This Act marks a significant step in India's journey towards a stringent data protection regime, aligning closely with international norms while addressing the unique needs of the Indian context.
The Digital Personal Data Protection Act, 2023 (Act) was passed by the Parliament in August 2023. After almost half a decade of deliberations, India has introduced a cross-sectoral legislation for the protection of personal data.
The Act applies to personal data collected in digital form, and to personal data collected in non-digital form and digitised subsequently. The Act does not apply to non-digital data; data processed for personal or domestic purposes; and data made publicly available by a data principal or by any other person under a legal obligation. In terms of territorial applicability, the Act applies to the processing of data within India, regardless of whose data is being processed. In addition, if personal data is processed outside India in connection with the supply of goods or services within India, the provisions of the Act apply.
While there are certain differences as compared to the General Data Protection Regulation (GDPR), the Act is founded on the data protection principles of the GDPR. For foreign companies with subsidiaries in India, it will be important to understand how the provisions of both legislations can be reconciled to build a single strong data protection framework within the company.
While the Act comprehensively covers all aspects of data protection and privacy, a few notable features hold particular significance for companies. Some of the salient features of the Act are as under:
- One of the key aspects of the DPDPA is consent. Data fiduciaries are required to seek consent from users for the processing of personal data. Consent is sought by giving notice to the data principal, so companies need a compliance structure for issuing such notices. The data fiduciary is obliged to provide data principals with a notice containing: a description of the personal data and the purpose for which it will be processed; details of how data principals may exercise their rights to withdraw consent and seek grievance redressal; and details of how data principals may file a complaint with the Data Protection Board. As a good governance measure, companies can strengthen their data protection posture by keeping a record of the consent collected; such a record allows the company to demonstrate compliance with the provisions of the DPDPA.
- The Act requires data fiduciaries to implement ‘technical and organisational measures’ to ensure compliance with the DPDPA; to adopt “reasonable security safeguards” to prevent personal data breaches; and to notify the affected data principals and the Board in the event of a personal data breach. To fulfil these obligations, a company can adopt a ‘privacy by design’ approach, ensuring that privacy is integrated into all of its products, services and designs from the outset. For example, as reasonable security safeguards, the company can put in place access controls, pseudonymisation and encryption. It can also initiate measures such as data protection assessments, internal policy changes and training programmes for its staff. In addition, automated tracking of the flow of data into and out of its systems helps a company keep track of how personal data is used and controlled.
- Under the Act, data principals are granted certain rights, which include the right to access information about their personal data; the right to correction and erasure of personal data; and the right to nominate an individual to exercise these rights on their behalf in the event of their death or incapacitation. Data fiduciaries are required to provide data principals with grievance redressal mechanisms. To honour these rights, a company would need to establish a comprehensive data governance system consisting of a data inventory and a data mapping system, so that it can locate and act on the personal data a data principal's request concerns.
- The Act empowers the Board to impose heavy penalties for non-compliance with the provisions of the Act and to direct remedial and mitigation measures. While there are no criminal liabilities under the Act, the Board can impose penalties of up to INR 250 crores for certain breaches. In determining penalties, the Board will assess the steps taken by the company to mitigate the impact of the breach or non-compliance. In addition, in certain cases the Board can ask the Government to issue directions blocking access to the data fiduciary's platform, if required.
Author:
Shradhanjali Sarma
Consultant
audius India Private Limited
Contact:
Pratik Ghumade
Director
audius India Private Limited
+91 8484 027530
pratik.ghumade(at)audius.de
www.audius.de/en