Introduction
The Digital Personal Data Protection Act, 2023[1] (“Act”), which came into effect on 11 August 2023, marks a significant milestone in safeguarding individuals' privacy and regulating how businesses handle personal data. To ensure compliance and uphold customer trust, companies must familiarize themselves with the Act's provisions and implement the necessary measures outlined in this Article.
The Act introduces the following important roles in the data protection ecosystem:
Understanding these roles is crucial for businesses to determine their responsibilities and relationships when handling digital personal data.
The Act applies to the processing of all digital personal information in India whether such personal information is collected in digital or non-digital form. The Act also applies to the processing of digital personal information outside India if such processing is for providing goods and services to Data Principals in India.
Processing in itself encompasses a wide range of activities, including data collection, processing, storage, sharing, transmission, erasure, or destruction. The Act is designed to safeguard individuals' personal data rights, promote responsible data processing, and create a transparent and accountable data processing ecosystem.
Under the Act, individuals enjoy enhanced rights over their personal data, including the right to access, rectify, erase, and restrict processing of their information. Further, Data Fiduciaries are required to establish mechanisms to receive and address grievances of Data Principals in relation to the processing of their personal data. Businesses must establish processes to address these requests promptly and transparently, allowing individuals to exercise their rights effortlessly.
The Act places a strong emphasis on obtaining explicit and informed consent from individuals before collecting and processing their personal data. Businesses must review their consent mechanisms to ensure they are transparent, easily understandable, and allow individuals to grant or withdraw consent freely.
Further, special focus has been given to the processing of personal information belonging to a child, which would require the consent of a parent or guardian.
Transferring personal data across international borders, except under certain exemptions provided in the Act, will require special attention from businesses. The Central Government may in future notify countries to which the transfer of personal data by a Data Fiduciary is restricted.
In the unfortunate event of a data breach, Data Fiduciaries are required to notify the Board of the breach, together with such information as may be prescribed in the future under the Act. Having a well-defined incident response plan in place can therefore help a Data Fiduciary manage such situations efficiently.
One of the key requirements of the Act is the appointment of a Data Protection Officer (“DPO”) by a Significant Data Fiduciary. This individual serves as a bridge between the company, Data Principals, and regulatory authorities. The DPO is responsible for overseeing data protection activities, ensuring compliance, and acting as a point of contact for data subjects' inquiries and concerns.
Significant Data Fiduciaries are required to periodically conduct a Data Protection Impact Assessment (“DPIA”), a process that covers the rights of Data Principals, the purpose of processing their data, the assessment and management of risks to the rights of Data Principals, and other matters as may be prescribed under the Act. Businesses designated as Significant Data Fiduciaries must conduct DPIAs to assess the potential privacy risks associated with their operations and their processing of the digital personal data of Data Principals, and may need to implement measures to mitigate these risks.
The Act establishes the Data Protection Board of India (“Board”), a regulatory authority responsible for overseeing and enforcing data protection compliance under the Act including matters concerning data breaches or any complaint from Data Principal.
Recommendations for the businesses
In view of the above provisions of the Act, businesses in India are required to conduct a comprehensive data mapping exercise to identify the personal data they collect, process, and store. This includes understanding the purpose of data collection, the legal basis for processing, and the duration of data retention. Maintaining an accurate data inventory helps in managing data flows and assessing compliance risks.
Compliance with the Act extends beyond processes and technology and may require businesses to cultivate a culture of data protection within the organization. Regular training sessions and awareness programs for employees can help them understand the importance of data privacy and their role in maintaining compliance with the Act.
Maintaining accurate records of data processing activities, consent obtained, and compliance measures taken is crucial. These records serve as evidence of compliance and can be useful during audits or interactions with regulatory authorities.
Conclusion
With the implementation of the Act, India has taken a huge step towards facilitating personal data privacy and protection. This is evident from some of the Data Principal's rights, such as the right to erase and restrict processing of personal data, which are in line with the General Data Protection Regulation[2] of the European Union, which came into effect in May 2018, and the California Consumer Privacy Act of 2018[3]. Such rights have been provided by very few of the data privacy and protection regulations currently implemented around the world.
The Act underscores the significance of responsible data handling, granting individuals greater control over their information. By adhering to the essential compliances outlined in the Act, businesses can not only avoid legal repercussions but also build a foundation of trust and loyalty with their customers in this data-driven era.
[1] The Digital Personal Data Protection Act, 2023 <https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf> accessed on 28 August 2023
[2] General Data Protection Regulation (GDPR), Official Legal Text <https://gdpr-info.eu/> accessed on 28 August 2023
[3] The California Consumer Privacy Act 2018 <https://oag.ca.gov/privacy/ccpa> accessed on 28 August 2023