Businesses with Indian customers or those accessible to Indian citizens, take note! The Digital Personal Data Protection Act (DPDP) has been passed in India. This new law, approved by the president on August 11, 2023, dictates how organizations handle personal data.
The DPDP Act is not yet enforceable as the Data Protection Board of India is still being established. Until then, businesses should adhere to existing Indian privacy laws, primarily the Sensitive Personal Data or Information Rules (SPDI) 2011.
To achieve a detailed understanding of the DPDP, please refer to our previous blog post.
In this blog, we will focus on “How to Comply with the Principles of the DPDP.” Let’s dive in!
Who Must Comply With the DPDP Act?
Under the DPDP Act, ‘Data Fiduciaries’ – entities that handle personal digital data in India – are primarily responsible for compliance (Clause 2 (i), DPDP Act). This responsibility includes adhering to DPDP regulations and identifying data processors.
Consent managers, registered with the Board, also have responsibilities under the DPDP. All data fiduciaries must adhere to the act’s regulations (Clause 2 (g), DPDP Act).
8 Steps to Achieve DPDP Compliance: Key Obligations for Data Fiduciaries
1.Notify and Obtain Consent Before Data Processing:
Under the DPDP Act, it is mandatory for a data fiduciary to notify and obtain consent from the data principal before processing personal data (Clause 5, DPDP Act). The notice should inform the data principal about the following:
- The personal data to be processed and its purpose
- How to exercise rights under the DPDP
- How to lodge a complaint with the Board
Consent should be clear, informed, and freely given. It should be limited to necessary data and can be withdrawn at any time, which would prompt data processing to stop (Clause 6(1), DPDP Act).
2.Appoint a Data Protection Officer:
A Significant Data Fiduciary shall publish the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary, any questions raised by the Data Principal about the processing of her personal data. (Clause 10 (2) (a), DPDP Act)
The Significant Data Fiduciary shall appoint a Data Protection Officer who shall:
- Represent the Significant Data Fiduciary under the provisions of this Act.
- Be based in India.
- Be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary.
- Be the point of contact for the grievance redressal mechanism under the provisions of this Act.
3.Appoint an Independent Data Auditor:
The Significant Data Fiduciary shall appoint an independent data auditor to carry out a data audit.
The auditor shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act (Clause 10 (2) (b), DPDP Act).
4.Conduct the Data Protection Impact Assessment (DPIA) and Audits:
The Significant Data Fiduciary is responsible for implementing the following measures: (Clause 10 (2) (c), DPDP Act).
- Data Protection Impact Assessment (DPIA): This is a regular process detailing Data Principals’ rights and the purpose of processing their data. The DPIA manages risk to these rights and addresses other related matters.
- Periodic Audit: Regular audits are conducted to ensure compliance with the provisions of this Act and to identify any potential areas of concern.
These measures ensure lawful, transparent processing of personal data while maintaining privacy.
5.Maintain Data Integrity Policies During Decision-Making and Personal Data Sharing:
Clause 8(3) of the DPDP Act stipulates that in scenarios where the personal data processed by a Data Fiduciary is likely to either
(a) influence a decision that impacts the Data Principal, or
(b) be shared with another Data Fiduciary, the Data Fiduciary processing such personal data is obligated to ensure its completeness, accuracy, and consistency.
This is a statutory requirement that underscores the importance of data integrity in data processing activities.
6.Define Data Breach Policies and Procedures:
We underscore the importance of Clause 8(6) of the DPDP Act. It mandates that data controllers report any breach in personal data to both the affected individuals and the Data Protection Board of India.
However, the DPDP Board has yet to be formed. We plan to write a blog on this topic as well.
This is in addition to complying with the Computer Emergency Response Team (CERT-In) rules.
In the unfortunate event of a breach, data fiduciaries are required to inform both parties, following guidelines outlined by both DPDP and CERT-In.
7.Develop Documentation and Policies for Cross-Border Data Transfer:
Indian businesses are permitted to transfer digital personal data outside of India, except to countries that are restricted by the Indian government as per Clause 16(1) of the DPDP Act. The government will publish a list of these restricted countries in the future.
However, it is crucial to note that we have already discussed this topic in detail in our blog “Understanding the Basics of the DPDP Act”. I strongly recommend revisiting that resource for a comprehensive understanding of these regulations.
8.Obtain Verifiable Consent Prior to Processing Personal Data of Children and Individuals With Disabilities:
It is mandatory for data fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child or an individual with disabilities. (Clause 9, DPDP Act)
Please note that a “child” is defined as anyone under the age of 18. Certain types of processing, such as online tracking or targeted advertising involving children’s data, are strictly prohibited. This includes any processing that could potentially harm the child.
Furthermore, the Indian Federal Government may allow edtech firms to bypass some data restrictions for children above a certain age, provided they can verifiably ensure the safety of the child’s data.
It is crucial that these guidelines are followed to ensure compliance and protect the rights and privacy of these vulnerable individuals.
Why Must Data Fiduciaries Comply With the DPDP Act?
There are several compelling reasons why data fiduciaries must ensure compliance with the DPDP Act:
Safeguarding Privacy: The DPDP Act’s main goal is to safeguard the digital personal data of Indian citizens. Data fiduciaries managing such data are required to ensure its processing is fair, transparent, and accountable.
Avoiding Hefty Penalties: While the DPDP Act isn’t legally mandatory, data fiduciaries risk severe penalties in case of a data breach. Therefore, it’s beneficial for them to be DPDP compliant. In a data breach scenario, the Data Protection Board could hold the fiduciary accountable, potentially leading to fines up to INR 250 crore (approximately USD 30 million).
Upholding Reputation: Compliance with the DPDP Act demonstrates a data fiduciary’s commitment to privacy, enhancing its reputation and aiding in customer attraction and retention.
In conclusion, adhering to the DPDP Act is vital for data privacy and avoiding penalties. As it’s being implemented, entities handling personal data in India should prepare for its principles. VISTA InfoSec can assist with DPDP compliance, covering all aspects from consent management to audits. Choosing us as your partner mitigates non-compliance risks and shows your commitment to data privacy. As the DPDP evolves, we’ll adapt our services to keep your organization compliant. Don’t wait for full DPDP enforcement – protect your data and reputation now with VISTA InfoSec.