
Compliance with the DPDP Act, 2023

Overview of the Digital Personal Data Protection Act, 2023 (DPDP Act 2023)

The DPDP Act 2023, an evolution in the realm of personal data regulation in India, aims to regulate the processing of digital personal data. This Act redefines how personal data is handled, mandating stringent compliance measures for organizations.

Scope of the DPDP Act, 2023

– The Act applies to the processing of personal data in digital form.

– It covers processing activities within India and extraterritorial processing related to offering goods or services to Indian data principals.

– Excludes personal data made publicly available under legal obligation.

Key Definitions

– Personal Data: Data about an identifiable individual.

– Data Fiduciary: Entity determining the purpose and means of personal data processing.

– Data Principal: The individual to whom the personal data belongs.

– Data Processor: Entity processing personal data on behalf of a Data Fiduciary.

– Data Protection Officer (DPO): Individual appointed for compliance oversight.

International Data Transfers

– Central Government may restrict data transfer to certain territories.

– Existing laws with stricter data transfer regulations prevail.

Consent and Notification Obligations

– Strict consent standards: free, specific, informed, unconditional, and unambiguous.

– Notice required with each consent request.

– Continued processing permissible until withdrawal of consent.

Legitimate Uses

– Includes specific purposes like employment and legal compliance.

– Permits data processing without authorization for certain “legitimate uses.”

Responsibilities of Data Fiduciaries

– Compliance assurance for any processing activity.

– Specific erasure requirements.

– Personal data (PD) breach reporting obligations.

Processing Children’s Personal Data

– Verifiable parental or guardian consent required.

– Prohibitions on behavior tracking and targeted advertising towards children.

Obligations of Significant Data Fiduciaries (SDFs)

– Periodic audits, impact assessments, and appointment of a DPO.

– DPO to be domiciled in India, responsible for grievance resolution.

Data Processor Duties

– Data fiduciaries must ensure processors comply with legal obligations.

Further Exemptions

– Exemptions for BPO operations and certain state instrumentalities.

– Possible exemptions for startups and specific data fiduciaries.

Rights of a Data Principal

– Access, correction, and erasure of personal data.

– Grievance redressal mechanisms.

Consent Managers

– Platforms for managing data principal’s consent.

– Must be registered with the Data Protection Board.

Data Protection Board

– Investigatory and enforcement authority for personal data (PD) violations.

– Appeals mechanism via Telecom Disputes Settlement and Appellate Tribunal.

Authority of the Central Government

– Regulatory powers over notifications and regulations.

– Authority to issue blocking orders.

Voluntary Commitments & Penalties

– Option for voluntary rectification undertakings.

– Civil liability regime with penalties up to INR 250 crore.

Information Technology Act Compliance

– Established in 2000 and amended in 2008.

– Covers data protection, privacy, and reasonable security practices.

Compliance Strategies

– Appointment of a DPO.

– Regular risk assessments and data handling audits.

– Transparent data policies.

– Regular employee training.

Netlawgic’s Advisory Services

– DPDP Readiness Assessment.

– Training and Awareness Programs.

– Contract Review and Revision.

– Formulating DPDP Policies and Procedures.

– Data Principal Rights Execution Procedures.

– Privacy by Default Strategies.

– Data Protection Impact Assessments.

– Cross-Border Data Transfer Procedures.

– Incident Response Planning.

– DPDP Audit.

In summary, the Digital Personal Data Protection Act, 2023 introduces comprehensive measures for personal data protection, emphasizing consent, data principal rights, and responsibilities of data fiduciaries and processors. For organizations, adapting to these changes demands a rigorous approach to data protection, requiring a blend of legal, technical, and operational strategies. Netlawgic offers a suite of services to assist businesses in navigating these complex requirements, ensuring compliance and safeguarding the privacy of data principals.
