Digital Personal Data Protection Act (DPDP), 2023 - getting ready for compliance


The Digital Personal Data Protection Act (DPDP) of 2023, along with the Rules, seeks to establish a comprehensive framework for data protection in India. The Act aims to balance the right of individuals to protect their personal data against the necessity of processing such data for lawful purposes. For companies navigating the DPDP Act, here is a breakdown of the key compliance considerations. Please note that the Rules are still in draft form, and the final picture will emerge only when the Rules are notified.

Understanding Your Role: Determine whether your organisation is a Data Fiduciary (an entity that determines the purpose and means of processing personal data) or a Data Processor (an entity that processes personal data on behalf of a Data Fiduciary). The DPDP Act places obligations on both. If you are a Data Fiduciary, you carry the primary responsibility for complying with the Act.

Consent and Lawful Processing:

  • Lawful Purpose: Data processing must be for a lawful purpose.
  • Consent Requirements: If relying on consent, it must be freely given, specific, informed, unconditional and unambiguous. Companies must present consent requests in a clear and plain language.
  • Clear Notices: Provide a clear, self-contained, and easily understandable notice to individuals before or at the time of requesting consent. This notice should detail the data collected, the purposes for processing it, how individuals can exercise their rights, and how to complain to the Data Protection Board. It should also provide contact information for a Data Protection Officer or another person who can answer questions about data processing. Companies should also include a link to their website or app for ease of access.
  • Withdrawal of Consent: Companies must provide a means for data principals to withdraw consent as easily as it was given. If consent is withdrawn, processing must cease.
  • Purpose Limitation: Companies can only process personal data for the specific purpose for which consent was given.

Data Security and Breach Management:

  • Security Safeguards: Implement appropriate data security measures, such as encryption, obfuscation and mapping personal data to virtual tokens (tokenisation), to protect against personal data breaches.
  • Access Controls: Enforce appropriate access controls on computer resources, and maintain logs, monitoring and periodic reviews to detect and prevent unauthorised access to personal data. Retain the logs relating to personal data storage and access for a period of one year to support detection of unauthorised access.
  • Data Backups: Maintain data backups so that there are reasonable means to continue processing personal data in the event of a breach.
  • Data Breach Reporting:
    • Report data breaches to the Data Protection Board (DPB) and affected individuals “without delay”.
    • Provide affected individuals with a description of the breach (its timing, nature, extent and location), its consequences, the measures taken to mitigate risk, the security measures the affected person may take, and business contact information for queries.
    • Within 72 hours of learning about the breach, provide the DPB with an updated description of the breach, circumstances leading up to it, risk mitigation measures, findings regarding the person who caused the breach, remedial measures, and a report of the intimations sent to affected people. A company may request an extension of the 72-hour window.
    • Failure to report a data breach could lead to fines of up to Rs. 200 crore.
    • Companies can be fined up to Rs. 250 crore for failing to implement “reasonable” security safeguards.

Data Handling Obligations:

  • Accuracy: Make reasonable efforts to ensure the accuracy of processed personal data.
  • Storage: Retain personal data only as long as necessary to achieve specified purposes or comply with existing laws.
  • Accountability: Remain accountable for the purpose and means of processing personal data, in line with the standards of the Act.
  • Contact Information: Data Fiduciaries must publish the business contact information of a Data Protection Officer, if applicable, or of another person who can answer questions about data processing.

Significant Data Fiduciaries (SDFs): If your company is designated as an SDF, you will have additional responsibilities:

  • Data Localisation: Ensure that certain personal data, as specified by the Central Government, and traffic data pertaining to its flow, is not transferred outside India.
  • Algorithmic Impact: Verify that algorithmic software used for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data does not harm the rights of individuals.
  • Data Protection Impact Assessment (DPIA) and Audits: Conduct a DPIA and an audit every twelve months. Provide a report containing key findings to the Data Protection Board.
  • Data Protection Officer: Appoint a Data Protection Officer based in India to act as the company’s representative under the Act, report to the company’s governing body and handle grievance redressal. Also appoint an independent data auditor to review compliance.
  • Penalties: Breach of provisions of the Act or rules by an SDF can result in penalties of up to Rs. 150 crore.

Data Processors:

  • Reasonable Security Standards: Contracts with data processors must include a requirement that they implement ‘reasonable security standards’.
  • Breach Notification: Consider including a breach notification obligation on data processors to ensure they immediately inform the data fiduciaries they work with about breaches.

Consent Managers:

  • While not mandatory for companies, you may use a Consent Manager to manage consent records. Consent Managers must be registered with the Data Protection Board.
  • Record Keeping: Companies must keep records of consent given, denied or withdrawn in a machine-readable format; a Consent Manager can be used to maintain these records.
  • Conflict of Interest: A Consent Manager shall avoid conflict of interest with Data Fiduciaries.

Government Data Requests:

  • The Central Government can request information from data fiduciaries for purposes including national security and the integrity of India.
  • Companies may be prohibited from informing the Data Principal of such requests if disclosure could affect the “security of the state”.
  • In such cases, companies must get written permission from an authorised person before disclosing the information.

Data Transfers:

  • The Act allows cross-border data transfers except to countries specifically restricted by the government.
  • The rules now state that companies must comply with any requirements the Central Government sets regarding making data available to a foreign state or its entities.

Grievance Redressal:

  • Establish a grievance redressal mechanism and publish the timeframe for addressing grievances. Implement appropriate technical and organisational measures to ensure timely responses.
  • The timeframe for addressing grievances is determined by the company itself.

Penalties for Non-Compliance:

  • Failure to meet obligations can result in fines ranging from Rs. 50 crore to Rs. 250 crore.
  • The Data Protection Board will consider various factors such as the repetitive nature of a breach, whether there was a gain or loss, steps taken to mitigate consequences, the impact of the penalty on the person, and more, when deciding penalties.

This information should help companies understand their obligations under the DPDP Act and prepare for compliance. However, the rules are still in draft form, and some clarifications from the government are pending. Companies should monitor updates and seek legal advice to ensure full compliance.