Key Insights into India’s DPDPA 2023: Navigating the New Era of Data Protection
The Digital Personal Data Protection Act (DPDPA) of 2023 is a major step in Indian privacy legislation, aiming to balance individual rights against the practical needs of data processing. Enacted in August 2023 and, at the time of writing, expected to be brought into force in 2024, the Act defines the rights of data principals (individuals) and the obligations of data fiduciaries (entities that decide how and why data is processed). It introduces penalties for personal data breaches and a special category of "significant data fiduciaries." It also mandates verifiable consent from a parent or lawful guardian before processing the data of children and of persons with disabilities. Enforcement is handled by the Data Protection Board of India, with appeals going to the Telecom Disputes Settlement and Appellate Tribunal.
Key Entities in India's DPDPA
- Data Principal: The individual to whom the personal data relates. For a child, the parent or lawful guardian exercises the principal's rights; for a person with a disability who has a lawful guardian, that guardian does.
- Data Fiduciary: Any entity, such as a business, financial institution, or startup, that alone or with others determines the purpose and means of processing personal data.
- Data Processor: An organization or individual that processes personal data on behalf of a data fiduciary.
- Significant Data Fiduciaries (SDFs): These entities have extra responsibilities, such as appointing a Data Protection Officer (DPO), conducting impact assessments, and performing data audits. The government designates SDFs based on factors like the volume or sensitivity of data and potential national security risks.
Scope of India's DPDPA
India's DPDPA applies to any entity processing digital personal data under these conditions:
- The processing takes place within India's borders.
- The processing occurs outside India but involves offering goods or services to individuals in India.
- It covers personal data collected in either digital or non-digital form, provided the data has subsequently been digitized. It does not apply to data the data principal has made publicly available, to data made public under a legal obligation, or to data processed for personal or domestic purposes.
Definition of Personal Data
Under India's DPDPA, personal data is any data about an individual who is identifiable by or in relation to that data (Section 2(t)). This is broader than a name or ID number: an identifier is personal data if it can be linked back to a person, directly or in combination with other data. The public-information exclusion is narrow: it covers data the data principal has made publicly available or that is made public under a legal obligation. It does not extend to private data that was never intended for public release, even if it later leaks.
Responsibilities of Data Fiduciaries
- Data Minimization: Data fiduciaries may collect only the personal data necessary for the specified purpose. They must erase data once the purpose has been served or consent has been withdrawn, unless retention is required by law, and this obligation extends to ensuring that any data processor they engage also deletes it.
- Purpose Limitation: Personal data may be processed only for the purpose for which the data principal gave consent. Exceptions include processing required to comply with a legal obligation or for certain legitimate uses and public-interest purposes set out in the Act.
- Privacy Notices: Privacy notices must be clear and specific, and the data principal must be able to read the notice and the consent request in English or in any of the 22 languages listed in the Eighth Schedule of the Constitution. The notice accompanies the request for consent and explains which personal data is processed, the purpose of processing, how the principal can exercise their rights, and how to complain to the Data Protection Board.
- Consent: Data fiduciaries may not process personal data without consent unless a legitimate use or other exemption in the Act applies. Withdrawing consent must be as easy as giving it. For children and for persons with disabilities who have a lawful guardian, consent must come from the parent or lawful guardian and must be verifiable.
- Accuracy and Security: Fiduciaries must ensure that personal data is accurate, complete and consistent where it is used to make decisions affecting the individual or is disclosed to another fiduciary. They must also implement reasonable security safeguards to prevent personal data breaches, including for data held by their processors.
- Grievance Redressal: There must be an accessible and clear process for handling complaints. Fiduciaries should address grievances within a reasonable time and publish contact details for their Data Protection Officer or another officer able to answer questions about processing.
- Child Protection: The Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children unless the central government exempts a specific class of processing. Data fiduciaries must not process children's data in a way that is likely to cause detrimental effects on a child's well-being.
- Breach Reporting: A personal data breach must be reported to the Data Protection Board and to each affected data principal in the form and manner to be prescribed by rules; the Act itself does not set out a notification format or a time limit, so fiduciaries should prepare to report without delay once the rules are notified.
Rights of Data Principals
- Right to Correction: Individuals can require a data fiduciary to correct, complete or update their personal data.
- Right to Access: Individuals can ask for a summary of the personal data being processed and of the processing activities, and for the identities of all other data fiduciaries and data processors with whom their data has been shared, along with a description of what was shared.
- Right to Erasure: Individuals can ask for their personal data to be erased. A data fiduciary may retain the data only if retention is necessary for the specified purpose or required by law.
- Right to Grievance Redressal: Data principals must have an easy and clear way to raise complaints about processing. They may approach the Data Protection Board only after exhausting the fiduciary's internal grievance mechanism.
- Right to Nominate: Individuals can nominate another person to exercise their rights in the event of their death or incapacity.
- Right to Withdraw Consent: Individuals can withdraw consent at any time, and doing so must be as easy as giving it. The principal bears any consequences of withdrawal (for example, loss of a service that cannot be provided without the data), and the fiduciary and its processors must stop processing within a reasonable time unless processing is required by law.
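The erasure, retention and consent-withdrawal rules above interact: withdrawal of consent or completion of the purpose triggers erasure, a legal retention requirement overrides erasure but not the obligation to stop processing, and every erasure must be pushed down to the data processors holding copies. The following Python is an added illustration of how a fiduciary might encode that decision, not code from the page or from any vendor; the record fields, the three action names and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class PersonalDataRecord:
    """One unit of personal data held for one stated purpose (field names assumed)."""
    record_id: str
    data_principal: str
    purpose: str
    consent_active: bool                  # False once the principal withdraws consent
    purpose_completed_on: Optional[date]  # None while the purpose is still being served
    legal_hold_until: Optional[date]      # end of a statutory retention period, if any
    processors: tuple = ()                # data processors holding a copy

def retention_decision(rec: PersonalDataRecord, today: date):
    """Return (action, reason) for one record.

    Actions:
      retain   - keep and continue processing for the stated purpose
      restrict - keep only to satisfy a legal retention duty; no further processing
      erase    - delete here and instruct every processor to delete its copy
    Order matters: a legal duty to retain overrides erasure, but consent withdrawal
    or a served purpose still ends ordinary processing (hence 'restrict').
    """
    erasure_trigger = None
    if not rec.consent_active:
        erasure_trigger = "consent withdrawn"
    elif rec.purpose_completed_on is not None and rec.purpose_completed_on <= today:
        erasure_trigger = "purpose served"

    if erasure_trigger is None:
        return "retain", "purpose still active"
    if rec.legal_hold_until is not None and today <= rec.legal_hold_until:
        return "restrict", f"{erasure_trigger}; legal retention until {rec.legal_hold_until.isoformat()}"
    return "erase", erasure_trigger

def build_erasure_plan(records, today: date):
    """Apply retention_decision to every record and fan erasures out to processors."""
    plan = {"retain": [], "restrict": [], "erase": [], "processor_notices": {}}
    for rec in records:
        action, reason = retention_decision(rec, today)
        plan[action].append((rec.record_id, reason))
        if action == "erase":
            for proc in rec.processors:
                plan["processor_notices"].setdefault(proc, []).append(rec.record_id)
    return plan

# Constructed sample records; none describe a real system or person.
SAMPLE_RECORDS = (
    PersonalDataRecord("r1", "p-100", "deliver order", True, None, None, ("cloud-crm",)),
    PersonalDataRecord("r2", "p-101", "newsletter", False, None, None, ("cloud-crm",)),
    PersonalDataRecord("r3", "p-102", "invoice", False, None, date(2031, 3, 31), ("erp-host",)),
    PersonalDataRecord("r4", "p-103", "one-off survey", True, date(2024, 1, 15), None,
                       ("payroll-vendor", "cloud-crm")),
    PersonalDataRecord("r5", "p-104", "warranty claim", True, date(2024, 9, 1), None, ()),
)

def sample_plan():
    """Evaluate the constructed records as of an assumed date."""
    return build_erasure_plan(SAMPLE_RECORDS, date(2024, 6, 1))

if __name__ == "__main__":
    for action, items in sample_plan().items():
        print(action, items)
```

The plan is a data structure rather than an immediate delete so it can be logged as evidence of compliance and reviewed before being executed against each store and each processor.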
Consent Requirements – India's DPDPA
Consent is the primary lawful basis under the DPDP Act. Before processing personal data, a data fiduciary must obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. The request for consent must be accompanied by a privacy notice describing the personal data to be collected, the purpose of processing, how the principal can exercise their rights, and how to complain to the Data Protection Board.
The Act also introduces consent managers: entities registered with the Data Protection Board that act on behalf of data principals as a single point through which the principal can give, manage, review and withdraw consent across the fiduciaries with which their data has been shared.
Personal Data Breaches and the Penalties
Under the DPDP Act, a "personal data breach" is any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. The Act sets no severity threshold: every breach must be reported to the Data Protection Board and to each affected data principal.
Non-compliance with the DPDP Act can result in penalties of up to INR 250 crore (roughly USD 30 million) per instance, depending on the violation; the highest tier applies to failing to take reasonable security safeguards to prevent a breach. When setting a penalty the Board considers the nature, gravity and duration of the breach, whether it is repetitive, the type and sensitivity of the data involved, whether the fiduciary gained from or avoided loss through it, and what the fiduciary did to mitigate its effects.
Compliance Steps for India's DPDPA
- Obtain valid consent before processing any personal data.
- Provide clear, accessible privacy notices, with the option to read them in English or any of the 22 Eighth Schedule languages.
- Collect only the data necessary for the specific purpose and ensure its deletion when it's no longer needed.
- Implement strong security measures to protect personal data.
- Obtain verifiable consent for processing the data of children and individuals with disabilities.
- Make sure personal data is correct and complete.
- Report data breaches promptly to both the Data Protection Board and the affected individuals.
- Avoid practices like behavioral monitoring or targeted advertising aimed at children unless explicitly allowed by the government.
- Conduct regular audits and impact assessments if designated as a Significant Data Fiduciary.
- Ensure that personal data is not transferred to countries restricted by the Indian government.
- Maintain contracts with data processors and ensure their compliance with the DPDP Act.
How Ardent Privacy helps with India's DPDPA compliance
Ardent Privacy offers solutions that help organizations comply with India's Digital Personal Data Protection Act (DPDP) by addressing the law's requirements for data management, privacy and security. Here is how it maps to DPDP compliance:
1. Data Discovery and Classification:
Ardent Privacy helps organizations discover and classify personal data across their systems so they know exactly where personal data is stored. This is a prerequisite for DPDP compliance: an organization cannot safeguard data, honour erasure requests or manage consent for data it does not know it holds.
2. Data Minimization:
The DPDP Act requires data minimization, meaning companies should collect only the data necessary for a specified purpose. Ardent Privacy offers data minimization tools that flag and eliminate unnecessary data, reducing both regulatory exposure and the blast radius of a breach.
3. Consent Management:
A core requirement of the DPDP Act is obtaining valid, affirmative consent before collecting and processing personal data. Ardent Privacy assists with consent management by integrating mechanisms that track, record and manage consent, so that organizations can demonstrate what consent was given, for which purpose, and when it was withdrawn.
4. Data Subject Rights (DSRs):
The DPDP Act grants data subjects rights such as access to their data, the right to correction, and the right to erasure. Ardent Privacy supports the management of these data subject requests (DSRs) by streamlining workflows for responding to requests, managing erasure, and modifying or providing access to personal data in compliance with the law.
5. Data Retention Policies:
Compliance with the DPDP Act also requires implementing proper data retention policies to ensure personal data is not stored longer than necessary. Ardent Privacy's solutions allow organizations to enforce automated data retention policies, thereby avoiding potential penalties for holding onto data longer than required.
6. Data Anonymization and Encryption:
To meet the DPDP Act’s security requirements, Ardent Privacy provides tools for data anonymization and encryption. These ensure that even if data is breached or exposed, it remains protected by being rendered unintelligible to unauthorized parties, reducing the risks of non-compliance.
7. Audit and Reporting:
Ardent Privacy helps with audit readiness by maintaining comprehensive records of data processing activities, including consent and data subject requests. This documentation is vital for compliance checks and reporting obligations required by the DPDP Act.
8. Risk Assessments and Privacy Impact Assessments (PIAs):
The DPDP Act requires Significant Data Fiduciaries to conduct periodic Data Protection Impact Assessments and audits, and regular risk assessments are good practice for every fiduciary that must implement reasonable security safeguards. Ardent Privacy provides tools to automate these assessments, allowing organizations to detect potential risks in their processing activities and take preventive measures.
By offering these comprehensive solutions, Ardent Privacy can play a significant role in helping organizations comply with India's Digital Personal Data Protection Act efficiently and effectively.