As the government works with industry stakeholders to formulate detailed rules under the Digital Personal Data Protection (DPDP) Act, 2023, a new report showed today that only 9% of organisations in India obtain clear consent from data principals (individual users), showing striking gaps in compliance with the new Act.

100 Indian websites analysed

A consultation firm analysed the websites of 100 Indian enterprises for compliance with the DPDP Act and 41% of them were found to specify data principal rights (correction, access and erasure) in their website privacy policies.

However, only 9% of organisations sought consent that was free, specific and informed, as per the report. About 90% of the organisations reviewed, provide a privacy notice to data principals when collecting data through their websites. 

Since such a notice is the first step adopted by any organisation entering the digital world, the high level of compliance does not indicate the presence of a robust data privacy framework, the findings showed.

On Third-party transfers

On the aspect of third-party transfers, 43% of organisations were found lacking in providing a well-defined purpose for which personal data was shared with third-party data processors.

“For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but to also build customer confidence and overall stakeholder trust, apart from enhancing their global competitiveness,” said a risk consulting partner and APAC cybersecurity and privacy leader at the consultancy firm.

“Shifting the focus from ‘privacy as an Act requirement’ to ‘privacy by design’ can help India,” he added.

What more the analysis says

Around 48% of organisations surveyed provide the option to withdraw consent. However, the process of withdrawing consent is not as easy as providing it.

Consent is obtained in multiple regional languages only by 2% of organisations, said the report.

About 16% of organisational websites display a cookie consent banner to users highlighting that their personal data will be collected and processed by the organisation.

Nearly 33% of organisations display a cookie notice informing users that the website (or any third-party service used by the website) they are navigating using cookies.

About 41% of organisations display the right of data principals (erasures, access and correction) on their website along with the mechanisms to exercise them.

“While most organisations in the information technology, hospitality, consumer and pharma sectors and super apps have processes in place to honour data subject rights, they do not provide dedicated email addresses or online forms for support,” the report noted.

Around 74% of organisations have listed contact details of a person or a team that can be contacted for queries around data processing.

About 54% of these organisations have proactively provided the contact details of their Data Protection Officer (DPO).

Entities shall fine-tune their systems: Government

The report came as the government said last month that some entities may be given a year’s time to fine-tune their systems to comply with the Digital Personal Data Protection Act, 2023.

It will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside the country, if it is for offering goods or services in India.

(Source: IANS)

-Edited for style

For more such updates and news on the go, follow us on

Instagram | YouTube | Facebook