
Last Updated: 2024-03-07 ~ DPDP Consultants

What is Personal Data Under the DPDP Act?

Explore the definition, importance, and protection of personal data, and the differences between regulations like the GDPR and the DPDPA.

In an era dominated by information exchange, understanding the nuances of personal data has become paramount. Extensive data flows through networks, linking users and devices. Organizations rely on gathering personal information to enhance service quality, understand consumer preferences, optimize business strategies, foster customer growth and retention, and potentially monetize data by offering it as second-party data to other enterprises at a profit.

For such reasons, data privacy laws emphasize the critical need to protect individuals’ personal information.

What is Personal Data?

Personal data refers to any information tied to an identified or identifiable individual, such as:

  • Name
  • Age
  • Gender
  • Address
  • Contact details
  • Marital status

and more.

This information can be used to directly or indirectly identify a person. Protection of personal data is crucial for privacy, identity theft prevention, cybersecurity, legal compliance, and the prevention of discrimination. Data protection laws set standards for ethical practices, reinforcing the significance of safeguarding personal information in today’s interconnected and data-driven world.

Laws like the General Data Protection Regulation (GDPR) in the European Union, or the California Consumer Privacy Act (CCPA) in the United States, ensure responsible collection, processing, and handling of personal data.

On August 11, 2023, India’s parliament introduced the Digital Personal Data Protection Act 2023 (DPDPA), marking the country’s inaugural comprehensive data protection law.

Set to replace existing fragmented regulations, the DPDPA is poised to revolutionize how companies handle personal data, in compliance with Indian data protection laws.

What is Personal Data under the DPDPA?

The Act uses familiar terms but introduces some key distinctions, chiefly in the definition of personal data. According to the Act, personal data is “any data about an individual who is identifiable by or in relation to such data”.

It includes all information under one term and does not categorize data as sensitive or non-sensitive like other existing regulations. The Act also does not define any standards for de-identification or anonymization.

Personal data according to GDPR vs. DPDPA

The European Commission established the General Data Protection Regulation (GDPR) to regulate the collection and handling of personal data of European Union (EU) citizens. GDPR differentiates between personal data and sensitive personal data, imposing stricter requirements on the latter.

Unlike the GDPR, the Digital Personal Data Protection Act (DPDPA) treats all personally identifiable data equally, removing the distinction between personal and sensitive personal data.

According to GDPR, personal data encompasses details like:

  • Name
  • Address
  • Phone Number
  • Email
  • Date of Birth
  • Work
  • Education
  • Hobbies

Sensitive data, requiring enhanced protection, covers confidential information such as:

  • Financial Details
  • Medical Records
  • Passwords
  • Social Security Numbers

Exposure of this kind of data has the potential to cause significant harm. In sharp contrast, the Digital Personal Data Protection Act adopts a comprehensive strategy.

Unlike the GDPR, the DPDP Act doesn’t categorize personal data into subtypes like sensitive or critical. It imposes the same stipulations on all personal data, regardless of its nature.

This deviates from the current Indian data protection law, which differentiates data into ‘personal information’ and ‘sensitive personal data or information,’ accompanied by distinct compliance criteria for the latter as outlined in the Information Technology Rules, 2011.

Notable distinctions between the DPDPA and GDPR include various aspects:

  • Scope: The DPDPA governs the processing of digital personal data, excluding data made publicly available under a legal obligation. Its definition aligns with GDPR but differs in scope.
  • Legal Basis: DPDPA allows processing with data principals’ consent or for specific “legitimate uses”. This consent standard resembles that of GDPR. However, it doesn’t recognize processing under bases like contractual necessity or legitimate interests.
  • Data Principal Rights: Beyond GDPR-like rights, DPDPA introduces unique provisions. Data principals gain a right to grievance redressal through designated officers and can nominate representatives in case of death or incapacity.
  • Cross-Border Transfers: DPDPA permits cross-border data transfers, excluding specific restricted jurisdictions. Unlike GDPR, it doesn’t mandate transfer mechanisms.
  • Data Breach Notification: Data fiduciaries must report breaches to the Data Protection Board and affected data subjects in all cases, without specified deadlines. In contrast, the GDPR requires data breaches to be reported within 72 hours (3 days).
  • Significant Data Fiduciaries: The government can classify certain data fiduciaries as significant, imposing additional obligations like independent audits and data protection impact assessments based on various factors. This is different from the GDPR, which mandates all entities to conduct data protection impact assessments in particular situations.

FAQs

1. Is CCTV personal data?

Yes, CCTV footage is subject to data privacy laws. These regulations extend beyond written information, such as names and addresses, and include any data that can identify an individual. This includes images and videos, emphasizing the need for cautious handling of CCTV footage in compliance with data privacy regulations.

2. Can my boss watch me on CCTV?

Yes, workplace cameras are legal, but their use is governed by data protection laws. These acts outline guidelines for collecting, processing, and sharing CCTV data. Businesses using workplace CCTV must register with the respective authoritative office, inform individuals of the recording, and ensure recordings serve a specific purpose, such as preventing theft.

3. What must companies do when recording or monitoring employees at work?

When recording or monitoring employees at work, companies need to adhere to legal procedures. They could start with an impact assessment, evaluating the effects and justifications for surveillance. It is a must to inform employees of the monitoring and its reasons, preferably through a written statement. This transparent approach aids in onboarding, ensuring a smooth understanding of workplace monitoring for both new and existing staff.

DPDPA Compliance — The Way to Go Forward

With the implementation of the DPDPA, businesses must anticipate the imposition of diverse compliance requirements. Businesses would be required to formulate data protection policies, appoint a Data Protection Officer (DPO), conduct impact assessments, and adhere strictly to specified principles.

To mitigate the risk of non-compliance penalties, businesses, Data Fiduciaries, and Consent Managers should exercise caution. Any financial penalties incurred go to the Consolidated Fund of India rather than to the affected Data Principals. DPDP consultants can help you navigate these challenges by providing assistance in understanding and aligning with the complexities of this new regulatory framework.