PwC India’s recent survey report, titled, “How aware and prepared are Indian consumers and businesses to navigate the new era of digital privacy? A survey of India’s data privacy landscape” , explores the prevailing perceptions about privacy, trust and concerns about free data sharing and its potential misuse by many organisations. The survey underlines the pressing need for building a privacy respecting and privacy-aware culture in India and having a privacy-first approach in organisations.
Sivarama Krishnan, Partner & Leader – Risk Consulting, PwC India and Leader of APAC Cyber Security & Privacy, PwC commented, “The DPDP Act 2023 will play a critical role as India transitions to a high-growth digital economy. While its introduction mirrors in many ways the strong precedents set by some other economies with their own set of data privacy laws, the on-ground reality in India is complex and diverse. Among the many factors to be considered here is the aspect of digital divide- despite the increased proliferation of internet users, digital literacy continues to be an area of concern in India. This aspect of digital literacy is closely intertwined with the aspect of privacy literacy. Our engagement with over 3,000 consumers across the country and with around 200 corporates reveals a significant gap in the understanding of the basic tenets of privacy among all. From a consumer standpoint, while lack of awareness about certain privacy-related processes, protocols, rights or responsibilities may not come as a surprise, there is a pronounced lack of trust in business on matters related to privacy.”
The survey reveals that only 16% of consumers are aware of the DPDP Act across diverse geographies, age groups, occupational backgrounds and urban-rural divides. The survey also states that 56% of consumers are not aware of their rights related to personal data and 69% of consumers are not aware of their rights to take back their consent. Whenever a minor’s personal data is involved, 72% of respondents are not aware that handling a minor’s personal data requires a parent/guardian consent.
A significant awareness gap exists not only among consumers but also among organisations. Only 40% of organisations surveyed claim to understand the act. Among these, only 9% of organisations report a comprehensive understanding. Despite the gap, many organisations do not plan to invest in creating consumer rights awareness. While organisations are stepping up, nearly half of those surveyed are yet to start implementation of the DPDP Act. Only 42% of organisations say they understand/appreciate that compliance with the act is an opportunity to build and enhance consumer trust. Only, the BFSI and pharma sectors are leading the way (>60%) in acknowledging the need of building trust as a competitive advantage. This is the need of the hour considering that 32% of consumers do not think organisations take consent-related clauses with seriousness. Over 69% of consumers feel that their data may not be safe with companies. Of these, 37% of respondents are from Tier-3 cities.
Anirban Sengupta. Leader and Partner, Business and Technology Risk, PwC India said: “In India, sectors that are regulated and direct-to-consumer show maturity in privacy mechanisms yet, express concerns about data privacy laws and enforcement. Despite initial strides in raising privacy awareness amidst the diverse population, there’s a significant trust deficit among consumers regarding data handling by organisations. The need of the hour is a cultural shift towards prioritising data privacy, necessitating active participation from both businesses and consumers to foster a privacy-conscious environment.”
The survey goes on to show that consumers are worried about data breaches, and 44% are willing to pay higher if their data is protected. 42% of consumers are not sure if they will continue using the services of a company post a data breach. This rate is higher in Tier-1 cities at 46%. Although 52% of organisations are planning additional security controls around personal data, technology alone won’t solve the compliance issue. It’s a combination of technology, people skills, and processes that will ensure organisations meet the requirements of the DPDP Act.
Coming to the workforce, 20% of employees surveyed are not comfortable with sharing their personal data with employers. This resonates with the organisation survey outcome, where 64% of organisations have not planned any initiatives to reassure their own employees regarding their personal data. Particularly vulnerable are blue-collared workers, retirees and homemakers, who are often unaware of their rights and the implications of data breaches. When asked how comfortable consumers feel about navigating and complying with the DPDP Act, 49% consumers are unsure how to handle personal data queries, 44% find privacy notices too lengthy to understand, and an equal number don’t read them before agreeing and 84% of them are not aware of DPDPA. Similarly, 80% of organisations anticipate challenges with the act – while regulated BFSI and TMT sectors find it easier, the manufacturing sector faces the most difficulty.
The survey also throws light on the urgent need for the e-commerce, social media and technology sector to focus on educating the age group of 18-30 years on digital privacy, consent management, protection of personal information and consequences of data sharing without thought.
“The BFSI sector should focus on educating homemakers and blue-collar job people on data rights, managing consent, protecting financial and personal data, safe online practices, and managing digital privacy for family members. For the healthcare sector as well as the BFSI sector, there needs to be a concerted effort in educating retired and senior citizens on safe online behaviour, identifying phishing and scams, understanding privacy settings, and protecting personal and financial information,” added Sengupta.
Based on the survey results, it is evident that there is a growing intent among both organisations and consumers to prioritise data privacy. However, the journey towards becoming a privacy-conscious society is still in its early stages and requires accelerated efforts. The DPDP Act has sparked a positive shift in awareness, but significant work remains to be done. While the intent is there, faster and more concerted efforts are essential.
“The insights from this survey can serve as a guidance in identifying the gaps that need to be bridged so that the objectives of the DPDP Act may be achieved, by all stakeholders, for all stakeholders- regulators, businesses and individuals. This understanding is also critical for the realisation of India’s digital dreams and to enhance India’s competitiveness in an increasingly privacy-conscious global digital business ecosystem,” added Krishnan.
