
Digital Personal Data Protection Act

About Digital Personal Data Protection (DPDP) Act

The Indian Digital Personal Data Protection Act, 2023 is focused on safeguarding individual privacy rights and promoting responsible data management practices. The DPDP Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The Act covers, among other things:

  • Notice Requirements
  • Functions of the consent manager
  • Procedure for data breach notifications 
  • Parental consent for children’s data 
  • Grievances
  • Exemptions for processing of personal data
  • Redressal procedures

Applicability of the Act

Processing of digital personal data within the territory of India:

  • Data collected online (in digital form)
  • Data collected offline and then digitised

Processing of digital personal data outside the territory of India:

  • Any activity related to offering goods or services to Data Principals within the territory of India


Key Terms of DPDP

DATA PRINCIPAL: The individual whose personal data is processed

DATA PROCESSOR: Any person who processes personal data on behalf of a Data Fiduciary

DATA PROCESSING: Processing of personal data and sensitive personal data

DATA FIDUCIARY: Any person who, alone or together with others, determines the purpose and means of processing personal data

CRITICAL PERSONAL DATA: Categories of data that require the most protection, as defined by the DPDP Act

Other Important Pointers from the Law

Key Responsibilities of the Data Fiduciary:

  • Appointing a Data Protection Officer and a Consent Manager (single point of contact for the Fiduciary)
  • Ensuring compliance of all Data Processors
  • Relevant Policies and Procedures covering
  • A process for handling grievances and Data Principal requests


Data Principal Rights:

  • Provide only legitimate data to the Data Fiduciary
  • Right to Access
  • Right of Correction/Update
  • Right to Erasure
  • Right to Nominate
  • Grievance and Redressal

Other Key Pointers:

  • Establishment of the Data Protection Board of India by the Government
  • Penalty of up to Rs 250 crore for not adhering to the Law
  • Grievances and complaints by Data Principals / Data Fiduciaries
  • Dispute resolution and appeals by Principal and Fiduciary

Exemptions

The rights of the Data Principal and the obligations of Data Fiduciaries will not apply in specified cases such as:

  • Prevention and investigation of offences
  • Enforcement of legal rights or claims
  • Activities that the Central Government may exempt
  • The interest of the security of the State and public order
  • Research, archiving, or statistical purposes

 

Data Protection Board of India

It will be established by the Central Government of India. Key functions of the Board include:

  • Monitoring compliance and imposing penalties
  • Directing data fiduciaries to take necessary measures in the event of a data breach
  • Grievance redressal


Penalty

  • Rs 200 crore: non-fulfilment of obligations relating to children's data
  • Rs 250 crore: failure to take security measures to prevent data breaches

Implementation at Every Stage of Data Lifecycle

Collection:

  • Consent from the Data Principal – with purpose and use of personal data
  • Notice to Data Principals (existing) on the purpose and use of the personal data already collected/processed/stored/shared
  • Guardian/Parental Consent as applicable

Processing:

  • Process personal data only on lawful grounds (consent or legitimate use)
  • The Data Fiduciary honours the rights of the Data Principal (access, correction/update, nomination)
  • If data is shared, maintain a list of Data Processors; adherence to the Law by each Data Processor remains the Fiduciary's responsibility

Storage:

  • Data security requirements to be considered and implemented: encryption, pseudonymization, anonymization
  • Data retention requirements to be considered (together with other legal and regulatory requirements)

Deletion:

  • The Data Fiduciary honours the Data Principal's right to erasure (right to be forgotten)
  • A process to delete personal data (or anonymize it where required) at the Data Fiduciary and at every Data Processor the data was shared with

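The Storage and Deletion points above (pseudonymization, retention, erasure propagated to every copy) are easiest to see on a concrete data flow, and the FAQ below raises the one that trips up most teams: personal data that ends up in application logs. The following Python is an added, constructed example, not code from this page or from CyRAACS. It assumes hypothetical field names (`email`, `phone` and so on), a demo HMAC key that in practice would come from a secret store, and a 30-day retention period chosen for illustration; the `make_log_record`, `purge_expired` and `erase_principal` helpers are this example's own.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed demo key (assumption). In a real deployment the key lives in a
# secret store or KMS, is never committed to source, and is rotated; rotating
# it yields new pseudonyms, which is acceptable for debugging logs.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical field names that directly identify a Data Principal; these never
# reach a log line in the clear.
PII_FIELDS = {"name", "email", "phone", "address"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 10 to 12 consecutive digits with optional leading '+', not part of a longer
# digit/dash run, so ISO dates and timestamps are left alone.
PHONE_RE = re.compile(r"(?<![\d-])\+?\d{10,12}(?![\d-])")


def pseudonymize(value: str) -> str:
    """Keyed HMAC-SHA256 pseudonym. Stable for one key, so a debugging session can
    still correlate events of one principal, but not reversible without the key."""
    canonical = value.strip().lower().encode("utf-8")
    digest = hmac.new(PSEUDONYM_KEY, canonical, hashlib.sha256).hexdigest()
    return "pid_" + digest[:16]


def scrub_free_text(text: str) -> str:
    """Redact identifiers that leak into free-form messages (exception text, user input)."""
    text = EMAIL_RE.sub("[email-redacted]", text)
    return PHONE_RE.sub("[phone-redacted]", text)


def make_log_record(event: str, fields: dict, retain_days: int, now: datetime = None) -> dict:
    """Build a log record: PII fields are pseudonymized, free text is scrubbed, and a
    purge date is attached so retention can be enforced mechanically."""
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(),
        "event": event,
        "purge_after": (now + timedelta(days=retain_days)).isoformat(),
    }
    for key, value in fields.items():
        if key in PII_FIELDS:
            record[key] = pseudonymize(str(value))
        elif isinstance(value, str):
            record[key] = scrub_free_text(value)
        else:
            record[key] = value
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Retention: keep only records whose purge date has not yet passed."""
    return [r for r in records if datetime.fromisoformat(r["purge_after"]) > now]


def erase_principal(records: list, email: str) -> list:
    """Right to erasure: drop every record belonging to one principal. Because the
    pseudonym is deterministic, the request is served without storing the email."""
    pid = pseudonymize(email)
    return [r for r in records if r.get("email") != pid]


def run_demo() -> dict:
    """Constructed sample events exercising collection, storage, retention and erasure."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    records = [
        make_log_record("login_failed",
                        {"email": "Asha@Example.com", "user_agent": "curl/8.4",
                         "msg": "retry from asha@example.com, call 9876543210"},
                        retain_days=30, now=t0),
        make_log_record("login_ok",
                        {"email": "ravi@example.com", "user_agent": "Mozilla/5.0"},
                        retain_days=30, now=t0),
    ]
    return {
        "first": records[0],
        "kept_day_10": len(purge_expired(records, t0 + timedelta(days=10))),
        "kept_day_31": len(purge_expired(records, t0 + timedelta(days=31))),
        "after_erase_asha": len(erase_principal(records, "asha@example.com")),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same purge date and pseudonym must travel with any copy handed to a Data Processor (log shipping, analytics exports), otherwise the erasure and retention steps only cover the Fiduciary's own store. Anonymizing, as the Deletion step allows, would mean dropping the pseudonym field entirely rather than hashing it.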
Action Items for Data Fiduciary

Frequently Asked Questions

You can find answers to some of the most frequently asked questions here; feel free to send us a message if you do not find what you are looking for.
We are storing users' personal data in logs and for debugging-related tasks for our client. What is the process under the DPDP Act, and how can we comply with it?
Personal data stored in logs or used in debugging-related tasks also qualifies as PII of the Data Principal and hence has to be protected.
As a software supplier under the SaaS model, our data is stored outside India and used by our clients, who collect personal data. Since we are service providers, what is our responsibility under the DPDP Act?
You become the data processor and the data fiduciary for the provider. It becomes your responsibility to protect the personal data. The security controls and other process controls must be implemented in agreement with the data fiduciary.
Is there any guideline provided for building an application/system that would process PI data, such as privacy by design?
Since the government has not specified any guideline, industry best practices to protect PII data can be taken into consideration.
Can a DPO also take on the additional role of consent manager, or does it have to be a separate position altogether?
The DPO can take on the additional role of consent manager as of now since there is no law that prohibits it. The consent manager works between the data fiduciary and the data principal in upholding their rights.
Difference between a Data Fiduciary and Data Processor
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data while Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
If consent is not taken directly from the data principal, and the data is not voluntarily provided, are the right to access and the right to correction not applicable to data principals?
A data fiduciary or data processor cannot process any personal data without the consent of the data principal. Purpose of data collection and processing of the same has to be explicitly called out.
Will the scope of data audit be prescribed by Data Protection Board of India Or the data fiduciaries will have the liberty to decide the scope of data audit?
The data protection board will decide the scope of data audit.
Please shed some light on the subject of data fiduciaries. Who is included, and what are the consequences/charges?
Data fiduciaries are the ultimate protectors of the PII of the data principal. They have to implement reasonable controls to protect the PII of the data principal and also provide all their rights in spirit of the law provided.
The data taken for employment purposes, is it covered under the DPDP Act?
Yes, it is covered under the DPDPA.
Can a data fiduciary be the same as data processor?
A data fiduciary can also process PII data.
What should I do if I am unable to comply with some parts of the DPDP Act? Is there any process for exceptions?
There is no space for non-compliance unless there is a valid reason. The law has detailed the list of exemptions to the Act.
As a tech partner for my client, does it matter that we are directly collecting the data from the principal? Does it make us Data Fiduciary or Data Processor?
As a tech partner to a data fiduciary, you will be a data processor.
CYRAAC Services Private Limited
3rd floor, 22, Gopalan Innovation Mall, Bannerghatta Main Road, JP Nagar Phase 3, Bengaluru, Bengaluru Urban, Karnataka-560076
Company CIN: U74999KA2017PTC104449
In Case Of Any Grievances Or Queries Please Contact -
Murari Shanker (MS) Co-Founder and CTO
Email ID: [email protected]
Contact number: +918553004777
© COPYRIGHT 2023, ALL RIGHTS RESERVED