The Digital Personal Data Protection Act (DPDPA) 2023 is a comprehensive data protection regime for India enacted to safeguard the rights of individuals and ensure the lawful processing of digital personal data. The DPDPA establishes a comprehensive rights-based framework for data protection, focusing on individual rights.
The DPDPA applies to personal data collected in digital or non-digital forms but is subsequently digitized. It does not apply to non-digital data, data processed for personal or domestic purposes, or data made publicly available by a data principal or any other person under a legal obligation. The law applies to personal data processing within the Indian territory and extends its scope outside India if such processing is in connection with offering goods and services to data principals within India.
The DPDPA mandates that organizations implement appropriate security safeguards to protect personal data from unauthorized access, use, disclosure ,modification, or destruction. These safeguards include encryption ,anonymization, pseudonymization, firewalls, access controls, and audits. Organizations also need to adhere to the codes of practice issued by the Data Protection Board regarding various aspects of personal data processing.
The Digital Personal Data Protection Act (DPDPA) of India is a comprehensive data protection law enacted to address data protection and privacy concerns in the country. The key provisions of the DPDPA are as follows:
1. Scope: The DPDPA applies to any entity that processes digital personal data within Indian territory. It also imposes extraterritorial jurisdiction and covers data processed outside India with the intent of offering goods and services to individuals within India. However, this does not apply to data in non-digitized forms. The DPDPA introduces the concept of "Significant Data Fiduciaries" (SDFs), which are organizations that deal with large volumes of individual personal data. However, the Act does not provide quantifiable thresholds for designating an organization as an SDF.
2. Data Fiduciaries and Data Processors: This act defines a data processor as anyone who processes personal information on behalf of a data fiduciary, the term used under the law to refer to a data controller. A data fiduciary is defined as any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data." The data fiduciary is initially liable for violations by data processors.
3. Consent for Data Processing: The DPDPA hinges on consent as grounds for processing personal data, although additional narrowly defined or situation-based legal grounds are also available. The consent for the processing of personal data must be "free, specific, informed, unambiguous, and unconditional with a clear affirmative action.”
4. Rights of Data Principals: The DPDPA establishes a comprehensive rights-based framework for data protection, focusing on individual rights and consent as the primary legal grounds for data processing. The rights of data principals (individuals) under the DPDPA include the right to access their information, request its erasure, correct their information, receive notice before consent is sought, and grievance redressal.
5. Exemptions: The DPDPA provides broad exceptions for government entities, while also exempting processing for specific purposes, such as activities that are in the interest of the sovereignty and integrity of India, security of the state ,friendly relations with foreign states, maintenance of public order, and prevention of incitement to commit crimes. One of the Act’s provisions exempts most personal data of people outside India that are processed in India under cross-border contracts.
6. Penalties for noncompliance: The DPDPA grants the government the power to create a board charged with enforcement. The board has a preset list of penalties it may imposed pending on the nature of the violation, which ranges from INR 10,000 (roughly USD 120) to INR 250 Crores (roughly USD 30M)
This law has significant implications for Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), Risk Managers, and Compliance Officers.
To comply with the DPDPA, organizations need to understand their position under the Act. The DPDPA will impact millions of businesses that process personal data within India or are located outside India, and process personal data in connection with offering goods and services to individuals in India.
Organizations should adopt data protection measures and safeguards ,including implementing "technical and organizational measures" to ensure compliance with the DPDPA and adopting "reasonable security safeguards" to prevent personal data breaches. They should also notify affected Data Principals and the Data Protection Board in the event of a personal data breach.
Under the DPDPA, obtaining a Data Principal’s consent is mandatory in most, but not all, circumstances. Valid consent under the DPDPA fulfils all the following conditions: it is a “clear affirmative action,” access to services is not conditional on consent, the Data Principal can easily withdraw consent, and separate consent requests are made for separate purposes.
As a CISO, DPO, Risk Manager, or Compliance Officer, you play a crucial role in ensuring your organization's compliance with the DPDPA. Some key responsibilities are as follows:
· Implementation of Security Measures: Appropriate security safeguards must be implemented to protect personal data from unauthorized access, use, disclosure, modification, or destruction.
· Compliance with Data Protection Board Directions: You need to ensure that your organization complies with the directions of the Data Protection Board of India and the regulatory authority established by the DPDPA.
· Facilitating Secure and Lawful Data Transfers: You must ensure compliance with the conditions for secure and lawful data transfers.
· Adherence to Codes of Practice: You need to ensure that your organization adheres to the codes of practice issued by the Data Protection Board on various aspects of personal data processing.
· Appointment of a Data Protection Officer (DPO): If your organization is classified as a significant data fiduciary (SDF), you need to appoint a DPO based in India to oversee compliance with the DPDPA. However ,it is important to note that a CISO should not assume the role of a DPO because of potential conflicts of interest.
· Data Handling and Deletion: Once the purpose of data processing has been met, DPDPA requires that the data be deleted.
· International Data Transfers: You need to ensure compliance with the DPDPA's provisions on international data transfers.
By understanding and implementing these aspects of the DPDPA, you can help your organization navigate the new data protection landscape in India effectively and lawfully.