On August 11, 2023, the President of India gave his assent to the Digital Personal Data Protection Act, 2023 (DPDP Act). India, as a tech-savvy nation with a booming digital economy, recognized the need for a structured data protection framework. It shall come into force on such date as the Central Government may notify in the Official Gazette. The DPDP Act is India’s first comprehensive piece of legislation that aims to safeguard individuals‘ personal data while enabling the responsible use of data for various purposes. In this article, we delve into the key aspects of India’s DPDP Act and its implications for individuals, businesses, and the digital ecosystem as a whole.
Application of the DPDP Act
The DPDP Act applies to entities processing digital personal data as well as non-digital data that is digitized later, within the Indian territory. The law also applies outside the Indian territory when the processing of personal data is related to offering goods or services to data principals, also known as data subjects under the GDPR, within India.
It also applies to all entities that process personal data, regardless of their size or location except if the Central Government makes an exemption. While the specifics of exemptions can vary and may change over time, here are some common areas where exemptions might apply:
- Processing of digital personal data for any personal or domestic purpose; and
- When personal data is made or caused to be made publicly available by the data principal to whom such personal data relates; or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
- Central government can also exempt itself and State bodies depending on their function including in matters of law enforcement;
- The Central Government may further, having regard to the volume and nature of personal data processed, notify certain data fiduciaries or class of data fiduciaries, including startups,
- Publicly available personal data, processing for research and statistical purposes, and;
- Processing the personal data of foreigners by companies in India under a contract with a foreign company.
With the DPDP Act the Central Government has more power to apply or exempt from the Act including the power to adopt a multitude of “rules” that detail the Act’s application.
Legal bases for processing digital personal data
The DPDP Act focuses mainly on two legal bases:
- Informed consent of the data principal stays the primary legal base for digital personal data in India, and;
- Certain permissible Legitimate uses as under:
- The data principal voluntarily provides personal data to the Data Fiduciary and it is reasonably expected that the data principal would provide such personal data;
- Performance of any function under a law;
- Provision of service or benefit by the State;
- Medical emergency;
- Employment purposes; and
- Specified public interest purposes such as national security, fraud prevention, and information security.
Data Principal Rights and Duties
The DPDP Act provides a comprehensive framework for the protection of digital personal data and gives data principals several rights over their data, as follows:
Data Principal Rights
- Right to obtain information about processing;
- Seeking correction and erasure of personal data;
- Right to nominate another person to exercise rights in the event of death or incapacity, and;
- Grievance redressal.
Data Principal Duties
They must not:
- Register a false or frivolous complaint;
- Furnish any false particulars, suppress information, or impersonate another person in specified cases.
Violation of these duties will be punishable with a penalty of up to INR 10,000.
Substantial Changes in Data Fiduciary Duties
Apart from taking care of data principal rights the data fiduciary, also known as data controller under the GDPR, has to undertake certain other obligations when processing personal data, including:
- Ensure accuracy and completeness of data;
- Build reasonable security safeguards to prevent a data breach, and inform the Data Protection Board of India and affected persons in the event of a breach, and;
- Storage limitation. Please note that the storage limitation requirement will not apply in case of processing by government entities.
- When engaging a data processor, make sure that a valid contract is entered and that the data processor follows proper security standards and a retention schedule.
Furthermore, the Central Government may notify any data fiduciary or class of data fiduciaries as significant data fiduciary depending on the nature of the processing which means if the processing is riskier to the rights and freedoms of the data principals. When a data fiduciary is recognized as a significant data fiduciary, it has to fulfill additional obligations as follows:
- The appointment of a resident data protection officer (‚DPO‘) responsible for grievance redressal;
- The appointment of an independent data auditor;
- conducting Data Protection Impact Assessments (‚DPIAs‘); and (iv) such other compliances as may be prescribed.
The Central Government may restrict the transfer of personal data to certain countries through a notification. This means it may create a list of adequate countries where it is safe and allowed to transfer the data from India. These transfers will be subject to prescribed terms and conditions by the Government.
Establishing the Data Protection Board of India
The Central Government will establish the Data Protection Board of India to oversee the implementation of the DPDP Act. The key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) issuing directions to the data fiduciaries to take necessary mitigating measures in the event of a data breach, and (iii) conducting hearings about grievances from affected people and accordingly pronouncing decisions. The Central Government will prescribe (i) the composition of the Board, (ii) the selection process, (iii) terms and conditions of appointment and service, and (iv) the manner of removal.
Current Recommended Measures
The DPDP Act is a major milestone for data protection in India. It is expected to have a significant impact on businesses and individuals in the country. While the Central Government is preparing to issue regulations and guidelines on the application of the DPDP Act, the current period could be used to start preparing for a structured process starting with a gap analysis. Here are several key actions that foreign entities with Indian subsidiaries and Indian entities should consider:
Gap Analysis and Assessment of Data Processing Activities
- Conduct a thorough audit of all data processing activities within the organization.
- Identify the types of personal data collected, processed, and stored, along with the purposes for which it is used.
- Determine whether the data collected falls under the category of critical personal data or sensitive personal data, as these have specific requirements under the DPDP Act.
- Analyse the current process in place for Data Protection and accordingly start working towards a more structured process in line with the DPDP Act.
Consent Management and Data Principal Rights
- Review and update the organization’s consent mechanisms to ensure they comply with the DPDP Act’s requirements for explicit and informed consent.
- Implement processes to obtain, manage, and withdraw data principal consent for data processing activities.
- Facilitate a system to help enforce data principal rights.
Purpose Limitation and Data Accuracy, Completeness and Reliability
- Review Data collection and maintenance process.
- Collect only the data that is necessary for the intended purpose and avoid over-collection of personal data.
- Make sure that the data is accurate, complete, and consistent.
Appointment of Data Protection Officer (DPO)
- Appoint a Data Protection Officer (DPO) who will be responsible for overseeing data protection activities and ensuring compliance with the Act.
- Provide necessary resources and support to the DPO to carry out their responsibilities effectively.
- Start data mapping to create a structure that will help systemize the data for proper management and, in the future, also facilitate smooth cross-border data transfer.
Privacy by Design
- Integrate privacy considerations into the design of new products, services, and processes.
- Implement measures to protect personal data from the moment it is collected throughout its lifecycle.
Vendor and Partner Compliance
- Review and update agreements with vendors and partners to ensure they comply with the Act’s data protection requirements.
- Conduct due diligence on third-party processors before engaging to ensure they maintain adequate data protection practices.
Data Breach Response Plan
- If there is not already one, develop a robust data breach response plan to effectively handle and mitigate the impact of data breaches in line with the new law.
Regular Audits and Assessments
- Conduct regular internal audits and assessments to monitor compliance with the DPDP Act and identify areas for improvement.
- Update data protection policies and procedures based on audit findings and the changing regulatory landscape.
Engagement with Regulatory Authorities
- Stay updated on the regulations and guidelines issued by the Central Government.
- Once the Data Protection Board is formed, stay informed about updates and guidelines issued by the Data Protection Authorities and engage with them as needed to seek clarifications and guidance on compliance matters.
Cultural Shift towards Data Protection
- Foster a culture of data protection and privacy within the organization.
- Educate employees about the provisions of the DPDP Act and their roles in ensuring compliance.
- Conduct regular training sessions to keep employees updated on data protection practices and procedures.
India’s Digital Personal Data Protection Act of 2023 represents a significant stride towards safeguarding personal data in the digital age. By aligning with global privacy standards and addressing the challenges of data protection, the DPDP Act not only enhances individuals‘ rights but also fosters a more responsible and accountable digital ecosystem. While businesses might initially face compliance challenges, the Act opens doors to innovative data protection solutions and builds a stronger foundation of trust between businesses and their customers. As India’s digital landscape continues to evolve, this Act lays a crucial foundation for a more secure and privacy-respecting future.