Enforcements and Technological Implementation: The costly mistakes hidden in compliance

  • Writer: Crypticroots
  • 2 days ago
  • 3 min read

The Data Protection Board of India is the primary body responsible for the enforcement and oversight of the DPDP Act, 2023. Being an independent quasi-judicial body, it is responsible for ensuring compliance, adjudicating complaints of personal data breaches, and penalising organisations which violate the law. It can:

  1. Issue or impose fines against organisations.

  2. Halt or restrict data processing.

  3. Order rectification, restriction or erasure of data.

  4. Suspend cross-border transfers.


Till now, there are no recorded cases where the DPB has imposed large fines on organisations, as the DPDP Rules only recently came into force and every organisation is currently in the transition period; full, absolute accountability for all provisions under the DPDP Act and Rules begins only on and after May 13, 2027.


However, there are various examples under the GDPR where organisations have faced hefty penalties. Some examples are:

  1. In January 2020, the Italian regulatory authority imposed a fine of €27.9 million on telecommunications operator TIM for failing to obtain data subjects' valid consent, aggressive marketing strategies, and personal data breaches.

  2. In April 2020, the Dutch regulatory authority imposed a fine of €725,000 on an unnamed company for using employees' fingerprint scans unlawfully.

  3. In December 2020, the Spanish regulatory authority imposed a fine of €75,000 against EDP Comercializadora SA for failing to obtain data subjects' consent before processing personal data.

  4. In December 2020, the French regulatory authority imposed a fine of €2,250,000 against Carrefour France for failing to obtain data subjects' consent before the installation of cookies.

  5. In March 2021, the Canadian Radio Television and Telecommunications Commissioner imposed a penalty of $75,000 for sending 670,000 marketing emails to individuals without their consent.


Failure to comply attracts heavy penalties, which can cause enormous financial loss to an organisation. The only way to avoid that is compliance.

Privacy risks do not arise only from data breaches; they may also arise from excessive collection, unclear retention, unnecessary access, weak auditability, or data-sharing arrangements that are not sufficiently tied to a defined public purpose. This makes privacy by design particularly important in government technology, because the architecture of a system often determines how citizens' data will be accessed, shared, retained, and protected in practice.


Weak privacy practices expose sensitive records, affect legal entitlements and undermine trust in the organisation. There are certain principles of privacy by design which have to be implemented by every organisation processing digital data. The principles are:

  1. Privacy must be proactive: Organisations must identify privacy risks before a system is launched, not after complaints, breaches or audits arise.

  2. Privacy should be the default setting: No one should have to take extra steps to avoid unnecessary collection, disclosure, or retention of personal data. The design itself should be architected to collect and display only what is necessary for the service.

  3. End-to-end security: Across the data lifecycle, data should be protected at every stage of collection, usage, storage, sharing, and deletion.

  4. Visibility and transparency: There should be clear information on why data is collected, its purpose, how it is stored and deleted, and with whom it is shared.

  5. User-centric: Before any information is collected, clear, specific, informed consent should be obtained from the data principal, and they should be told how their data will be used, stored, shared, and deleted.


Apart from following all these principles, it is important for privacy by design to complement security by design, so that the two are mutually reinforcing.
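As an added illustration of the principles above (my example, not code from the original post), the following Python sketch shows what "privacy by default" and auditability look like once they are built into the architecture rather than left to user effort: a purpose register declares which fields each processing purpose may collect and how long it may keep them; collection without a consent reference, or with fields outside the purpose's allowlist, is rejected; reads return only the fields the purpose permits and are logged; and records whose retention period has elapsed are erased. All purposes, field names, consent references and retention periods are constructed sample values.

```python
"""Privacy-by-default record store: purpose-bound collection, retention and audit.

Added illustration, not code from the original post. Every purpose, field
name and retention period below is a constructed sample value.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purpose register: each processing purpose declares the only fields it may
# collect and how long records may be kept (constructed sample policy).
PURPOSES = {
    "scholarship_payment": {
        "fields": {"applicant_id", "bank_account", "annual_income"},
        "retention": timedelta(days=365),
    },
    "grievance_helpdesk": {
        "fields": {"applicant_id", "contact_email", "complaint_text"},
        "retention": timedelta(days=90),
    },
}


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime
    consent_ref: str  # reference to the recorded consent of the data principal


@dataclass
class PrivacyStore:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, event, purpose, detail):
        # Every collection, rejection, read and erasure is recorded.
        self.audit_log.append((datetime.now(timezone.utc), event, purpose, detail))

    def collect(self, purpose, data, consent_ref, now=None):
        """Store a record only if the purpose is registered, a consent
        reference is present, and every field is on the purpose's allowlist."""
        policy = PURPOSES.get(purpose)
        if policy is None:
            raise ValueError(f"unregistered purpose: {purpose}")
        if not consent_ref:
            raise ValueError("no consent reference supplied")
        extra = set(data) - policy["fields"]
        if extra:
            # Over-collection is refused by design, not left to the operator.
            self._log("collect_rejected", purpose, sorted(extra))
            raise ValueError(f"fields not permitted for {purpose}: {sorted(extra)}")
        rec = Record(purpose, dict(data), now or datetime.now(timezone.utc), consent_ref)
        self.records.append(rec)
        self._log("collect", purpose, sorted(data))
        return rec

    def access(self, purpose, requested_fields):
        """Return only fields the purpose permits, only from records collected
        for that purpose; the read is logged whether or not anything matches."""
        policy = PURPOSES.get(purpose)
        if policy is None:
            raise ValueError(f"unregistered purpose: {purpose}")
        allowed = set(requested_fields) & policy["fields"]
        rows = [{k: r.data[k] for k in sorted(allowed) if k in r.data}
                for r in self.records if r.purpose == purpose]
        self._log("access", purpose, sorted(allowed))
        return rows

    def purge_expired(self, now=None):
        """Erase records whose retention period has elapsed; return the count."""
        now = now or datetime.now(timezone.utc)
        kept, erased = [], 0
        for r in self.records:
            if now - r.collected_at > PURPOSES[r.purpose]["retention"]:
                erased += 1
                self._log("erase", r.purpose, "retention expired")
            else:
                kept.append(r)
        self.records = kept
        return erased


def demo():
    """Walk through collection, a rejected over-collection, a purpose-bound
    read, and retention-driven erasure; returns the outcomes for inspection."""
    store = PrivacyStore()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store.collect("scholarship_payment",
                  {"applicant_id": "A1", "bank_account": "XXXX1234"},
                  "consent-001", now=t0)
    try:  # contact_email is not permitted for the payment purpose
        store.collect("scholarship_payment",
                      {"applicant_id": "A2", "contact_email": "a2@example.invalid"},
                      "consent-002", now=t0)
        rejected = False
    except ValueError:
        rejected = True
    view = store.access("scholarship_payment", ["applicant_id", "bank_account"])
    cross = store.access("grievance_helpdesk", ["bank_account"])  # nothing leaks across purposes
    erased = store.purge_expired(now=t0 + timedelta(days=366))
    return {
        "rejected_overcollection": rejected,
        "view": view,
        "cross_purpose": cross,
        "erased": erased,
        "remaining": len(store.records),
        "audit_events": [e[1] for e in store.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the allowlist and retention period live with the purpose, not with the form or the screen: a new data-collection feature cannot quietly widen what is gathered without changing the register, which is exactly the kind of change a privacy review should see.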

Viewed that way, privacy by design is not just a phrase, it is ensuring digital governance remains lawful, proportionate, and worthy of public trust.
