What is DPDP?
The Digital Personal Data Protection Act, or DPDP, is India’s new data privacy law. It was passed on August 9, 2023, and received the assent of the President, Droupadi Murmu, on August 11, 2023. Compared to previous draft bills, the DPDP contains notable changes and has been criticized for its strict nature. Even so, because it was passed and received assent in such quick succession, organizations should consider getting a head start on compliance: determining whether the law applies to them, mapping out their data, building consent mechanisms, supporting data subject rights, and implementing technical and organizational security measures to prevent data breaches.
To aid understanding, the DPDP includes illustrations of hypothetical situations in which one provision or another of the law applies, or an exemption is in order. The effective date of the DPDP remains unclear at this time.
What is Personal Information and what are other key definitions?
Although the DPDP uses different terms, its definitions are similar to those of other privacy laws around the world. Data controllers, called ‘data fiduciaries’ here, are “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”; a data subject, referred to as a ‘data principal’, is “the individual to whom the personal data relates and where such individual is a child, which includes the parents or lawful guardian of such a child; a person with disability, which includes her lawful guardian, acting on her behalf”; and a child is defined under the law as “an individual who has not completed the age of eighteen years.”
Same as with other privacy laws, a ‘data processor’ is “any person who processes personal data on behalf of a Data Fiduciary,” and ‘personal data’ is “any data about an individual who is identifiable by or in relation to such data.”
There is no definition of ‘sensitive personal data’ in the law, but certain data fiduciaries, or classes of data fiduciaries, may be designated by the Central Government as ‘significant data fiduciaries’ based on criteria such as “the volume and sensitivity of personal data processed; the risk to the rights of the Data Principal; the potential impact on the sovereignty and integrity of India; the risk to electoral democracy; the security of the State; and public order.”
Who has to comply with the DPDP?
The DPDP applies to “the processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitized subsequently; and to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.”
Who is excluded from DPDP compliance?
India’s privacy law does not apply to “personal data processed by an individual for any personal or domestic purpose; and personal data that is made or caused to be made publicly available by either the Data Principal to whom such personal data relates; or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.” One illustrative example offered by the law here is as follows: “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.”
In addition to these, the following instances of processing of personal data are exempted:
- “Processing by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
- Processing necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”
How can I keep my organization DPDP compliant?
Under DPDP, processing of personal data can only be done for lawful purposes, with the consent of the data subject, and for legitimate uses. Lawful purpose here is understood as “any purpose which is not expressly forbidden by law.” In addition, a notice has to be provided before or at the moment of collection of personal data, informing data subjects of the types of data being collected and the purpose for this, the way in which they can exercise their data subject rights, and the way in which they can submit a complaint to the regulatory authorities.
Consent has to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose” and can be withdrawn at any time. Other obligations of data controllers (data fiduciaries) include the following:
- complying with the provisions of the DPDP and any rules issued with respect to data processing performed by themselves or by a data processor;
- ensuring that any activity of a data processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals is performed only under a valid contract;
- where personal data is likely to be used to make a decision that affects data subjects or it is likely to be disclosed to another data controller, the processing of such data has to be complete, accurate, and consistent;
- implementing appropriate technical and organizational measures to ensure the effective observance of the provisions of the law and any rules issued;
- protecting the personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent personal data breaches;
- in the event of a personal data breach, informing the Board and the affected data subject of this;
- unless retention is required for compliance with any law, ceasing to retain personal data and erasing it upon the withdrawal of consent by a data subject, or as soon as it is reasonable to assume that the purpose of collection no longer applies, and ensuring that any data processor that received the data also erases it;
- where applicable, making available the details of the Data Protection Officer, or of a person able to answer on behalf of the data controller any questions raised by the data subject about the processing of their personal data;
- establishing an effective mechanism for grievance redressal of data subjects;
- before processing any personal data of a child, or of a person with disability who has a lawful guardian, obtaining verifiable consent from the parent of the child or from the lawful guardian.
Additionally, if they are categorized as a ‘significant data fiduciary,’ controllers have an obligation to do all of the following:
- “appoint a Data Protection Officer who shall
  - represent the Significant Data Fiduciary under the provisions of this Act;
  - be based in India;
  - be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
  - be the point of contact for the grievance redressal mechanism under the provisions of this Act;
- appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
- undertake the following other measures, namely:—
  - periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
  - periodic audit; and
  - such other measures, consistent with the provisions of this Act, as may be prescribed.”
What data access rights does DPDP grant?
The DPDP grants the following rights to data subjects:
- Right to Access
- Right to Correct
- Right to Delete
- Right of grievance redressal
- Right to nominate a third party to act on their behalf
How to address data subject access requests under DPDP?
The text of the law offers no specifics as to how data subject requests have to be handled. It is expected that the official rules that have yet to be published will clarify the matter.
Enforcement and penalties
The enforcing authority will be the Data Protection Board of India, an independent body that has yet to be appointed by the Central Government. Once appointed, the DPB will have the authority to enforce the DPDP right away, investigating any violations and imposing penalties accordingly. According to Section 33 of the law, “if the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard,” impose monetary penalties, which include the following:
- Not taking reasonable security measures to prevent data breaches: up to 250 crore rupees (approx. USD 3,000,000).
- Not informing the DPB and the data subject in the event of a data breach: up to 200 crore rupees (approx. USD 2,400,000).
- Not fulfilling obligations related to the processing of personal data of children: up to 200 crore rupees (approx. USD 2,400,000).
- Not fulfilling obligations related to Significant Data Fiduciaries: up to 150 crore rupees (approx. USD 1,800,000).
- Not fulfilling obligations related to Data Fiduciaries: up to 10,000 rupees (approx. USD 120,000).
- Breach of any term of voluntary undertaking accepted by the Board: Penalty up to the extent applicable for the breach.
- Any other violations of the provisions of the DPDP: up to 50 crore rupees (approx. USD 600,000).
Data Subject Rights - GDPR vs. DPDP

| GDPR | DPDP |
|---|---|
| Right to access data | Right to access |
| Right to correct inaccurate data | Right to correct |
| Right to the portability of data | Right to delete |
| Right to delete personal information | Right to grievance redressal |
| Right to information about how entities are sharing your data | Right to nominate a third party to act on their behalf |
| Right to restrict processing | |
| Right to object to processing | |
| Right to object to automated processing | |
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.