explicit and informed data consent from individual users, exposing notable shortcomings in adhering to the new Act.
PwC India analyzed the websites of 100 Indian enterprises to assess their compliance with the DPDP Act. The findings revealed that 41% of these enterprises' websites incorporated information about data principal rights, encompassing aspects such as correction, access, and erasure, in their privacy policies.
However, a mere 9% of organizations were found to actively seek consent that adhered to the principles of being free, specific, and informed. While approximately 90% of the reviewed organizations provided a privacy notice to users when collecting data via their websites, this high level of compliance doesn't necessarily indicate a robust data privacy framework.
On third-party data transfers, 43% of organizations did not clearly define the purpose for which personal data was shared with third-party data processors.
Sivarama Krishnan, Partner and Leader of Risk Consulting at PwC India, highlighted the opportunity for organizations to streamline their data collection and processing procedures, build customer trust, and enhance global competitiveness. He emphasized the shift from regarding privacy as a regulatory requirement to integrating "privacy by design" to contribute significantly to India's digital transformation.
The report also noted that while 48% of the organizations surveyed offer the option to withdraw consent, the process for doing so is not straightforward. A mere 2% of organizations obtain consent in multiple regional languages.
While many organizations in sectors such as information technology, hospitality, consumer goods, and pharmaceuticals have processes to honour data subject rights, they often do not provide dedicated email addresses or online forms for user support.
The report coincides with the government's announcement last month that certain entities may be granted a year's grace period to fine-tune their systems for compliance with the Digital Personal Data Protection Act of 2023. The Act applies to the processing of digital personal data in India, both online and offline, as well as its processing abroad when offering goods or services in India.
Inputs from IANS