Free online guide

Protecting your personal data: Inside the Digital Personal Data Protection Act

Amidst the rapid expansion of the digital ecosystem, safeguarding personal data and preserving privacy have become paramount for organizations. With transformative regulatory frameworks like GDPR and CCPA impacting data processing in the EU and the US, India's need to establish its own privacy regulations has become imperative.

Explore our comprehensive guide on India's Digital Personal Data Protection (DPDP) Act, covering everything you need to know.


Checklist included!

  • Introduction
  • Understanding the Digital Personal Data Protection Act
  • Key definitions
  • Rights of individuals
  • Responsibilities of data fiduciaries
  • The Data Protection Authority of India
  • Impact and way forward

Five reasons you should read this guide

  •   Helps you stay ahead of the curve

    Gain a deep understanding of the Digital Personal Data Protection Act before its provisions and implementing rules are brought into force, enabling you to proactively adapt your practices and stay ahead of compliance requirements.

  •   Simplifies compliance

    See how our guide breaks down the DPDP Act's provisions in a user-friendly manner, making it easy to understand and implement the necessary steps to achieve compliance.

  •   There's a checklist to get you started

    Begin your efforts with a checklist of activities that can help you get started with adapting to the DPDP Act.

  •   Avoiding penalties

    Discover potential pitfalls and common mistakes to avoid, minimizing the risk of hefty fines.

  •   You'll get a complimentary license

    Download the guide and receive a complimentary 45-day trial of Log360.


Introduction

With the rapid growth of the digital ecosystem, the need to protect personal data and privacy has become crucial. Given the regulatory requirements like GDPR and CCPA that have brought significant changes to data processing in the EU and the US respectively, it is imperative for India to develop its own privacy regulations.

In August 2022, the Ministry of Electronics and Information Technology (Government of India) withdrew the Personal Data Protection Bill, 2019, after considering the numerous recommendations received through public consultation. On November 18, 2022, the Government released its revised successor, the draft Digital Personal Data Protection (DPDP) Bill, to govern the processing of digital personal data. The Bill is one component of a broader set of legislation that includes the IT Rules, the National Data Governance Framework Policy, and a proposed Digital India Act.

After six years and four attempts, the Digital Personal Data Protection Bill, 2023 was passed by both Houses of Parliament in the Monsoon session and became the Digital Personal Data Protection Act, 2023 on receiving the President's assent on August 11, 2023.

In this guide, we will explore:

  • What the Digital Personal Data Protection Act is
  • The key aspects of the Digital Personal Data Protection Act
  • The implications of this significant legislation for organizations
  • How to comply with the Act

Understanding the Digital Personal Data Protection Act

What is the Digital Personal Data Protection Act?

The DPDP Act is a comprehensive legislation aimed at safeguarding the privacy and protection of individuals' personal data. The DPDP Act seeks to establish a robust framework for data protection, ensuring accountability, transparency, and consent-based data handling practices across various sectors.

The DPDP Act defines personal data as any data about an individual who is identifiable by or in relation to that data. This covers direct identifiers such as name, address, phone number, email address and biometric data, as well as information that identifies a person indirectly, such as vehicle numbers, location data and employee codes. The Act gives individuals (whom it calls Data Principals) the right to information about their personal data, the right to correction and erasure of personal data, the right of grievance redressal, and the right to nominate another person to exercise these rights on their behalf.

In practice, these rights mean that every individual should know which items of their personal data are being collected and the purpose for which they are collected. An entity collecting personal data (a Data Fiduciary) must give an itemized notice describing the personal data sought and the purpose of processing it, together with the manner in which the individual can exercise their rights and make a complaint. The individual's clear consent is needed before personal data is processed, except for the "legitimate uses" the Act lists, for example complying with a judgment or order, or responding to a medical emergency.

Why is a data protection Act needed in India?

With the exponential growth of digital technologies and online services, the collection and processing of personal data has become pervasive. A data protection Act is essential to address concerns related to privacy, data security, and individual rights. The DPDP Act fills this gap by providing a comprehensive legal framework for the protection of digital personal data in India.

Until now, there has also been a lack of clarity about the legal rights of individuals in relation to their personal data, so individuals often do not know what their rights are or how to exercise them. Equally, there has been little accountability for organizations that collect and process personal data, and no dedicated body to hold them to account if they misuse it. The DPDP Act creates a new regulator, the Data Protection Board of India (referred to in this guide as the Data Protection Authority, or DPA), that is responsible for enforcing the law and holding organizations accountable for their actions, thereby giving individuals more control over their personal data.

Who does the DPDP Act apply to?

The DPDP Act applies to the processing of digital personal data within India, that is, personal data collected in digital form or collected offline and subsequently digitized. It covers both government and private organizations, as well as individuals, acting as data fiduciaries or data processors. Processing by an individual for personal or domestic purposes is outside its scope.

The Act's applicability extends to organizations of all sizes, including large corporations, small and medium-sized enterprises (SMEs), startups, and government agencies. It encompasses sectors such as healthcare, finance, telecommunications, e-commerce and social media, and any other entity that handles personal data.

The Act also reaches beyond India's borders: it applies to the processing of digital personal data outside India when that processing is connected with offering goods or services to individuals within India. Transfers of personal data out of India are permitted, except to countries the Central Government restricts by notification, and the fiduciary remains responsible for safeguarding the data wherever it is processed.


Key features of the Act

  • The Act grants individuals greater control over their personal data through the right to information about how it is processed, the right to correction and erasure, the right of grievance redressal, the right to nominate another person to exercise these rights, and the right to withdraw consent at any time.
  • The Act does not impose data localization. Personal data may be stored and processed outside India, except in countries the Central Government restricts by notification, which keeps cross-border operations workable while preserving the Government's ability to intervene.
  • Unlike the earlier 2019 Bill, the Act does not carve out a separate category of "sensitive personal data"; a single standard applies to all digital personal data. Instead, the Central Government may designate Significant Data Fiduciaries based on factors such as the volume and sensitivity of the personal data they process, and these organizations carry additional obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting data protection impact assessments.
  • To oversee and enforce the law, the Act establishes the Data Protection Board of India (referred to in this guide as the Data Protection Authority, or DPA).
  • The Act emphasizes accountability by imposing significant penalties for non-compliance, up to INR 250 crore per instance for failing to implement reasonable security safeguards. It requires fiduciaries to provide a grievance redressal mechanism and allows individuals to escalate unresolved grievances to the DPA.

Key definitions

Before we delve further into the aspects of the DPDP Act, it is imperative to understand definitions for crucial terms used throughout this guide, ensuring clarity and consistency in interpretation. Some key definitions include:

Personal data

The DPDP Act defines personal data as any data about an individual who is identifiable by or in relation to that data. This covers a broad range of information, including but not limited to name, address, identification numbers, and online identifiers, whether they identify the person directly or in combination with other data.

Sensitive personal data

The DPDP Act does not define a separate "sensitive personal data" category; all digital personal data, including financial, health, biometric and genetic data, is protected under the same obligations. Sensitivity still matters, however: together with the volume of data processed, it is one of the factors the Central Government considers when designating an organization a Significant Data Fiduciary, which attracts additional obligations.

Data fiduciary

The DPDP Act introduces the concept of a "data fiduciary": any person who, alone or together with others, determines the purpose and means of processing personal data. Data fiduciaries carry the primary responsibilities and obligations under the DPDP Act, including responsibility for processing carried out on their behalf by data processors.

Data processor

The DPDP Act also defines "data processor" as entities or individuals who process personal data on behalf of data fiduciaries. Data processors have certain obligations and responsibilities in handling personal data.

Data protection authority

The DPDP Act establishes the Data Protection Board of India, referred to in this guide as the Data Protection Authority (DPA), to oversee and enforce the law. The DPA inquires into complaints and personal data breaches, directs remedial measures, imposes penalties, and in doing so promotes a culture of data protection.


Rights of individuals

This chapter sets out the rights the DPDP Act confers on individuals (Data Principals), giving them control over their data and promoting transparency and accountability in data processing. The rights are:

Right to information

Individuals are entitled to obtain from a data fiduciary a summary of the personal data being processed and the processing activities undertaken, and the identities of all other data fiduciaries and data processors with whom their personal data has been shared. Data fiduciaries must provide this information in a clear and concise form.

Right to correction and erasure

Individuals may request that inaccurate or misleading personal data be corrected, incomplete data completed, and out-of-date data updated. They may also request erasure of their personal data, and the data fiduciary must erase it unless retention is necessary for the specified purpose or to comply with a law. Where the data has been passed to data processors, the fiduciary must ensure they erase it as well.

Right to withdraw consent

Where processing is based on consent, individuals may withdraw it at any time, and doing so must be as easy as giving it. The data fiduciary must then stop processing the data within a reasonable time, unless the processing is otherwise required or authorized by law.

Right of grievance redressal

Individuals have the right to a readily available means of grievance redressal from the data fiduciary. If the fiduciary does not respond within the prescribed period, the individual may escalate the grievance to the Data Protection Board.

Right to nominate

Individuals may nominate another person to exercise these rights on their behalf in the event of their death or incapacity.


Responsibilities of data fiduciaries

Obtaining consent

Data fiduciaries must obtain consent from individuals before processing their personal data, unless the processing falls under one of the "legitimate uses" the Act lists. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the specified purpose. It must be preceded by a notice, in English or any language listed in the Eighth Schedule to the Constitution, that describes the personal data to be collected, the purpose of processing, how the individual can exercise their rights, and how to complain to the Data Protection Board.

Keeping data secure

Data fiduciaries must implement reasonable security safeguards to protect personal data from unauthorized access, disclosure, alteration, or destruction, including data processed on their behalf by data processors. This calls for robust security controls, regular review and auditing, and monitoring that can detect a breach early. In the event of a personal data breach, the fiduciary must notify both the Data Protection Board and each affected individual in the form and manner prescribed.

Deleting data

Data fiduciaries must erase personal data once the purpose for which it was collected has been served, or when the individual withdraws consent, unless retention is necessary to comply with a law. The fiduciary must also ensure that any data processor holding the data erases it.

Transferring data

Data fiduciaries must ensure that personal data is transferred securely and lawfully, particularly across borders. The Act permits transfers outside India except to countries the Central Government restricts by notification, and the fiduciary remains accountable for safeguards both in transit and at the receiving end.

Accountability

Data fiduciaries are responsible for compliance with the Act, including for processing carried out by their data processors, and must be able to demonstrate it by keeping records of their processing activities: the purpose of processing, the categories of personal data involved, and any third-party data sharing. Organizations designated as Significant Data Fiduciaries must additionally appoint a Data Protection Officer based in India, engage an independent data auditor, and conduct periodic data protection impact assessments to identify and mitigate risks.


The Data Protection Authority of India

This chapter focuses on the establishment and powers of the regulator the Act names the Data Protection Board of India, referred to in this guide as the Data Protection Authority of India (DPAI). The key aspects include:

Composition of the DPAI

The DPAI consists of a Chairperson and members appointed by the Central Government for their knowledge and experience in fields such as data governance, law, technology and dispute resolution. It functions as an independent body in its proceedings, operating as a digital office wherever possible.

Powers of the DPAI

The DPAI has the powers of a civil court to inquire into personal data breaches and into complaints from individuals. It can issue directions, order remedial or mitigation measures, and impose monetary penalties for non-compliance with the provisions of the DPDP Act. Its orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal.

Enforcement of the law

The DPAI plays the central role in enforcing the DPDP Act. It receives breach notifications and grievances that fiduciaries have failed to resolve, conducts inquiries, and takes the actions necessary to bring organizations into compliance with the data protection framework.


Impact and way forward

Impact of the DPDP Act on organizations

India's data protection regime has taken a significant step towards digitization with the introduction of this Act. According to a report from KPMG, the Act adopts a progressive approach to bolster India's capacity to attract foreign investments, support the startup ecosystem, and reduce compliance burdens for organizations of various sizes. However, certain open-ended requirements in the DPDP Act need to be addressed by the Central Government, as they could play a pivotal role in shaping the future of data protection.

The Government has chosen a phased approach to address the need for a data protection regime in India, starting with the release of the initial DPDP Act, which may be followed by supplementary rules and guidelines. The inclusion of phrases such as "as may be prescribed" indicates that there is still further scope for development.

Large-scale consumer-centric organizations processing personal data on a significant scale, including but not limited to the technology, telecommunications, healthcare, banking, financial and e-commerce sectors, are likely to face more stringent obligations. The DPDP Act allows the Central Government to designate such organizations as Significant Data Fiduciaries based on parameters such as the volume and sensitivity of the personal data they process, subjecting them to heightened compliance requirements.

Organizations leveraging or focusing on emerging technologies such as virtual reality, artificial intelligence, Internet of Things (IoT), robotic process automation (RPA), Web 3.0, and the metaverse generate and process substantial amounts of personal data. This Act encourages innovation and enables such organizations to handle personal data with adequate safeguards and ethical considerations.

The DPDP Act introduces a revamped approach to cross-border data transfer, facilitating smoother data flows for multinational corporations (MNCs). By excluding data localization requirements, the DPDP Act allows small, medium, and large enterprises to store data across different geographies, resulting in cost reduction and minimizing the time spent on localized data storage.

The DPDP Act places greater emphasis on and encourages organizations to digitize personal data. Currently, the cost of collecting and managing offline data in physical form is significantly higher and unsustainable compared to digital data. Moreover, consumers tend to favour organizations that handle personal data in digital formats because it falls under the purview of this Act, ensuring adequate protection. However, it would be interesting to observe the decisions made by small-scale organizations and family-run businesses in response to these changes.

Checklist to ensure compliance

The DPDP Act received the President's assent on August 11, 2023; its provisions come into force on dates notified by the Central Government, and detailed rules are still to follow. Here is a checklist of activities that can help your organization stay ahead of the Act's compliance requirements.

  • Understand the importance and business implications of the DPDP Act.
  • Assess your current compliance posture and identify any gaps.
  • Appoint a Data Protection Officer (DPO) based in India (mandatory if you are designated a Significant Data Fiduciary, and good practice otherwise).
  • Evaluate your data processing principles and change them if need be.
  • Notify Data Principals of what personal data is being collected, the purpose of collecting it, and how they can exercise their rights and raise a complaint.
  • Establish processes to handle Data Principals' requests and grievances within the prescribed time.
  • Report personal data breaches to the Data Protection Board and to each affected Data Principal in the form and manner prescribed.
  • Deploy a SIEM solution that helps you detect and respond to data breaches quickly and maintains the audit trails and reports that regulatory mandates call for.

Disclaimer:

The Digital Personal Data Protection Act, 2023 received the President's assent on August 11, 2023. Its provisions come into force on dates notified by the Central Government, and the rules made under it may add to or modify the detail described here, so there may be differences between this guide and the final requirements.

Sources:

https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill,%202022_0.pdf
https://assets.kpmg.com/content/dam/kpmg/in/pdf/2022/12/privacy-digital-personal-data-protection-bill2022.pdf

About us

About the author

Harshni is a devoted cybersecurity enthusiast, deeply fascinated by the intricacies of this rapidly evolving field. With a passion for learning and writing about new regulatory mandates that shape the cybersecurity landscape, Harshni brings fresh perspectives and valuable insights. When not delving into the world of cybersecurity, she likes singing, and learning new melodies on the ukulele.

About ManageEngine Log360

ManageEngine Log360, a comprehensive security information and event management (SIEM) solution, helps enterprises to thwart attacks, monitor security events, and comply with regulatory mandates.

The solution bundles a log management component for better visibility into network activity, and an incident management module that helps quickly detect, analyse, prioritise, and resolve security incidents. Log360 features an innovative ML-driven user and entity behaviour analytics (UEBA) add-on that baselines normal user behaviours and detects anomalous user activities, as well as a threat intelligence platform that brings in dynamic threat feeds for security monitoring.

Log360 helps ensure organizations combat and proactively mitigate internal and external security attacks with effective log management and in-depth AD auditing.
