Digital Personal Data Protection (DPDP)

Are you looking to comply with the new Digital Personal Data Protection (DPDP) Act implemented by the Indian government in the Lok Sabha?

If so, VISTA InfoSec is here to help you become DPDP compliant.

What is the DPDP Act?

On August 11, 2023, the President of India gave his assent to the Digital Personal Data Protection Act, 2023 (DPDP Act), which outlines the lawful usage requirements for data collected by Data Fiduciaries and the rights and obligations of Digital Nagrik citizens.

The DPDP Act, 2023 is principle-based and less prescriptive than the EU’s GDPR. It’s more business-friendly and effectively protects user rights.

It focuses on digital personal data and replaces Section 43A of the IT Act and the SPDI Rules once enacted.

The DPDP Act promotes legality, fairness, and transparency in online personal data management.

● It assigns responsibilities to data custodians.

● It specifies data processing regulations.

● It grants individuals key rights.

● It establishes organizational obligations.

Why is it important to be DPDP compliant?

The DPDP Act proposes a compliance framework that includes the establishment of a Data Protection Board of India to ensure adherence.

The board will identify and penalize non-compliance, perform other duties assigned by the Central Government, and set up a Data Protection Authority for enforcement. Penalties up to Rs 250 crore for data misuse safeguard Indian citizens’ privacy (Clause 33 & Schedule, DPDP Act).

Responsibilities of Significant Data Fiduciaries (SDFs) (Clause 10 of DPDP Act)

SDFs have several responsibilities under the Digital Personal Data Protection Act, including:

1. Appointing a Data Protection Officer (DPO): SDFs must appoint a DPO based in India, who will be responsible to the board of directors of the SDF.

2. Appointing an Independent Data Auditor: SDFs must appoint an independent data auditor to evaluate their compliance with the Act.

3. Undertaking Data Protection Impact Assessments (DPIA) and Periodic Audits: SDFs must undertake DPIAs and periodic audits, as prescribed under the rules.

4. Reporting Data Breaches: SDFs are required to report any data breaches to the authorities and to the affected users.

How can VISTA InfoSec help your organization comply with regulations and standards?

Let us help your organization achieve its Data Protection Compliance goals! Avoid the risk of penalties for data misuse by allowing us to assist you in safeguarding your customers’ privacy and protecting their personal data.

We are a global Information Security Consulting firm with offices in the US, UK, Singapore, and India, and have nearly two decades of experience in securing IT infrastructure and helping clients meet compliance obligations.

Our consulting services are designed to help you navigate the complexities of new legislation and ensure full compliance.

Schedule a complimentary consultation with our team of experts to learn more about the DPDP Bill and how we can help.



    Our Approach to Digital Personal Data Protection (DPDP)

    Initial study

    Conduct an initial study of your business to understand your card processes and environment, and consolidate the Digital Personal Data Protection (DPDP) scope accordingly.

    Scope Definition

    Confirm systems that fall under the Digital Personal Data Protection (DPDP) scope and formulate the scope statement.

    Gap Analysis

    Identify gaps in your organization’s security control systems and environment vis-à-vis Digital Personal Data Protection (DPDP) requirements.

    Data Leakage Assessment

    Conduct a thorough data leakage assessment of your application and assist in remediation.

    Awareness Sessions

    Conduct awareness sessions for your IT team and the personnel involved in card data processing, giving a quick background to Digital Personal Data Protection (DPDP).

    Data & Assets Classification

    Identify your information assets across the organization and classify them as per criticality to create an asset inventory.

    Risk Assessment

    Conduct a risk assessment to identify assets exposed to risk and assess how that exposure could impact your organization.

    Risk Treatment

    Provide detailed remediation strategies, including recommended compensating controls where applicable, that can help your organization strengthen its security posture.

    Documentation Support

    Create policies and procedures as per Digital Personal Data Protection (DPDP) requirements which are then validated by your team.

    Policy roll-out support

    Provide full support to your team in implementing necessary policies for your organization.

    User Training

    Conduct a User Training program for all personnel covered in scope on their specific responsibilities.

    Pre-Assessment

    After a reasonable gestation period, our separate team of experts conducts a Pre-assessment (internal audit) of your setup to check whether the suggested measures are implemented and in place.

    Audit & Attestation

    Once all controls are confirmed to be in place, we help you get attested with our own duly segregated audit team or any external auditors of your choice.


    Why work with VISTA InfoSec?

    Vendor-neutral Consultancy & Advisory Service Company.
    Strict no Outsourcing Policy.
    Secure Cloud-based portals with two-factor authentication for reporting and progress tracking.
    Specialize in Risk Management, Compliance Solutions, and Consultancy Services.
    Focus on Cyber Resilience, Data Protection, and Cybersecurity Solutions.
    Pragmatic Approach towards achieving Compliance.
    More than a decade of industry experience and expertise.

    Frequently Asked Questions on Digital Personal Data Protection (DPDP)

    The Digital Personal Data Protection (DPDP) Act, 2023 regulates the processing of personal data within the territory of India. Under the Act, ‘Personal Data’ is defined as any data about an individual who can be identified by or about such data. The DPDP Act applies only to personal data in digital form and its applicability extends beyond the territory of India. This means that the Act can apply to the processing of personal data irrespective of the location of the processing, provided that the processing is related to any activity offering goods or services to data principals within India. According to Section 8 (5) of the DPDP Bill 2023, responsibility for compliance with the Act lies with the Data Fiduciary, even in cases where activities are undertaken by a Data Processor or another Data Fiduciary on behalf of the Data Fiduciary. This means that any individual or entity that processes personal data within India must comply with the DPDP Act, regardless of whether they are physically present or incorporated in India, or whether the personal data belongs to a data principal located in India or abroad.

    The cost of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.

    The duration of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.

    After a DPDP Audit is complete, you will receive a report detailing the findings of the audit. The report will typically include an assessment of your organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023, as well as recommendations for improving your compliance. The report may also include an evaluation of your organization’s data protection policies and procedures, as well as an assessment of the risks associated with the processing of personal data within your organization.

    A DPDP Audit Certification is an independent assessment of an organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023. The purpose of a DPDP Audit is to ensure that the organization is complying with the requirements of the Act and to identify any areas where improvements can be made. The audit can help organizations to identify and address any potential risks associated with the processing of personal data, and to ensure that they are taking appropriate measures to protect the privacy of individuals.
