DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company
DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.
Data is the cornerstone of modern business operations. With the increasing reliance on digital platforms for transactions and interactions, there was an urgent need for a legislative framework to protect users' data. India has finally taken a significant step forward by introducing the Digital Personal Data Protection Act (DPDPA) in 2023. This groundbreaking legislation is poised to reshape how businesses handle personal data and safeguard user privacy. However, every new law brings its own set of challenges. With the commencement of the DPDP Act 2023, businesses are accountable not only for current user data but also for all the data collected since their inception. The chief objective of the Digital Personal Data Protection Bill is to establish a durable framework for the protection and processing of personal data. The bill covers data captured in digital form, and data captured in physical form if it is subsequently digitised. The legislation affects all sectors, including education, banking, insurance, healthcare, hospitality, e-commerce, retail, travel, aviation, and telecom.
On August 3, 2023, the Ministry of Electronics & Information Technology (MeitY) introduced the Digital Personal Data Protection Bill, 2023. Parliament passed the bill on August 7, 2023, followed by the Rajya Sabha on August 9, 2023. On August 11, 2023, it was published in the Official Gazette after Presidential assent. Here are the key features:
Coverage under DPDPA: Any person or entity processing personal data for any purpose other than personal or domestic use, or having another party process the personal data on its behalf, is covered under the DPDPA.
A notice while obtaining consent about the purpose and the processing is mandatory under the DPDP Act.
Data Principals can request correction of inaccurate information stored about them and deletion of their personal data if they stop using the services for which the data was collected. Use and retention must be in line with the disclosures made to the Data Principal.
Personal data may be stored only after explicit, defined consent has been given, and used only for the purpose for which that consent was sought and given.
A Data Fiduciary shall not undertake the processing of personal data that may cause detrimental effects on the well-being of a child. In addition, it shall not track or monitor children’s behaviour or target advertising directed at children.
The Act requires that international data transfers be made only to countries offering an adequate level of data protection. Where adequate protection is lacking, standard contractual clauses or other approved mechanisms should be in place to safeguard cross-border data flows.
1. Data Protection Board The DPDP Bill is yet to establish a Data Protection Board as an enforcement body of the Central Government.
2. Data Fiduciary A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data. Under the DPDP Act, a Data Fiduciary may process the data itself or through any party that processes personal data on its behalf, defined as a Data Processor. The Data Fiduciary remains responsible for compliance under the DPDP Act.
3. Consent Manager The Data Principal may give, manage, review, revise or withdraw consent via a Consent Manager. The Consent Manager is accountable to the Data Principal and must be registered with the Data Protection Board.
4. Data Principal Individuals to whom the information pertains have the right to request access to their personal data held by organisations under the DPDP Act 2023. They can inquire about the data processing, the purpose, and the entities involved in data handling.
The DPDP Act, among other things, provides the following rights to the Data Principal. Prior to the DPDP Bill, there was no provision for Data Principals to learn how their data was used or misused. Today, if affected by violations involving the information they provided to businesses, visa agencies, educational consultants, HR consultants, employers, e-commerce and martech businesses, banks, healthcare providers, and the like, the Data Principal may have redressal measures under the DPDP Act.
Presently, the only exemption or entity protected by the DPDP Act is the government and its entities. "The Digital Personal Data Protection Bill, 2023, introduced in the parliament on August 3, 2023, gives the government broad powers to exempt any of its agencies from all provisions of the Bill." Contextually, DPDP Consultants in India will be sought after by businesses trying to understand the Act and its impact on their business.
Administrative Fines & Penalties for Non-Compliance Under the DPDP Act
| No. | Breach | Penalty |
| --- | --- | --- |
| 1 | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub-section (5) of section 8 | May extend to two hundred and fifty crore rupees (INR 250,000,000). |
| 2 | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8 | May extend to two hundred crore rupees (INR 200,000,000). |
| 3 | Breach in observance of additional obligations in relation to children under section 9 | May extend to two hundred crore rupees (INR 200,000,000). |
| 4 | Breach in observance of additional obligations of Significant Data Fiduciary under section 10 | May extend to one hundred and fifty crore rupees (INR 150,000,000). |
| 5 | Breach in observance of the duties under section 15 | May extend to ten thousand rupees (INR 10,000). |
| 6 | Breach of any term of voluntary undertaking accepted by the Board under section 32 | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| 7 | Breach of any other provision of this Act or the rules made thereunder | May extend to fifty crore rupees (INR 50,000,000). |
The DPDP Act is the latest legislation governing how businesses and organisations will process, retain and protect the digital personal data of individuals. Each organisation that collects and processes the digital personal data of any individual, including its own employees, will be required to comply with these new regulations.
Compliance Requirements: The DPDPA likely imposes various compliance requirements on businesses, including the implementation of data protection policies, the appointment of a Data Protection Officer (DPO), conducting data protection impact assessments, and adherence to certain data protection principles.
Data Localisation: The bill may have provisions regarding the storage of personal data within India. This could impact businesses that rely on global data storage and processing facilities.
Consent and Transparency: The DPDPA may require businesses to obtain explicit consent before collecting and processing personal data. It may also mandate transparency in how businesses handle and use personal information.
Data Subject Rights: The bill may grant individuals certain rights over their personal data, such as the right to access, correct, and delete their data. Businesses would need to establish mechanisms to facilitate the exercise of these rights.
Data Breach Notification: The DPDPA might introduce requirements for businesses to promptly notify authorities and affected individuals in the event of a data breach.
Impact on Tech Companies: Technology companies, especially those dealing with a significant amount of personal data, may need to reassess their data processing practices and implement measures to ensure compliance with the new regulations.
Cross-Border Data Transfers: If the DPDPA includes provisions on cross-border data transfers, businesses involved in such transfers may need to adhere to specific requirements to ensure the lawful transfer of personal data.
Penalties for Non-Compliance: The bill may introduce penalties for non-compliance, which could include fines and other regulatory actions. Businesses need to consider these potential penalties when developing their data protection strategies.
With an extensive new digital law being implemented in phases, misses and missteps by businesses, Data Fiduciaries, and Consent Managers can result in substantial non-compliance penalties. Moreover, all financial penalties are credited to the Consolidated Fund of India, not to the Data Principals. To avoid non-compliance penalties, DPDP consultants in India are the best help for businesses trying to understand the Digital Personal Data Protection Bill framework.
Compliance Made Easy With DPDPA Consultants
We create tailored solutions to meet your organisation's needs, from expert guidance and training on identifying and mitigating privacy risks to automation tools that manage and review data privacy compliance.