Six Steps to Comply with India's Digital Personal Data Protection Act (DPDPA)

India's Digital Personal Data Protection Act, 2023 (DPDP Act) is comprehensive legislation aimed at safeguarding the privacy and security of personal data in India. On 11 August 2023, the Act, India's first comprehensive regulatory framework for privacy, received the assent of President Droupadi Murmu and was published in the official gazette.

While the Act's effective date is pending confirmation, and several details (including the DPDP Rules) are yet to be finalized, organizations should start evaluating their exposure now to get a head start on developing a compliance strategy. This article outlines six steps privacy professionals can take to build a proactive compliance roadmap, focusing on the most resource-intensive and technology-dependent operational elements.

  1. Determine applicability

    The DPDP Act applies to:
    • the processing of digital personal data within the territory of India, where the personal data is collected in (i) digital form or (ii) non-digital form and digitized subsequently.
    • the processing of digital personal data outside the territory of India, if such processing is in connection with any activity relating to the offering of goods and services to data principals within the territory of India.
    The DPDP Act does not apply to:
    • personal data processed by an individual for any personal or domestic purpose.
    • personal data that is made or caused to be made publicly available by (i) the data principal to whom such personal data relates; or (ii) any other person who is under an obligation under any Indian law to make such personal data publicly available. As an example of the former, if an individual makes available their personal data while blogging their views, the provisions of the Act will not apply.
    • the processing of personal data (i) by Government-notified state instrumentalities for reasons of national or public interest; or (ii) if it is necessary for research, archiving or statistical purposes as long as such data is not used to take any decision specific to a data principal and such processing remains consistent with prescribed standards.

    The DPDP Act defines “processing” in relation to personal data to mean a wholly or partly automated operation (or set of operations) performed on digital personal data, and includes operations such as collection, storage, retrieval, use, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

    In summary, the DPDP Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data.

  2. Build a data inventory and data map

    Data governance is foundational to any privacy compliance program. Although the Act does not explicitly call out a data inventory or data map as a requirement, privacy pros will need to know what personal data types are processed, where they are stored, what processing is performed on them and which data processors they are shared with in order to meet several of the Act's obligations. Examples of obligations whose implementation depends on a data inventory include:

    • Data fiduciaries must ensure the data's completeness, accuracy and consistency, where personal data is used for decision-making that affects the data principals.
    • Data fiduciaries must enable data principal rights such as the right to access, correction and erasure of personal information.
    • Data fiduciaries and data processors must enforce data erasure requirements when the specified data processing purpose is no longer being served.
    • Data fiduciaries must provide notice to data principals about the personal data being processed and the purpose of processing.

    There is no one-size-fits-all solution for data inventory and mapping initiatives. Data discovery, classification and cataloging approaches range from manual, often starting with interviews and questionnaires, to automated, using code scanning or machine learning-based data classification tools. Before selecting a method, privacy pros must consider several factors, including data ecosystem complexity, data volume, resource requirements, executive support, tooling availability and scalability.

  3. Set up consent mechanisms

    If data processing relies on consent, organizations will need to comply with the Act's consent requirements and build a compliance plan that accounts for the following:

    • One of the fundamental principles of the Act is obtaining informed and explicit consent from individuals before collecting or processing their personal data. Consent establishes the lawful basis for processing personal information and upholds the principle of data autonomy for individuals.
    • Consent under the DPDP Act must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action. Individuals must have a clear understanding of what they are consenting to and must be able to withdraw consent at any time, with ease comparable to that with which it was given.

    The Act also places the burden on data fiduciaries to prove that notice was given and that data principals consented under its provisions. Retaining consent logs is therefore crucial to demonstrating compliance. At a minimum, these logs should include an identifier of the data principal, the timestamp of consent, the method of consent and the version of the notice associated with the consent request. Because consent can be withdrawn at any time, the log must also record withdrawals, so that the consent status for any principal and purpose at any given time can be reconstructed, and it should be protected against after-the-fact alteration, since a log that can be silently edited proves little.
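
    As an added example (not code from the original article or from Ardent Privacy), the following Python sketch of a consent log records the minimum fields above plus withdrawals, and chains the records with SHA-256 so that a later edit or deletion inside the log is detectable. The principal identifier, purposes, timestamps and notice versions are constructed, and the field names are assumptions, not terms from the Act.

```python
"""Append-only, hash-chained consent log.

Added example, not Ardent Privacy's code. Each record carries the minimum fields the
text lists (principal identifier, timestamp, method, notice version) plus the purpose and
the event type, and is linked to the previous record by SHA-256 so that editing or
removing any entry is detectable. Identifiers, timestamps and purposes are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List

GENESIS = "0" * 64   # prev_hash of the first record


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str     # identifier of the data principal (ideally a pseudonym)
    ts: str               # ISO-8601 UTC timestamp; assumed uniform so strings sort correctly
    event: str            # "granted" or "withdrawn"
    purpose: str          # the specific purpose the consent covers
    method: str           # how it was captured, e.g. "web-form", "app-toggle"
    notice_version: str   # version of the notice shown with the consent request
    prev_hash: str        # hash of the preceding record (the chain link)
    hash: str = ""        # hash of this record, computed by append()


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append(log: List[ConsentEvent], **fields) -> ConsentEvent:
    """Append one event, chaining it to the hash of the current last entry."""
    if fields.get("event") not in ("granted", "withdrawn"):
        raise ValueError("event must be 'granted' or 'withdrawn'")
    body = dict(fields, prev_hash=log[-1].hash if log else GENESIS)
    rec = ConsentEvent(**body, hash=_digest(body))
    log.append(rec)
    return rec


def verify_chain(log: List[ConsentEvent]) -> bool:
    """Recompute every hash and link; False if any record was altered or removed."""
    prev = GENESIS
    for rec in log:
        body = asdict(rec)
        stored = body.pop("hash")
        if rec.prev_hash != prev or _digest(body) != stored:
            return False
        prev = stored
    return True


def consent_valid_at(log, principal_id: str, purpose: str, at: str) -> bool:
    """Was consent for (principal, purpose) in force at timestamp `at`?
    The latest grant or withdrawal on or before `at` wins; no event means no consent."""
    state = False
    for rec in log:   # log is append-only, so records are already in time order
        if rec.principal_id == principal_id and rec.purpose == purpose and rec.ts <= at:
            state = rec.event == "granted"
    return state


def tampered_copy(log, index: int, **changes):
    """What an insider with write access to the store might do: edit one record in place
    without recomputing hashes. verify_chain() must reject the result."""
    out = list(log)
    out[index] = replace(log[index], **changes)
    return out


def sample_log() -> List[ConsentEvent]:
    """Constructed history: consent for two purposes, then marketing consent withdrawn."""
    log: List[ConsentEvent] = []
    append(log, principal_id="dp-7f3a", ts="2024-01-10T09:00:00Z", event="granted",
           purpose="order-fulfilment", method="web-form", notice_version="notice-v2")
    append(log, principal_id="dp-7f3a", ts="2024-01-10T09:00:00Z", event="granted",
           purpose="marketing-email", method="web-form", notice_version="notice-v2")
    append(log, principal_id="dp-7f3a", ts="2024-03-02T18:30:00Z", event="withdrawn",
           purpose="marketing-email", method="app-toggle", notice_version="notice-v2")
    return log
```

    consent_valid_at() answers the question an auditor or a downstream system actually asks: was consent for this purpose in force at the time of processing? verify_chain() catches edits and deletions inside the log, but a hash chain alone cannot detect truncation of its tail; anchor the latest hash somewhere the log's owner cannot rewrite (a signed daily checkpoint or a write-once store) to close that gap.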

  4. Enable data principal rights

    To comply with the Act, organizations will need to create processes that enable the following data principal rights:

    • The right to know what personal data is being processed by a Data Fiduciary, the processing activities undertaken with respect to such personal data, and the identities (not just categories) of all other Data Fiduciaries and data processors with whom the personal data has been shared.
    • The right to correction, completion (i.e., complete any incomplete data), updating, and erasure of personal data for the processing of which the Data Principal has previously given consent.
    • The right of grievance and redress for any act or omission of the Data Fiduciary regarding the performance of its obligations relating to the Data Principal’s personal data.
    • The right to nominate any other individual to exercise the Data Principal’s rights in the event of death or incapacity.
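
    Pulling together the data inventory from step 2 and the rights above, here is an added Python example, not code from the original article or from Ardent Privacy's product: a pattern-based scan classifies the columns of two constructed in-memory stores into an inventory, and the inventory then drives access and erasure requests for one principal. The store contents, column names and regular expressions are all constructed assumptions.

```python
"""Pattern-based data discovery producing a column-level inventory, then using it to
serve access and erasure requests. Added example, not Ardent Privacy's product code:
the stores, column names and regexes below are constructed assumptions."""
import re
from typing import Dict, List, Tuple

# category -> value pattern. PAN: 5 letters, 4 digits, 1 letter. Indian mobile: optional
# +91, then 10 digits starting 6-9, one separator allowed. Real scanners add checksums.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "in_mobile": re.compile(r"^(\+91[\s-]?)?[6-9]\d{4}[\s-]?\d{5}$"),
    "in_pan": re.compile(r"^[A-Z]{5}\d{4}[A-Z]$"),
}
NAME_HINTS = {"name": "person_name"}  # free text: classify by column name instead

Inventory = Dict[Tuple[str, str, str], str]  # (store, table, column) -> category


def sample_stores() -> Dict[str, Dict[str, List[dict]]]:
    """Constructed in-memory tables standing in for a CRM database and an analytics
    lake; a fresh copy on every call so that erasure can be demonstrated."""
    return {
        "crm_db": {"customers": [
            {"customer_id": "c-1001", "full_name": "Asha Rao", "email": "asha@example.in",
             "mobile": "+91 98765 43210", "pan": "ABCPR1234K"},
            {"customer_id": "c-1002", "full_name": "Ravi Kumar", "email": "ravi@example.in",
             "mobile": "9123456789", "pan": "XYZAB5678M"},
        ]},
        "analytics_lake": {
            "events": [
                {"event_id": "e-1", "email": "asha@example.in", "page": "/pricing"},
                {"event_id": "e-2", "email": "ravi@example.in", "page": "/home"},
            ],
            "campaign_stats": [{"campaign": "spring", "opens": 120}],
        },
    }


def classify_column(name: str, values: List, threshold: float = 0.8):
    """Category if at least `threshold` of the non-empty values match one pattern,
    else a name-based hint, else None (not personal data as far as we can tell)."""
    vals = [str(v) for v in values if v not in (None, "")]
    if not vals:
        return None
    for cat, rx in PATTERNS.items():
        if sum(bool(rx.match(v)) for v in vals) / len(vals) >= threshold:
            return cat
    for hint, cat in NAME_HINTS.items():
        if hint in name.lower():
            return cat
    return None


def build_inventory(stores) -> Inventory:
    """Scan every column of every table; record the ones holding personal data."""
    inv: Inventory = {}
    for store, tables in stores.items():
        for table, rows in tables.items():
            for col in sorted({c for row in rows for c in row}):
                cat = classify_column(col, [row.get(col) for row in rows])
                if cat:
                    inv[(store, table, col)] = cat
    return inv


def locate_principal(stores, inv: Inventory, identifiers: Dict[str, str]):
    """Rows belonging to one principal, found through the inventory rather than by a
    full scan. `identifiers` maps category -> known value, e.g. {"email": ...}."""
    hits = set()
    for (store, table, col), cat in inv.items():
        wanted = identifiers.get(cat)
        if wanted is None:
            continue
        for i, row in enumerate(stores[store][table]):
            if row.get(col) == wanted:
                hits.add((store, table, i))
    return sorted(hits)


def access_report(stores, inv: Inventory, identifiers):
    """Right to access: the personal-data columns of every row that is the principal's."""
    report = []
    for store, table, i in locate_principal(stores, inv, identifiers):
        row = stores[store][table][i]
        personal = {c: row[c] for (s, t, c) in inv if (s, t) == (store, table) and c in row}
        report.append({"store": store, "table": table, "data": personal})
    return report


def erase_principal(stores, inv: Inventory, identifiers) -> int:
    """Right to erasure: null every personal-data column in the principal's rows, keeping
    non-personal columns such as event_id or page. Returns the number of rows touched."""
    hits = locate_principal(stores, inv, identifiers)
    for store, table, i in hits:
        row = stores[store][table][i]
        for (s, t, c) in inv:
            if (s, t) == (store, table) and c in row:
                row[c] = None
    return len(hits)
```

    The point of the inventory is that a rights request does not become a full scan of every system: only columns classified as a known identifier are consulted. Two things this sample deliberately leaves out and a real implementation must add are propagating erasure to the data processors and other fiduciaries the data was shared with (the same identities the access right requires you to be able to name), and a retention check, since the erasure duty also applies once the purpose is no longer served even without a request.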

    Significant Data Fiduciaries

    The Central Government may notify any Data Fiduciary, or larger class of Data Fiduciaries, that they are deemed a “Significant Data Fiduciary.” Such designation comes with a series of additional, heightened obligations, including:

    • Appointing a Data Protection Officer who: (1) represents the Significant Data Fiduciary; (2) is based in India; (3) is responsible to the board of directors or a similar governing body of the Significant Data Fiduciary; and (4) is the point of contact for the grievance redressal mechanism.
    • Appointing an independent data auditor to carry out data audits under the DPDP Act.
    • Undertaking periodic audits.

    The Central Government may designate a Data Fiduciary as “significant” based on an assessment of relevant factors, including the volume and sensitivity of personal data processed, the security of the country, public order, and the risk to the rights of Data Principals. While these factors provide some guidance as to what activities may result in a business being deemed a Significant Data Fiduciary, the Central Government may consider any additional factors that it considers relevant, which provides the Central Government with broad discretion to deem any Data Fiduciary as “Significant” if so desired.

  5. Adopt Data Protection Measures and Safeguards

    The DPDPA requires a Data Fiduciary to:
    • Implement “technical and organizational measures” to ensure compliance with the DPDPA and the upcoming DPDPA Rules.
    • Adopt “reasonable security safeguards” to prevent personal data breaches, including for processing carried out on its behalf by its Data Processors.
    • Notify the affected Data Principals and the Data Protection Board in the event of a personal data breach.

    The DPDPA Rules will provide further details on personal data breach notification requirements. For now, let’s consider the measures and safeguards you can implement in advance.

    Ultimately, the Data Fiduciary is responsible for determining how to meet the DPDPA’s security and compliance requirements, accounting for its resources, the types of personal data it processes, and the context in which it operates.

    Take a “privacy by design” approach by implementing privacy and security protections throughout all of your systems and processes. 

    Some measures and safeguards to help achieve DPDPA compliance include:
    • Access controls: Ensure personal data is only accessible to people who require access.
    • Data obfuscation: Pseudonymize identifiers wherever the processing purpose does not require the raw value, and encrypt personal data at rest and in transit.
    • Privacy code scanning: Software companies should scan their code throughout development to detect personal data flows and privacy defects early (for example, identifiers written to logs or sent to third parties) and to keep the data map current.
    • Policies and procedures: Implement “organizational measures” such as internal privacy policies and staff training programs.
    • Automated data mapping: As noted above, gaining visibility over data flows is essential. Automated tools can help you understand how personal data flows into and out of your organization.
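
    On the data obfuscation point, an added Python example (not the article's or Ardent Privacy's code) shows why pseudonymization must be keyed: an unkeyed hash of a low-entropy identifier such as an Indian mobile number is reversible by enumeration, whereas an HMAC under a key kept apart from the data is not. The phone numbers, the attacker's candidate list and the key are constructed for illustration.

```python
"""Keyed pseudonymisation (HMAC-SHA256) versus plain hashing of an identifier.

Added example, not Ardent Privacy's code. The phone numbers, the attacker's candidate
list and the key are constructed; in practice the key would live in a KMS/HSM and be
held by a role that does not have access to the pseudonymised dataset.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but for low-entropy identifiers (phone numbers,
    PANs, e-mail addresses) it is only an expensive encoding: anyone can hash every
    candidate value and look for a match."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same input -> same pseudonym, so records still
    join; without the key there is nothing to enumerate against."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], fields: Iterable[str],
                        key: bytes) -> Dict[str, str]:
    """Replace the named identifier fields of a record, leaving the rest untouched."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = pseudonymize(out[f], key)
    return out


def recover_by_enumeration(target: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Attacker model: hash (or HMAC, if the key is known) every candidate and compare.
    Returns the recovered identifier, or None if no candidate matches."""
    for c in candidates:
        digest = pseudonymize(c, key) if key is not None else plain_hash(c)
        if hmac.compare_digest(digest, target):
            return c
    return None


def sample_candidates() -> List[str]:
    # Constructed: the attacker's small dictionary, e.g. numbers from an unrelated leak.
    # The full space of syntactically valid Indian mobiles (10 digits starting 6-9) is
    # only 4 x 10^9 values, so against plain_hash() a full enumeration is also feasible.
    return ["9876543210", "9123456789", "8765432109", "7012345678"]
```

    The same property that makes HMAC a usable pseudonym (determinism, so datasets still join) means the key holder can re-identify anyone, so the key belongs in a KMS or HSM with access logged and granted to a different role from the one that works with the pseudonymized data; rotating the key yields a fresh, unlinkable set of pseudonyms. The full space of 10-digit Indian mobiles is about 4 billion values, well within reach of commodity hardware against an unkeyed hash.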
  6. Understand the Seriousness of DPDPA Enforcement and Penalties

    The DPDPA takes a graded approach to enforcement, with some violations attracting more severe penalties than others, and the most serious breaches carry very steep potential penalties.

    Along with corrective measures, the Data Protection Board will have the power to impose a fine of up to INR 250 crore (approximately USD 30 million) for the most serious offense, failing to implement reasonable security measures to prevent a personal data breach.

    Given these penalties, selecting the measures and safeguards to implement should be a risk-based decision, considering industry best practices, the context of data processing and the privacy harms to data principals. Below are some example measures data fiduciaries and data processors may consider to protect personal information:

    Organizational measures:
    • Roll out a security and privacy training and awareness program for employees and contractors handling personal information.
    • Draft standard operating procedures detailing personal data handling requirements.
    • Publish internal policies related to security and privacy. Human resources teams may integrate acknowledgment of these policies into the employee onboarding process or periodic training programs.

Conclusion:

Organizations need to check whether and to what extent the DPDP Act applies to them and their operations. With respect to notice and consent requirements, they should be prepared to go back to individuals once the Act becomes effective. Organizations that collect, process and monetize personal data need to ascertain where, how and whose personal information is lodged within their systems. Organizations also need to consider improving their information technology and cybersecurity systems to meet the new compliance requirements, including those relating to breaches. Relatedly, organizations will need to monitor entities in their supply chains, such as suppliers, with respect to data processing obligations, and review existing contractual arrangements.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data centric approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify data inventory, data mapping, data minimization, and securely delete data in enterprises to reduce legal and financial liability.

Legal Disclaimer: The information provided in this blog is not intended to, and does not constitute, legal advice. All content is provided for general informational purposes only. Access to and use of the materials provided do not create an attorney-client relationship. Readers and users should consult with their individual attorneys for advice about their specific legal concerns.