Applicability of the Act
Applies to: All organizations based in India and to all organizations offering goods or services to data principals within the territory of India.
Riskpro has a strong team of experienced and certified data privacy and protection professionals with in-depth industry and technical knowledge.
Riskpro can assist you with the following services relating to India’s Personal Data Protection DPDP Act 2023:
Conduct a data privacy/protection gap assessment to highlight gaps or lapses in your framework/policies/processes and suggest an effective data privacy management mitigation plan based on relevant industry best practices for closing those gaps.
Define a data protection governance framework by setting up data inventories, privacy policies, controls, risk assessments, and consent forms compliant with the Digital Personal Data Protection Act 2023. Riskpro can also help you implement the framework/policies/processes on time and systematically.
If you have any third parties who handle processes wherein personal data may be involved, Riskpro can conduct a risk assessment to give you clarity/assurance regarding the level of adherence to the DPDP Act by your third parties. Riskpro can also suggest putting a plan in place so that potential personal data breaches by third parties are identified and rectified on a timely basis.
Define procedures and processes to ensure any Act changes or updates are identified, incorporated within the company policies, and implemented accordingly. Riskpro can also conduct policy reviews to ensure the latest regulatory updates are reflected therein.
If you already have a data protection/privacy framework and policy/procedures defined, Riskpro can conduct a compliance audit to ensure the processes are working effectively and the controls/framework defined is adequate and in accordance with the requirements of the DPDP Act.
Riskpro can conduct online or in-person training for relevant staff regarding the regulatory requirements of the Digital Personal Data Protection Act 2023 and their duties while handling or processing personal data to ensure compliance with the Act.
To know more, contact us at info@riskpro.in
Why choose Riskpro for DPDPA Compliance Services?
I wanted to express my sincere appreciation for your guidance during our recent ISO 27001:2022 audit. Your expertise and support were key to our successful completion.
Working with RiskPro was an absolute pleasure. Their professionalism, attention to detail, and expertise were evident throughout the entire auditing process.
We hired RiskPro for their expertise in Vulnerability Assessment (VA) and IT General Controls (ITGC), and we are very satisfied with the results.
RiskPro has an excellent team of auditors and information security experts. I’m very pleased to work with them, as they show great patience and have strong knowledge in their field.
Highly experienced and knowledgeable approach which helped to complete the audit activities in a timely manner. Highly recommended to other clients! Thanks
The Digital Personal Data Protection Act (DPDPA) 2023 is a comprehensive data protection legislation enacted by the Indian government. It regulates the collection, processing, storage, and transfer of personal data to protect individuals' privacy and ensure data security. The Act establishes guidelines for data handling practices, sets requirements for consent, and mandates that organizations implement robust data protection measures. It aims to enhance transparency, accountability, and control over personal data while aligning with global data protection standards.
The DPDPA 2023 applies in the following scenarios:
Within India: When personal data is processed in a digital format, or if it was originally collected in a non-digital format and later digitized, as long as the processing occurs within the territory of India.
Outside India: When personal data is processed outside India, but the processing is connected to offering goods or services to individuals (data principals) located within India.
In essence, the Act covers both domestic and international processing activities that relate to data principals within India.
Yes, the DPDPA 2023 stipulates penalties for non-compliance. Organizations that fail to adhere to the requirements of the Act may face significant financial penalties. The Act outlines specific fines based on the nature and severity of the non-compliance, which can include penalties for issues such as inadequate data protection measures, failure to obtain proper consent, or not responding to data subject requests appropriately. The regulatory authority responsible for enforcing the Act will determine the exact penalties in each case.
The Act applies to the collection and processing of personal data in both digitized formats and non-digitized formats. This means that if personal data is collected in a paper format and later digitized, it remains subject to the Act. The Act governs how personal data is handled, regardless of whether it is in a digital form or has been converted from a non-digitized format.
The Act applies to:
All organizations based in India.
All organizations offering goods or services to individuals (data principals) within India.
The Act does not apply to:
Processing of personal data by individuals for domestic or personal purposes.
Personal data that is made publicly available.
This means that while the Act covers a wide range of organizations and activities, there are exceptions for personal use and publicly available information.
Riskpro provides a range of services to assist with compliance, including:
Gap Assessments: Identifying and addressing gaps in your data privacy framework.
Establishing Data Privacy Framework: Setting up and implementing compliant data protection policies and processes.
Third-Party Risk Assessments: Evaluating and managing risks associated with third-party data handling.
Implementing/Reviewing Regulatory Updates: Ensuring your policies reflect the latest regulatory changes.
Compliance Audits: Reviewing your existing framework to ensure effectiveness and adherence.
Staff Training: Providing training on regulatory requirements and compliance best practices.
For more information, visit https://www.riskpro.in/it-advisory/digital-personal-data-protection-act-2023
The DPDP Act does not apply to:
Personal Data for Personal Use: Data processed by individuals for their own personal or household activities is not covered by the Act.
Publicly Available Data: Data that has been made publicly available by the individual to whom the data pertains (the data principal), or by any person or entity required by Indian law to make such data public.
These exemptions help ensure that the Act focuses on more formal data processing activities and does not interfere with personal or legally mandated public information.
The Digital Personal Data Protection Act (DPDPA) 2023 stipulates that personal data can only be processed with explicit consent from users, unless there is another valid legal basis for doing so. This consent must be freely given, meaning that users should not feel any pressure or coercion to provide it. Additionally, the consent must be unconditional, implying that it cannot be made dependent on any other conditions, such as the purchase of a product or service. These requirements ensure that users’ consent is both genuine and voluntary. However, the legal basis for processing personal data is not limited to consent alone. The Act also allows for processing based on certain legitimate uses, such as the necessity of processing for contractual obligations, compliance with legal requirements, or protection of vital interests.
No, the DPDP Act does not provide for compensation to individuals if their personal data is compromised. The Act focuses on setting out rules for data protection and requires organizations to implement measures to safeguard personal data, but it does not include provisions for financial compensation to data principals.
The purpose of the DPDPA 2023 is to regulate the processing of digital personal data in a way that balances the rights of individuals to protect their personal information with the need for organizations to process data for legitimate purposes. The Act aims to safeguard individuals' privacy while ensuring that data processing activities are lawful and properly managed.