Are you looking to comply with the new Digital Personal Data Protection (DPDP) Act passed by the Indian government in the Lok Sabha?
If so, VISTA InfoSec is here to help you become DPDP compliant.
On August 11, 2023, the President of India gave assent to the Digital Personal Data Protection Act, 2023 (DPDP Act), which sets out the requirements for lawful use of personal data collected by Data Fiduciaries, and the rights and obligations of Digital Nagriks (citizens).
The DPDP Act, 2023 is principle-based and less prescriptive than the EU’s GDPR: it is more business-friendly while still effectively protecting user rights.
It focuses on digital personal data and, once in force, replaces Section 43A of the IT Act and the SPDI Rules.
The DPDP Act promotes legality, fairness, and transparency in the handling of personal data online:
● It assigns responsibilities to data custodians.
● It specifies data processing regulations.
● It grants individuals key rights.
● It establishes organizational obligations.
The DPDP Act establishes a compliance framework, including a Data Protection Board of India to ensure adherence.
The Board will identify and penalize non-compliance, perform other duties assigned by the Central Government, and set up a Data Protection Authority for enforcement. Penalties of up to Rs 250 crore for misuse of personal data (Clause 33 and the Schedule, DPDP Act) back these protections for Indian citizens’ privacy.
Significant Data Fiduciaries (SDFs) have several additional responsibilities under the Digital Personal Data Protection Act, including:
1. Appointing a Data Protection Officer (DPO): SDFs must appoint a DPO based in India, who is accountable to the board of directors of the SDF.
2. Appointing an Independent Data Auditor: SDFs must appoint an independent data auditor to evaluate their compliance with the Act.
3. Undertaking Data Protection Impact Assessments (DPIAs) and Periodic Audits: SDFs must carry out DPIAs and periodic audits, as prescribed under the rules.
4. Reporting Data Breaches: SDFs must report any personal data breach to the authorities and to the affected users.
Let us help your organization achieve its data protection compliance goals. Avoid the risk of penalties for data misuse by letting us assist you in safeguarding your customers’ privacy and protecting their personal data.
We are a global information security consulting firm with offices in the US, UK, Singapore, and India, with nearly two decades of experience in securing IT infrastructure and helping clients meet compliance obligations.
Our consulting services are designed to help you navigate the complexities of new legislation and ensure full compliance.
Schedule a complimentary consultation with our team of experts to learn more about the DPDP Act and how we can help.
1. Conduct an initial study of your business to understand your processes and environment, and consolidate the Digital Personal Data Protection (DPDP) scope accordingly.
2. Confirm the systems that fall under the DPDP scope and formulate the scope statement.
3. Identify gaps in your organization’s security controls and environment vis-à-vis DPDP requirements.
4. Conduct a thorough data leakage assessment of your applications and assist in remediation.
5. Conduct awareness sessions for your IT team and the personnel involved in personal data processing, giving them a quick background to DPDP.
6. Identify your information assets across the organization and classify them by criticality to create an asset inventory.
7. Conduct a risk assessment to identify assets exposed to risk and assess how that risk could impact your organization.
8. Provide detailed remediation strategies, including recommendations for compensating controls where applicable, to help your organization strengthen its security posture.
9. Create policies and procedures as per DPDP requirements, which are then validated by your team.
10. Provide full support to your team in implementing the necessary policies for your organization.
11. Conduct a user training program for all in-scope personnel on their specific responsibilities.
12. After a reasonable gestation period, a separate team of our experts conducts a pre-assessment (internal audit) of your setup to check that the suggested measures are implemented and in place.
13. Once all controls are confirmed to be in place, we help you get attested by our own duly segregated audit team or by any external auditor of your choice.
The Digital Personal Data Protection (DPDP) Act, 2023 regulates the processing of personal data within the territory of India. Under the Act, ‘Personal Data’ is defined as any data about an individual who is identifiable by or in relation to such data. The DPDP Act applies only to personal data in digital form, and its applicability extends beyond the territory of India: the Act can apply to the processing of personal data irrespective of where the processing takes place, provided that the processing is related to an activity offering goods or services to data principals within India.

According to Section 8(5) of the DPDP Bill 2023, responsibility for compliance with the Act lies with the Data Fiduciary, even where activities are undertaken by a Data Processor or another Data Fiduciary on its behalf. This means that any individual or entity that processes personal data within India must comply with the DPDP Act, regardless of whether they are physically present or incorporated in India, and regardless of whether the personal data belongs to a data principal located in India or abroad.
The cost of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.
The duration of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.
After a DPDP Audit is complete, you will receive a report detailing the findings of the audit. The report will typically include an assessment of your organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023, as well as recommendations for improving your compliance. The report may also include an evaluation of your organization’s data protection policies and procedures, as well as an assessment of the risks associated with the processing of personal data within your organization.
A DPDP Audit Certification is an independent assessment of an organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023. The purpose of a DPDP Audit is to ensure that the organization is complying with the requirements of the Act and to identify any areas where improvements can be made. The audit can help organizations to identify and address any potential risks associated with the processing of personal data, and to ensure that they are taking appropriate measures to protect the privacy of individuals.