₹250 crore in case of a data breach. For the average user, the rules put in place rights to access their information by any entity and to withdraw consent, and enable mechanisms to correct or erase personal data and mechanisms of redressal in cases of breach. Legal experts pointed out that the proposed rules may increase the compliance burden, since companies already have to report breaches within six hours to the Indian Computer Emergency Response Team (Cert-In), the government agency that coordinates cybersecurity efforts.
“Organizations will have to do triple reporting of cybersecurity incidents. Such a regulatory situation increases the burden heavily on a company, wherein the companies, on a bad day, should ideally put in all their efforts towards the breach itself. Instead, compliance itself will take up too much effort,” said a senior partner at a law firm, who did not want to be named.
The consent mechanism needs to be simplified for the average user, a second lawyer said, adding that a linkage would be required in situations where data is willingly given by users, for instance, while doing physical transactions. “When entering user details in a restaurant, there’s no consent contract being agreed upon. But the user has the right to deny data permission. When consent is given through a transactional manner, it needs to have a simplified linkage mechanism for data consent. But in its absence, this may pose challenges,” the lawyer said.
The rules may also propose to develop a mechanism for verifiable consent from a parent or legal guardian for processing data of people under 18 years of age.