India's Digital Personal Data Protection Act (DPDPA), 2023 is the country's first comprehensive statute dedicated to data protection. It applies to businesses operating within India and to those offering goods or services to people in India, and it covers the processing of personal data collected in digital form or collected in non-digital form and later digitised.
The Act received assent and was published in the Official Gazette on August 11, 2023, but the government has not yet notified the date on which its provisions come into force; commencement is expected in early 2024. Until the implementing rules are notified, many operational details remain open, yet the Act already sets the framework that will govern the handling of personal data in India.
Examples of businesses likely to be subject to the DPDPA because they process the personal data of Indian users and customers include government agencies, banks and financial institutions, healthcare providers, e-commerce companies, telecom companies, educational institutions, technology and IT companies, social media platforms, data analytics and marketing firms, and third-party data processors.
The DPDPA primary objectives
Ensure individuals’ control over the collection and use of their personal data, thereby safeguarding digital privacy.
Emphasize data security, requiring business entities to implement reasonable security safeguards that prevent breaches of, and unauthorized access to, the personal data they hold.
Promote transparency by requiring organizations to inform individuals of the purposes for which their data is processed, while holding data fiduciaries accountable for adhering to the data protection principles.
Grant users (data principals) specific rights, including access to their data, correction of inaccuracies, and the ability to request erasure, giving them greater control over their personal information.
Set criteria for valid consent: it must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action.
The DPDPA is part of a global trend towards strengthening digital data security. Worldwide, countries are recognizing the importance of regulating data handling in the digital age. Laws like the General Data Protection Regulation (GDPR) in the European Union (EU) and the California Consumer Privacy Act (CCPA) in the United States have set examples for data protection.
The DPDP Act applies to the processing of digital personal data within India, and to processing outside India if it is in connection with offering goods or services to data principals within India. Under the Act, the Central Government may by notification restrict the transfer of personal data by a data fiduciary to particular countries or territories outside India.
Personal data definition
The DPDP Act defines personal data as any data about an individual who is identifiable by or in relation to such data. In practice this means any information that can directly or indirectly identify a person, such as a name, email address, photograph, or bank statement.
Key Stake holders
Data Principal, Data Fiduciary and Data Processor
Data Principal is the person to whom the personal data relates; this is the same concept as the Data Subject in the EU's GDPR. Where that person is a child, the term also covers their parents or lawful guardian; where the person has a disability, it covers the lawful guardian who acts on their behalf.
Data Fiduciary is any person who, alone or together with others, determines the purpose and means of processing personal data. This is known as a data controller in other parts of the world. The Act also introduces the Significant Data Fiduciary: a data fiduciary (or class of data fiduciaries) that the Central Government notifies on the basis of factors such as the volume and sensitivity of personal data processed and the risk to data principals. Significant data fiduciaries carry additional obligations, including appointing a Data Protection Officer and an independent data auditor and conducting periodic Data Protection Impact Assessments.
Data Processor is any person who processes personal data on behalf of a Data Fiduciary.
Data Protection Officer and Board
Data Protection Officer means an individual appointed by a Significant Data Fiduciary under clause (a) of sub-section (2) of section 10 of the DPDPA. The DPO represents the fiduciary under the Act and is the point of contact for grievance redressal.
Board means the Data Protection Board of India (DPBI) established by the Central Government under section 18 of the DPDPA. A person aggrieved by an order of the Board may appeal to the Appellate Tribunal (the Telecom Disputes Settlement and Appellate Tribunal) within sixty days of the order.
Rights of Data Principals
To obtain information about how their personal data is being processed.
To access their personal data.
To have their personal data corrected, completed, updated, or erased.
To have grievances redressed by the Data Fiduciary.
To nominate another person to exercise their rights in the event of the Data Principal's death or incapacity.
Duties of Data Fiduciary
Under the DPDPA, data fiduciaries have duties such as:
Give the Data Principal the option to read the notice in English or in any language specified in the Eighth Schedule to the Constitution of India.
Use personal data only for the specified purpose for which it was collected.
Notify the Data Principal, in the notice accompanying a request for consent, of the personal data collected and the purpose of processing, how the Data Principal may exercise their rights and withdraw consent, and how to make a complaint to the Board.
If a Data Principal withdraws consent, cease processing their personal data within a reasonable time and ensure that any Data Processors engaged by the fiduciary do the same.
Not transfer personal data for processing to any country or territory outside India that the Central Government has restricted by notification.
Honor Data Principal requests to exercise their rights.
Process a child's personal data only with the verifiable consent of the parent or lawful guardian.
Not track or monitor the behavior of children or direct targeted advertising at children.
Engage a Data Processor only under a valid contract, and erase personal data, and cause the Data Processor to erase it, once consent is withdrawn or the purpose of collection is no longer served.
Obligations in case of a Data Breach
Under the DPDPA, a data fiduciary that suffers a personal data breach must notify the Data Protection Board of India and each affected Data Principal; the form, manner and timeline of that notification are left to rules that have yet to be prescribed, so organizations should plan for a short deadline. Monetary penalties for non-compliance are steep: up to 250 crore rupees (2.5 billion rupees, roughly US$30 million) per instance for failing to take reasonable security safeguards to prevent a breach, and up to 200 crore rupees for failing to notify the Board or affected Data Principals of a breach. The Act thus sets clear consequences for organizations that fail to meet their data protection obligations.
Differences from GDPR
The GDPR is considerably more prescriptive, whereas the DPDP Act lays down fundamental principles and leaves many implementation details to rules to be notified later. Beyond that, the key differences between the two include:
The GDPR applies to all organizations that process the personal data of individuals in the EU, whether or not the organization is established in the EU. The DPDPA likewise applies to all organizations that process the personal data of individuals in India, whether or not the organization is located in India, but only to data in digital form.
The GDPR defines special categories of personal data that may be processed only on specified grounds. The DPDPA applies uniformly to all digital personal data; it imposes no additional controls on sensitive or critical personal data.
The GDPR has strict requirements for transferring personal data outside the EU (adequacy decisions, standard contractual clauses and the like). The DPDPA permits transfers to any country except those the Central Government restricts by notification.
Prepare for DPDP Act
Our view is that organizations should not wait for the Act to come into force or for the implementing rules from the Government of India. You can start preparing now to meet your duties as a fiduciary and to support Data Principals' rights.
Step 1. Update Organization's Data Protection Controls
Review and update the organization's common control framework, ensuring that privacy controls covering transparency, consent, purpose limitation, data minimization and auditing are part of it.
Step 2. Establish Data Governance and Processing Practices
Understand and document where personal data is collected, processed, and stored within your organization. Also review and track the data shared and transferred. Data governance practices including data inventory, classification and flow maps are key to building a defensible data protection and compliance program.
Step 3. Establish Consent Management Practices
Review the inventory and data flow maps from Step 2 to identify the processing activities that require consent. Use that information to build the policies, procedures, employee training and systems needed to support the Data Principal rights described above, including processes for collecting, managing and withdrawing consent and for propagating a withdrawal to every processor that holds the data.
Step 4. Identify Data Fiduciaries and Processors
Determine, for each processing activity, whether the organization acts as a data fiduciary or as a data processor, and document the responsibilities of each party in contracts with processors.
Step 5. Appoint a Data Protection Officer (DPO)
Appoint a Data Protection Officer to oversee compliance with the DPDPA and act as a point of contact for data protection matters.
Step 6. Technical Security Measures
Assess and strengthen data security measures to meet the Act's requirement of reasonable security safeguards. Implement technical controls (access control, encryption, logging and monitoring) that prevent data exfiltration, breaches and unauthorized access, and prepare a breach notification procedure so that the Board and affected Data Principals can be notified promptly.
Step 7. Data Protection Impact Assessment (DPIA)
Conduct assessments to identify and mitigate data protection risks, including an assessment of Data Principals' rights and of the risks that processing poses to their personal data. Only significant data fiduciaries are required to conduct a DPIA, but it is good practice for every organization that wants to strengthen its protection of customer data.
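The consent management practices of Step 3 and the fiduciary duties of purpose limitation and consent withdrawal can be reduced to a small enforcement component: every processing decision is gated on an active, purpose-specific consent, and a withdrawal both stops further processing and instructs each processor to erase the data. The following Python example is added here as an illustration and is not code from the page's author or any official DPDPA tool; the processor names, principal identifier and purposes are constructed, and a real deployment would replace the in-memory stores with durable, auditable ones.

```python
"""Consent register enforcing purpose limitation and consent withdrawal.

Hypothetical example: the processor names, principal ids and purposes below
are constructed for illustration; this is not an official DPDPA component.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


class ConsentError(Exception):
    """Raised when consent is missing, non-specific, or already withdrawn."""


@dataclass
class Consent:
    principal_id: str
    purposes: Set[str]                    # specific purposes consented to
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Processor:
    """A downstream data processor acting on the fiduciary's instructions."""
    name: str
    erased: Set[str] = field(default_factory=set)   # principal ids erased

    def erase(self, principal_id: str) -> None:
        # A real system would call the processor's deletion API here.
        self.erased.add(principal_id)


class ConsentRegistry:
    """Records consent per purpose and gates every processing decision on it."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}
        self._processors: Dict[str, Processor] = {}
        self._audit: List[Tuple[str, str, str]] = []  # (event, principal, detail)

    def register_processor(self, processor: Processor) -> None:
        self._processors[processor.name] = processor

    def record_consent(self, principal_id: str, purposes: Set[str],
                       now: Optional[datetime] = None) -> Consent:
        # Consent must be specific: reject empty or wildcard purpose sets.
        if not purposes or any(p.strip() in ("", "*") for p in purposes):
            raise ConsentError("consent must name specific purposes")
        consent = Consent(principal_id, set(purposes),
                          now or datetime.now(timezone.utc))
        self._consents[principal_id] = consent
        self._audit.append(("consent_granted", principal_id,
                            ",".join(sorted(purposes))))
        return consent

    def authorize(self, principal_id: str, purpose: str) -> bool:
        """Purpose limitation: allow only a consented purpose under active consent."""
        consent = self._consents.get(principal_id)
        allowed = (consent is not None and consent.is_active()
                   and purpose in consent.purposes)
        self._audit.append(("access_allowed" if allowed else "access_denied",
                            principal_id, purpose))
        return allowed

    def withdraw(self, principal_id: str,
                 now: Optional[datetime] = None) -> List[str]:
        """Withdrawal: stop processing and instruct every processor to erase."""
        consent = self._consents.get(principal_id)
        if consent is None or not consent.is_active():
            raise ConsentError("no active consent to withdraw")
        consent.withdrawn_at = now or datetime.now(timezone.utc)
        notified = []
        for proc in self._processors.values():
            proc.erase(principal_id)
            notified.append(proc.name)
        self._audit.append(("consent_withdrawn", principal_id, ",".join(notified)))
        return notified

    def audit_log(self) -> List[Tuple[str, str, str]]:
        return list(self._audit)


def demo() -> dict:
    """Grant, purpose check, withdrawal and erasure propagation, end to end."""
    reg = ConsentRegistry()
    vendors = [Processor("email-vendor"), Processor("analytics-vendor")]
    for v in vendors:
        reg.register_processor(v)
    reg.record_consent("principal-42", {"order_fulfilment", "marketing"})
    before = {"marketing": reg.authorize("principal-42", "marketing"),
              "profiling": reg.authorize("principal-42", "profiling")}
    notified = reg.withdraw("principal-42")
    after = reg.authorize("principal-42", "marketing")
    return {"before": before, "notified": sorted(notified), "after": after,
            "erased_everywhere": all("principal-42" in v.erased for v in vendors),
            "events": [e for e, _, _ in reg.audit_log()]}


if __name__ == "__main__":
    print(demo())
```

The two checks worth copying are the rejection of wildcard consent (consent must be specific to be valid under the Act) and the fact that `withdraw` fans out the erasure to every registered processor before returning, so a fiduciary can show from the audit log that withdrawal reached its processors.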