The DPDPA: The Starter Guide for Organizations

Jun 2024 - Silverse

Introduction: A New Era of Data Privacy

On 11 August 2023, the world witnessed the landmark enactment of the Digital Personal Data Protection Act (DPDPA). The legislation establishes a framework for collecting, processing, sharing, storing or deleting digital personal data in India.

The DPDPA has come at an apt time; according to a report by Ernst and Young, India ranked eighth in the world in cumulative reported data breaches from 2004 to 2023.

There are various reasons for this. Notably, during and after the Covid-19 pandemic, the number of reported data breaches went up, in part due to the acceleration of digital transformation and the lack of stringent controls to safeguard data.

Since the enactment of the DPDPA, companies have been gearing up for regulatory compliance. While all sectors are expected to comply, heavier investment in compliance is expected from those that handle large amounts of personal data, such as banking, healthcare, insurance, and technology.

Historical Context

Prior to the DPDPA, there was no standalone law in India on data protection. The use of personal data was regulated under the Information Technology (IT) Act, 2000.

The regulatory landscape for data protection often failed to address the complexities of modern data processing activities. Furthermore, the lack of comprehensive legislation left large gaps in privacy protection.

Individuals had limited control over their personal information, including personally identifiable information (name, email ID, mobile number, etc.) and sensitive personal information (religion, political views, images, etc.). There was, additionally, little recourse in the event of misuse or breaches, which left individuals more exposed to harm.

In August 2017, the Supreme Court of India declared that the right to privacy is a part of the right to life and personal liberty as per Article 21 of the Constitution. On 18 November 2022, the Digital Personal Data Protection Bill was released. Subsequently, it was passed by the Lok Sabha on 7 August 2023, and by the Rajya Sabha on 9 August 2023.

Key Terminology

There are certain key terms that are commonly used throughout the DPDPA, including but not limited to:

Personal Data: Any data about an individual who is identifiable by or in relation to that data.

Data Principal: The individual to whom the personal data relates. If the individual is a child, the definition includes the parents or lawful guardian of the child. Furthermore, if the individual has a disability, it includes their lawful guardian, acting on their behalf.

Data Fiduciary: A person who, alone or jointly with other persons, decides the purpose and means of processing personal data.

In certain cases, the Indian government might classify some data fiduciaries as significant data fiduciaries. This is based on factors such as the volume of personal data processed, the security of the state, and the potential impact on India’s sovereignty.

Data Processor: A person who processes personal data on behalf of a data fiduciary.

Data Protection Officer (DPO): A DPO is an individual who is appointed by a significant data fiduciary. The DPO reports to the board of directors and acts as a point of contact for grievance redressal. She is required to be based in India.

Note that “regular” data fiduciaries are also required to appoint an individual to manage enquiries from data principals about their personal data.

Data Principal Rights

The following rights are granted to data principals under the Act:

Grievance redressal: The right to a means of grievance redressal provided by a consent manager or data fiduciary.

Correction and erasure: The right to correction, updation, completion or erasure of personal data for which consent was previously given.

Nomination: The right to nominate another individual who may exercise the data principal’s rights, in the event of incapacity or death of the data principal.

Information access: The right to request and obtain information on their personal data from the data fiduciary, including a summary of the data and processing activities, identities of all data processors and fiduciaries with whom personal data has been shared, and other information.

Consent withdrawal: The right to withdraw consent at any time, where consent is given to process personal data.

Data Fiduciary Obligations

Data fiduciaries have several obligations under the new data privacy regulation. Some significant ones include:

Notice: Data fiduciaries must provide a notice to the data principal, describing the personal data and the purpose for which it is being processed, the ways in which she can exercise her rights, and how she can raise a complaint to the Data Protection Board (DPB).

Consent: The data principal’s consent must be unambiguous, unconditional, informed, free and specific.

Data breach notification: In case of a personal data breach, the concerned data principals as well as the DPB must be notified.

Compliance: Regardless of whether a data principal fulfils the duties outlined in the Act, the data fiduciary shall be responsible for maintaining compliance with the Act.

Appointing a DPO: A significant data fiduciary is required to appoint a DPO.

Retaining personal data: Personal data shall not be retained in case the purpose for which it was collected is no longer served by its retention.

No conditional services: A contract between the data principal and data fiduciary to deliver a product cannot be contingent upon consenting to processing any personal data.

Scope and Applicability

The DPDPA applies to:

  • The processing of digital personal data in India.
  • The processing of digital personal data outside India, if the processing is related to the offering of goods or services to data principals in India.
  • Data that was initially collected in digital format.
  • Data that was collected offline and later digitized.

However, there are certain exemptions, including but not limited to:

  • Data processed by an individual for domestic or personal purposes.
  • Publicly available personal data.
  • Government agencies may be exempt in the interest of public order, prevention of offenses, and national security.
  • Certain organizations, such as startups, may be exempt in the interest of encouraging entrepreneurship and innovation.
  • The central government is exempted in the cases of processing data used for various purposes, including but not limited to the sovereignty and integrity of India, friendly relations with foreign states, research, or archiving.

Implementation and Enforcement

The enforcement and management of the DPDPA will rest on the shoulders of the Data Protection Board, which the central government will appoint. The chairperson and board members will be appointed for two-year terms and be eligible for re-appointment.

For determining penalties and penalty amounts, the DPB will consider various factors, including but not limited to:

  • Gravity of the breach
  • Type of personal data impacted by the breach
  • Whether timely, effective action was taken to mitigate the effects of the breach

The fines for non-compliance with the data privacy law vary widely. For organizations, fines can range from INR 50 crores to 250 crores. For data principals, in case of suppressing material information, falsifying information, impersonation, or false grievances or complaints, fines can reach up to INR 10,000.

Conclusion

The Digital Personal Data Protection Act is expected to enhance data security, reduce cybercrime, and increase accountability, thus fostering a culture of privacy.

However, it may also pose certain challenges, particularly operational complexity for global organizations, for whom compliance can be both complicated and resource-intensive. While this article may act as a stepping stone towards understanding the Act, it is not a substitute for professional advisory.

That’s where Silverse steps in. We help organizations stay compliant and reap the benefits therein. Our DPDPA compliance services include advisory, implementation, and managed operations for an end-to-end solution. Contact us now to get started.
