Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Act 2023 establishes guidelines for the processing of digital personal data.
The Act applies to:
- The personal data gathered offline but later digitised and
- The personal data obtained online from Data Principals in India
If the processing is done to provide products or services to Indian citizens, it will also be subject to the same rules.
- The obligations of Data Fiduciaries (that is, persons, companies, and government entities who process data) for data processing (that is, collection, storage, or any other operation on personal data)
- To have security safeguards to prevent personal data breaches.
- To intimate personal data breaches to the affected Data Principal and the Data Protection Board.
- To erase personal data when it is no longer needed for the specified purpose.
- To erase personal data upon withdrawal of consent.
- To have in place a grievance redressal system and an officer to respond to queries from Data Principals; and
- To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.
- Rights to individuals:
- The right to access information about personal data processed.
- The right to correction and erasure of data.
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
- Safeguards the personal data of children also.
- Allows a Data Fiduciary to process the personal data of children only with verifiable parental consent.
- Does not permit processing that is detrimental to the well-being of children or involves their tracking, behavioral monitoring, or targeted advertising.
- Data Protection Board:
- The Act calls for creating the Data Protection Board of India, which will oversee compliance, investigate violations, assess penalties, and take corrective or mitigating actions in case of a data breach.
- Penalties are outlined in the provisions and vary depending on the offense; for example, failure to implement reasonable security measures to prevent data breaches carries a fine of up to $250 crore, while failure to notify the Board and specific individuals of a data breach carries a fine of up to 200 crores. The fine for breaking additional obligations related to children can reach 200 crores.
The Way Forward:
- Be aware of the rules and regulations set forth by the law.
- Create a thorough data inventory.
- Implement a consent management system.
- Conduct Data Protection Impact Assessment
- Implement reasonable organizational and technical security measures based on the obligations and the risks.
- Identify the gaps via periodic internal audits and evaluations.
- Implement a system to react to requests for data primary rights.
- Make sure that contracts with data processors are up to date.
- Monitor modifications to The Digital Personal Data Protection Act.
How Riskpro can help?
Riskpro has a strong team of experienced and certified data privacy and protection professionals with in-depth industry and technical knowledge.
Riskpro can assist you with the following services relating to India’s Personal Data Protection DPDP Act 2023:
Conduct a data privacy/protection gap assessment to highlight gaps or lapses in your framework/policies/processes and suggest an effective data privacy management mitigation plan based on relevant industry best practices for closing those gaps.
Establishing Data Privacy Framework
Define a data protection governance framework by setting up data inventories, privacy policies, controls, risk assessments, and consent forms compliant with the Digital Personal Data Protection Act 2023. Riskpro can also help you implement the framework/policies/processes on time and systematically.
Third-Party Risk Assessments
If you have any third parties who handle processes wherein personal data may be involved, Riskpro can conduct a risk assessment to give you clarity/ assurance regarding the level of adherence to the DPDP Act by your third parties. Riskpro can also suggest putting a plan in place so that potential personal data breaches by third parties are identified and rectified on a timely basis.
Implement/ Review Regulatory Updates
Define procedures and processes to ensure any Act changes or updates are identified, incorporated within the company policies, and implemented accordingly. Riskpro can also conduct policy reviews to ensure the latest regulatory updates are reflected therein.
If you already have a data protection/privacy framework and policy/procedures defined, Riskpro can conduct a compliance audit to ensure the processes are working effectively and the controls/ framework defined is adequate and in accordance with the requirements of the DPDP Act.
Training to staff
Riskpro can conduct online or in-person training to relevant staff regarding the regulatory requirements of the Digital Personal Data Protection Act 2023 and their duties while handling or processing personal data to ensure compliance with the Act. To know more contact us at firstname.lastname@example.org