EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights.
Penalties
Another salient feature of DPDP Act is the penalty clause. There are penalties for non-compliance of the provisions by data fiduciaries up to INR250 crore. Some of these are:
- Breach in observance of duty of data principal up to INR10,000
- Failure to notify the data protection board and affected data principals in the event of a personal data breach is up to INR200 crore
- Breach in observance of additional obligation in relation to children up to INR200 crore
Exclusions
In the act, non-automated personal data, offline personal data and personal data in existence for at least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been removed. At present, the provision for grievance redressal review is not included. The timeline of 72 hours within which a data breach is to be reported to authorities is excluded.
Sectors impacted
The act is expected to have an impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023.