Illustration: Binay Sinha
BSA, a leading advocate for the global software industry, is seeking clearer guidance on the risk threshold that triggers notification in different kinds of data breach, and a 72-hour timeline for reporting such incidents to the Data Protection Board (DPB), from the yet-to-be-released rules under the Digital Personal Data Protection Act (DPDPA).
“Cyber incidents differ from personal data breach incidents. There should be a classification of risk thresholds based on factors such as the type of system affected—whether it’s linked to critical infrastructure like government identity databases—and the severity of the breach,” said Venkatesh Krishnamoorthy, Country Manager India, BSA.
“For instance, a breach in a system tied to sensitive data like government identity numbers would warrant immediate reporting due to its higher risk compared to breaches in systems handling less critical data such as book and shopping preferences,” he added.
BSA is a global alliance of software companies, including giants such as Adobe, Cisco, Microsoft and IBM, with a presence in over 30 countries. It actively engages with governments across the world on policy matters related to privacy, AI and cybersecurity, among others.
The industry body also seeks standardization in reporting formats across multiple regulatory bodies in the case of cybersecurity incidents.
“There are multiple regulatory bodies to which businesses have to report, and if some sort of alignment or standardization happens in those reporting formats, that would be helpful,” said Krishnamoorthy.
BSA also advocates for flexible data processing criteria and expanded grounds for personal data processing under the detailed rules.
“These are essential to ensure clarity and adequacy in addressing various purposes for data processing,” said Krishnamoorthy.
He added that the current definition of the purposes of data processing under the Act was broad, and that it was not clear whether some of the grounds on which companies currently process data would be permitted. “Now we have to see how the rules are framed around it,” he said.
As India’s first dedicated legislation for digital privacy, the DPDPA lays down broad principles for the collection and processing of personal information in digital form. The Act prescribes monetary penalties of up to Rs 250 crore for each instance of a data breach, and the blocking of entities in case of repeated violations.
However, how these provisions are implemented and the exact processes to be followed will be “as may be prescribed” in the rules. The Act lists 26 matters on which the government can make rules to enforce its provisions.
The rules for the Act, which was notified in August last year, are expected to be put up for public consultation after the general elections this year.