Digital Personal Data Protection Act of India (DPDP)

India, the most populous country in the world with more than 1.4 billion people, is the largest democratic country to pass a comprehensive personal data protection law – The Digital Personal Data Protection Act, 2023 (DPDP Act).

The new law marks a seminal moment in the nation's legislative landscape, establishing a comprehensive framework that serves to protect the personal data of its citizens. Given the Act's all-encompassing scope, it promises to bring about significant changes in how organisations handle, process, and safeguard personal data. Let’s dive in and learn more about it. 

In this blog, we’ll cover:

• What is the background of DPDP Act 2023?
• What is the purpose of DPDP Act?
• What is the effective date of DPDP Act?
• Which organisations does DPDP Act apply to?
• DPDP Act's key terms and definitions 
• What are DPDP requirements?
• What are the DPDP Act's principles? 
• What are the important aspects that organisations should pay attention to?
• What are the rights and duties of individuals?
• What are the consequences of non-compliance?
• How usecure can help you increase DPDP staff awareness

What is the background of DPDP Act 2023? 

The journey towards data protection legislation in India has been an evolving process.

• In 2017, the Supreme Court of India declared the Right to Privacy a fundamental right under Article 21 and Part III of the Constitution. Following the verdict, the Indian government initiated steps to create a data protection framework.
• In December 2018, a committee of experts was constituted to deliberate on this framework. The committee released white papers and sought public input. By August 2018, the draft of the Personal Data Protection Bill, 2018 was released and public feedback was solicited.
• After further refinements, the Personal Data Protection Bill, 2019 was approved by the cabinet and tabled in the Lok Sabha (the lower house of India's Parliament) on December 11, 2019. It was then referred to a Joint Parliamentary Committee. However, the Bill was withdrawn later. On August 3, 2022, a new draft, the Digital Personal Data Protection Bill, 2022, was released for public consultation.
• Finally, the updated Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha on August 3, 2023. On 11 August 2023, the President of India gave assent to the Digital Personal Data Protection Bill, 2023 which made it the Digital Personal Data Protection Act, 2023.

What is the purpose of DPDP Act?

The DPDP Act is a robust piece of legislation that aims for transparency, accountability, and most importantly, the secure and ethical use of personal data.

According to the official statement by the Indian government, the purpose of DPDP is: 

"to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto."  

-- Ministry of Law and Justice

What is the effective date of DPDP Act?

The effective date of DPDP Act is still yet to be set. However, with the Lok Sabha's approval of the Bill on 7th August 2023, the Act's date of enactment will be announced in the near future with different enacted dates for different provisions.

Once the DPDP Act is in effect, it is going to replace the Information Technology Act of 2000, commonly known as the "IT Act," as well as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules from 2011, also known as the "SPDI Rules." These have been serving as the existing foundation for data protection in India.

Which organisations does DPDP Act apply to?

The DPDP Act lays out an all-encompassing structure for safeguarding personal data. This Act applies to organisations that:

• handle personal data within India's borders, whether the data is initially collected in digital format or non-digital format and later converted to digital, or
• process personal data that occurs outside India, as long as the activity is related to offering goods or services to individuals in India.

However, it is important to note that, not every piece of personal data will be protected by the Act. Personal data will not be included if it is:

• managed by an individual for personal or household reasons, or
• publicly disclosed either by the Data Principal or by another individual required by existing Indian law to make such information public.

DPDP Act's key terms and definitions 

The terminology used in the DPDP Act is different from that in other data protection laws around the world, such as GDPR. Learning the key terminology of the DPDP Act is vital to understanding the new law.

• Personal data 

  Any data about an individual who is identifiable by or in relation to such data

• Digital personal data

  Personal data in digital form

• Data Fiduciary

  Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data

• Data Principal 

  The individual to whom the personal data relates and where such individual is:

• • a child, includes the parents or lawful guardian of such a child; or
  • a person with disability, includes her lawful guardian, acting on her behalf

• Data Processor

  Any person who processes personal data on behalf of a Data Fiduciary

• Processing of personal data

  A wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction

What are DPDP Act requirements?

• Chapter 1: Preliminary (Sections 1-3)

  This preliminary chapter sets the foundational terms and scope for the law, detailing its name, applicability, and key terms aiming to protect individual data while facilitating its legitimate use.

• Chapter 2: Obligations of Data Fiduciary (Sections 4-10)

  The chapter outlines the obligations and guidelines that a "Data Fiduciary" must follow. It aims to regulate the relationship between Data Fiduciaries and Data Principals, ensuring data protection, transparency, and accountability. 

• Chapter 3: Rights and Duties of Data Principal (Sections 11-15)

  The chapter states the rights and duties of the Data Principal. It also indicates the processes and timelines within which these rights can be exercised and grievances can be addressed.

• Chapter 4: Special Provisions (Sections 16-17)

  The chapter discusses special provisions regarding the transfer and processing of personal data. The section offers a nuanced approach, granting the Central Government the authority to make exceptions while still prioritising data protection.

• Chapter 5: Data Protection Board of India (Sections 18-26)

  The chapter outlines the establishment, functioning and authority of the Data Protection Board of India, a regulatory body responsible for data protection in the country. 

• Chapter 6: Powers, Functions and Procedures to be Followed by Board (Sections 27-28)

  The chapter describes the powers, functions, and procedural guidelines that govern the Data Protection Board of India. It grants the Board significant authority to enforce data protection laws, investigate breaches, and impose penalties.

• Chapter 7: Appeal and Alternate Dispute Resolution (Sections 29-32)

  The chapter outlines the appeal and alternative dispute resolution mechanisms. In summary, this chapter provides for appeal mechanisms, aims for digital efficiency, and offers alternative dispute resolution methods, ensuring that both parties have avenues for redress and settlement.

• Chapter 8: Penalties and Adjudication (Sections 33-34)

  This chapter deals with penalties and adjudication related to data protection violations. The Board will consider factors like the gravity, duration, and nature of the breach, as well as any gains made or losses avoided due to the breach, among other things, while determining the penalty amount. 

• Chapter 9: Miscellaneous (Sections 35-44)

  The chapter outlines miscellaneous legal and procedural aspects. It provides legal immunity to the Central Government and the Board when acting in good faith, enables the government to request information and block public access to certain data, and specifies how the Act interacts with other laws. The government is also empowered to make rules for implementing the Act, and any changes must be presented to Parliament. This chapter also amends existing laws to align them with this new data protection framework. 

What are the DPDP Act's principles for organisations and individuals?

The DPDP Act 2023 imposes rigorous principles and obligations on organisations and individuals to ensure stringent data protection and secure processing of personal information.

What are the important aspects that organisations should pay attention to?

• Data Protection and Security

  Data Fiduciaries are responsible for protecting personal data, including taking technical measures to prevent data breaches. They are also obligated to notify the authorities and affected individuals in the case of a breach. 

• Consent

  Data can only be processed if the Data Principal gives explicit, informed consent or if the data is processed for legitimate uses defined by law.

• Notification

  Data Fiduciaries must provide detailed notices to Data Principals about what data is being collected, for what purpose, and how they can exercise their rights or make complaints.

• Language and Clarity 

  Requests for consent must be in clear language, and Data Principals should have the option to receive the notice in English or any language specified in the Eighth Schedule to the Constitution.

• Withdrawal of Consent

  Data Principals can withdraw their consent at any time, and Data Fiduciaries must cease processing data once consent is withdrawn, unless required by law.

• Data Erasure 

  Data should be erased if the Data Principal withdraws consent or if the original purpose for which the data was collected is no longer valid.

• Special Cases 

  Extra care must be taken when processing the data of children or persons with disabilities, including obtaining verifiable consent from their parents or guardians.

• Significant Data Fiduciaries 

  Certain fiduciaries may be classified as "Significant Data Fiduciaries" based on criteria such as volume and sensitivity of data processed. They have extra obligations, including the appointment of a Data Protection Officer and conducting data audits.

• Accountability 

  Data Fiduciaries must establish grievance redressal mechanisms and are accountable for any data processing activities, even those carried out by third-party Data Processors on their behalf. 

What are the rights and duties of individuals?

The DPDP Act grants a comprehensive set of rights to individuals: 

• Right to access personal data

  The right to request and receive a summary of personal data and related processing activities from the Data Fiduciary.

• Right to correction and erasure of data

  The right to correction, completion, updating, and erasure of personal data.

• Right to grievance redressal

  The right to a readily available means for grievance redressal against any actions by the Data Fiduciary or Consent Manager.

• Right to nominate a Consent Manager

  The right to nominate someone to exercise these rights on their behalf in case of death or incapacity.

While the DPDP Act empowers data principals with various rights, it also stipulates exceptions where Data Fiduciaries are not obligated to disclose information, particularly when it involves sharing data for lawful purposes like crime or cyber incident prevention and investigation.

• The Data Fiduciary is exempt from revealing information when sharing personal data with another Data Fiduciary authorised by law, especially for the prevention, detection, or investigation of crimes or cyber incidents.

Duties of individuals

In contrast to most other data protection regulations, DPDP Act places specific obligations on data principals. Data principals could face fines for non-compliance.

• To comply with all applicable laws
• To not impersonate another person when providing personal data
• To not suppress any material information
• To not register false or frivolous grievances or complaints
• To furnish only verifiably authentic information for corrections or erasures

What are the consequences of non-compliance?

The Data Protection Board of India which will be established soon will have the power to determine non-compliance with the DPDP Act and impose penalties. 

The Act establishes a stringent penalty system, imposing fines for business data protection violations that can range from a minimum of ₹50 crores (6 million USD) to a maximum of ₹250 crore (30 million USD).

How usecure can help you stay compliant with DPDP Act

DPDP Act marks a seminal moment in the nation's legislative landscape, establishing a comprehensive framework that serves to protect the personal data of its citizens. Businesses will need to review not only their internal practices but also their user interfaces to ensure compliance.

Increase employee security awareness with uLearn

To enhance staff awareness of DPDP, security awareness training is a crucial tool. uLearn training modules provide a holistic approach to help you stay ahead of the law.

• Comprehensive coverage

  uLearn offers training modules that cover the essentials of DPDP, educating staff about the importance of safeguarding personal data and the legal consequences of failing to do so.

• Regular updates 

  As DPDP Act evolves, uLearn platform will be updated accordingly to include new training materials, helping our clients obtain up-to-date knowledge of new regulations.

• Assessment and tracking 

  After training sessions, uLearn can assess employee knowledge and track progress over time, identifying areas that may require further training.

Make your policy management pain-free with uPolicy

Complying with the DPDP Act can be a daunting task, particularly when your existing policies are disorganised and your policy updates go unnoticed. Our policy management tool - uPolicy is designed to help you overcome these pain points.

• Centralised repository

  uPolicy can serve as a single point of reference for all DPDP Act-related policies, making it easier for staff to access and understand them. Our hassle-free eSign approvals feature is built to make audits less stressful. These records can be essential for proving your compliance efforts under the DPDP Act, making your audit process smoother.

• Effortless policy distribution 

  uPolicy does a great job at distributing new or updated policies to employees, requiring them to read and acknowledge that they understand the policy.

• Automated reminders 

  Regular reminders about policy updates or revisions can be automated to be sent to employees, keeping everyone in the loop and ensuring continuous awareness. 

Increase your staff's DPDP awareness today!

The DPDP Act of 2023 is more than just a legal requirement but a reflection of the evolving dynamics of data privacy in the digital age. 

Navigating the complexities of the DPDP Act 2023 can be challenging, but you don't have to go it alone. Take advantage of our 14-day free trial or watch our demo to see how our tools can empower your organization to stay compliant effortlessly. You can also explore our blog for in-depth insights on effectively navigating global regulations and standards. 

Don't miss out on this opportunity to equip your staff with the resources they need for a smooth transition into the new regulatory landscape!