Corp Legex

NAVIGATING COMPLIANCE: A GUIDE TO THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023


The Article has been authored by Suman Kumar Jha (Founder & Managing Partner), Afnaan Siddiqui (Co-Founder & Partner) & Visakha Raghuram (Associate) and Gurpreet Kaur

INTRODUCTION

India’s progress towards a dedicated data protection regime reached a significant milestone when the Digital Personal Data Protection (‘DPDP’) Act, 2023 received Presidential assent on August 11, 2023. The increasing digitisation of personal data and the need to protect the privacy of individuals in a rapidly evolving digital landscape led to the creation of this legislation, which applies to the processing of digital personal data within India and to processing outside India in connection with offering goods or services to Data Principals within India.

Businesses operating in India must abide by the Digital Personal Data Protection (DPDP) Act, 2023 as data privacy becomes a major global concern. The Act lays down rules for the handling of Data Principals’ personal data, with a strong emphasis on security, transparency and respect for individual rights, and empowers the Data Protection Board of India to impose substantial monetary penalties on Data Fiduciaries that do not comply with its provisions.

In the recent budget, the government has allocated significant resources for establishing the Data Protection Board of India, signalling a strong commitment to enforcing the Digital Personal Data Protection (DPDP) Act, 2023. With the anticipated publication of the Digital Personal Data Protection Rules, it is crucial for organisations, especially those that process individuals’ personal data at scale, to familiarise themselves with the Act’s provisions. This article outlines the key compliance measures that companies must take to align with the Act and the upcoming Rules.

IMPORTANT TERMS

Before delving into the nuances of the DPDP Act, it is important to get acquainted with a few new terms which have been introduced in the Act:

  1. Data Fiduciary– A Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
  2. Consent Manager- A consent manager is a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform;
  3. Board– Board refers to the Data Protection Board of India, which is established by the Central Government under Section 18.
  4. Data Principal– A Data Principal means the individual to whom the personal data relates to and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with a disability, includes her lawful guardian, acting on her behalf;
  5. Data Processor– A Data Processor means any person who processes personal data on behalf of a Data Fiduciary.

ESSENTIAL MEASURES BY DATA FIDUCIARIES

  1. Inform by Notice and Secure Consent before processing data

Sections 5 and 6 of the DPDP Act require a Data Fiduciary that relies on consent to give the Data Principal a notice and obtain her consent before processing personal data (where consent was given before the Act commences, the notice must be given as soon as reasonably practicable). The notice must state:

  • The personal data to be processed and the purpose for which it is proposed to be processed.
  • The manner in which the Data Principal can exercise her rights under the DPDP Act, including the right to withdraw consent.
  • The manner in which a complaint can be made to the Board.

Every request for consent must be presented in clear and plain language, with an option for the Data Principal to access the request in English or in any language specified in the Eighth Schedule to the Constitution. The request must also provide the contact details of the Data Protection Officer (where applicable) or of any other person authorised by the Data Fiduciary to respond to communications from the Data Principal regarding the exercise of her rights under the Act.

Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it signifies agreement to the processing of only such personal data as is necessary for the specified purpose. Until the Data Principal withdraws consent, the Data Fiduciary may continue to process her personal data; withdrawing consent must be as easy as giving it.

The Data Principal may withdraw her consent at any time. Withdrawal does not affect the legality of processing carried out before it, and the consequences of withdrawal are borne by the Data Principal. Upon withdrawal, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal, unless such processing without her consent is required or authorised under the Act or any other law in force.

  2. Processing for certain legitimate uses without consent

Under Section 7, a Data Fiduciary may process personal data without obtaining consent for the following “certain legitimate uses”:

  • Where the Data Principal has voluntarily provided her personal data for a specified purpose and has not indicated that she does not consent to its use for that purpose
  • For the State or its instrumentalities to provide a subsidy, benefit, service, certificate, licence or permit
  • For the performance of any function under law, or in the interest of the sovereignty, integrity and security of the State
  • To fulfil an obligation under law to disclose information to the State, or to comply with a judgment, decree or order
  • To respond to a medical emergency, or to provide medical treatment or health services during an epidemic or other threat to public health
  • To ensure the safety of, or provide assistance or services to, individuals during a disaster or breakdown of public order
  • For employment-related purposes, or to safeguard the employer from loss or liability (for example, prevention of corporate espionage or protection of trade secrets and intellectual property)


  3. General obligations of a Data Fiduciary (Section 8)
  • Data Accuracy: Section 8(3) requires a Data Fiduciary to ensure the completeness, accuracy and consistency of personal data that is likely to be used to make a decision affecting the Data Principal or to be disclosed to another Data Fiduciary.
  • Engaging Data Processors and Protecting Personal Data: A Data Fiduciary may engage a Data Processor to process personal data on its behalf only under a valid contract. The Data Fiduciary remains responsible for compliance with the Act in respect of all processing, including processing by its Data Processors, and must take reasonable security safeguards to prevent a personal data breach of the personal data in its possession or under its control.
  • Effective Technical and Organisational Measures: A Data Fiduciary must implement appropriate technical and organisational measures to ensure effective observance of the Act. This is one of the broadest and most demanding obligations under the Act: it may require an overhaul of existing processes and a rethinking of technical systems, and it calls for ongoing monitoring to maintain continuous compliance.
  • While top management must frame policies and ensure compliance at a strategic level, insights from the personnel involved in core processing activities are crucial for designing and implementing effective procedures.
  • Grievance Redressal Mechanism: Under Section 8(10), a Data Fiduciary must establish an effective mechanism to redress the grievances of Data Principals, and under Section 8(9) it must publish the business contact information of its Data Protection Officer (where applicable) or of a person able to answer the Data Principal’s questions on its behalf. The Data Principal has a right to readily available means of grievance redressal (Section 13) and must exhaust this mechanism before approaching the Board.
  • Intimation of Personal Data Breach: In the event of a personal data breach, the Data Fiduciary must intimate the Board and each affected Data Principal in the form and manner to be prescribed by the Rules.
  • Erasure of Personal Data: Unless retention is necessary for compliance with any law, the Data Fiduciary must erase personal data, and cause its Data Processors to erase it, when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.
  4. Obligations for Processing Children’s Personal Data

A child is an individual who has not completed eighteen years of age. Before processing the personal data of a child (or of a person with disability who has a lawful guardian), a Data Fiduciary must obtain the verifiable consent of the parent or lawful guardian under Section 9. It must not undertake processing that is likely to cause a detrimental effect on the well-being of a child, and must not track or behaviourally monitor children or direct targeted advertising at them. The Central Government may, if satisfied that a Data Fiduciary processes children’s personal data in a verifiably safe manner, exempt it from specified requirements and notify an age above which the exemption applies.

  5. Significant Data Fiduciary – Meaning and Obligations

The Central Government may designate certain Data Fiduciaries or classes thereof as Significant Data Fiduciaries based on factors such as:

  • Volume and sensitivity of personal data processed
  • Risks to Data Principals’ rights
  • Potential impact on India’s sovereignty and integrity
  • Risks to electoral democracy
  • State security
  • Public order

A designated Significant Data Fiduciary must appoint a Data Protection Officer based in India, who represents it under the Act, is responsible to its board of directors or similar governing body and acts as the point of contact for grievance redressal; it must also appoint an independent data auditor, undertake periodic Data Protection Impact Assessments and audits, and take such other measures as may be prescribed. Significant Data Fiduciaries face heightened obligations because of the volume and kind of personal data they process, since a breach of data held by them may have grave consequences.

  6. Cross-Border Data Transfer

Under Section 16, the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to such countries or territories outside India as it may notify. Any higher degree of protection or restriction on transfer imposed under any other law in force continues to apply.

  7. Exemptions from rights of Data Principals and obligations of Data Fiduciaries

Section 17 sets out circumstances in which the rights of Data Principals and most obligations of Data Fiduciaries (other than the overall responsibility for compliance under Section 8(1) and the duty to take reasonable security safeguards under Section 8(5)) do not apply to the processing of personal data. These circumstances include:

  • Processing necessary for enforcing any legal right or claim;
  • Processing by a court, tribunal or quasi-judicial body in the exercise of its judicial or quasi-judicial functions;
  • Processing in the interest of prevention, detection, investigation or prosecution of any offence;
  • Processing of personal data of Data Principals outside India pursuant to a contract with a person outside India by a person based in India (the outsourcing exemption);
  • Processing necessary for a scheme of compromise or arrangement, merger or amalgamation approved by a court or tribunal;
  • Processing for ascertaining the financial information, assets and liabilities of a person who has defaulted on a loan or advance from a financial institution.


  8. Enforcement Mechanism

The DPDP Act provides for the constitution of the Data Protection Board of India as an adjudicating body with quasi-judicial powers. On receiving an intimation of a personal data breach, the Board may direct urgent remedial or mitigation measures and inquire into the breach; it may also inquire into complaints of breach of obligations by Data Fiduciaries and Consent Managers and impose penalties. The Board must follow the principles of natural justice in its proceedings. Appeals from the Board’s orders and directions lie to the Telecom Disputes Settlement and Appellate Tribunal. In appropriate cases the Board may direct the parties to attempt resolution through mediation, and it may accept a voluntary undertaking from a person in respect of compliance with the Act. No civil court has jurisdiction over any matter that the Board is empowered to determine under the Act.

  9. Penalties

If, after an inquiry, the Board determines that a breach of the Act’s provisions is significant, it may impose a monetary penalty. In deciding the amount, the Board considers the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, whether any gain was realised or loss avoided as a result of it, whether actions were taken to mitigate its effects and how timely and effective they were, and whether the penalty is proportionate and effective. The Schedule to the DPDP Act prescribes the maximum penalty for each kind of breach:

  • Breach of the duties of the Data Principal (Section 15): may extend to Rs. 10,000/-
  • Breach of the additional obligations of a Significant Data Fiduciary (Section 10): may extend to Rs. 150 crore
  • Breach of the additional obligations in relation to the personal data of children (Section 9): may extend to Rs. 200 crore
  • Failure to give the Board and affected Data Principals intimation of a personal data breach (Section 8(6)): may extend to Rs. 200 crore
  • Failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach (Section 8(5)): may extend to Rs. 250 crore
  • Breach of a voluntary undertaking accepted by the Board: up to the penalty applicable to the underlying breach
  • Breach of any other provision of the Act or the Rules (residuary penalty): may extend to Rs. 50 crore


Conclusion

As outlined above, the DPDP Act, 2023 places a range of duties on Data Fiduciaries, and these duties could have a significant effect on how businesses operate. Businesses will need to set aside funds to comply, including for appointing a Data Protection Officer (mandatory for Significant Data Fiduciaries), putting in place adequate organisational, technical and security measures, and more. The Act also provides for heavy regulatory penalties for Data Fiduciaries that violate it, which may place a considerable financial strain on non-compliant companies.

The DPDP Act, 2023 is a crucial piece of legislation that can transform data privacy in India. Safeguarding privacy has become a priority for the authorities, and the passage of the Act reflects India’s commitment to it, while the establishment of the Data Protection Board is intended to ensure effective implementation and business compliance. Adhering to the new Act will be challenging for businesses, but as they work towards compliance the focus will shift to creating a privacy-centric ecosystem that fosters digital trust. Businesses will need to adapt, and in doing so will lay the groundwork for consumer trust. In this rapidly advancing technological era, data privacy will go a long way towards establishing customer trust and safeguarding the security of data online.
