About 50 per cent of the organisations are yet to acquire the required skill sets to implement the Digital Personal Data Protection (DPDP) Act, 2023, a new report showed on Sunday.

According to ‘The India Data Protection Readiness Report’ by EY India, only 36 per cent of organisations have Data Protection Officers (DPOs) based in India, impacting their ability to manage consent and comply with the provisions of the DPDP Act. 

Other challenges identified include inadequate awareness of regulatory guidelines, resource constraints in their compliance journey, and organisational resistance to change -- which may create obstacles in implementing the necessary changes within the organisation.

"Compliance with this legislation necessitates the establishment of a robust technological infrastructure to guarantee data security and accountability," said Lalit Kalra, Cybersecurity Consulting Partner, EY India.

"Moreover, organisations must cultivate a proficient workforce capable of comprehending the legal and ethical dimensions of data processing and adeptly managing data breaches," he added.

About 76 per cent expressed that an organisation's commitment to data privacy and transparency would indeed influence their buying preferences.

This indicates an increasing awareness among consumers regarding data privacy matters and a readiness to support companies that make privacy a priority, the report said.

"The establishment of a transparent data protection ecosystem is imperative. It not only fosters trust but also empowers consumers to make informed choices, ensuring the preservation of their privacy and security," said Mini Gupta, Cybersecurity Consulting Partner, EY India.

The DPDP Act specifies norms on the management of the personal data of residents in India and requires explicit consent from people whose data is collected and used. It also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach.

It also provides certain additional rights to the Data Principals such as the right to correct, delete, update and erase data under Section 12.

Section 14 of the DPDP Act provides a right to nominate another individual in case of death or incapacity of the Data Principal.