Introduction to Digital Data Protection Act, 2023

The Digital Personal Data Protection (DPDP) Act, 2023, marks India’s inaugural data protection legislation, establishing a comprehensive framework for personal data processing within the country. In an era dominated by technology, this regulation reflects India’s commitment to fostering a robust data privacy regime.

Developing robust privacy governance programs is not only a crucial risk management and business integrity imperative but also a fundamental aspect of cultivating a transparent and sustainable organization for the future.

Scope of DPDP Act

The DPDP Act applies to the processing of digital personal data, whether collected online or offline and subsequently digitized, within the borders of India. It also extends its jurisdiction to the processing of digital personal data outside India if it pertains to providing goods or services to data principals within India.

Significance of Significant Data Fiduciaries (SDF)

One of the key features of the DPDP Act is the emphasis on Significant Data Fiduciaries (SDF), identified by the government based on the volume and sensitivity of the personal data they handle and the associated risks. Specific obligations for SDFs include appointing a Data Protection Officer (DPO) located in India, engaging an independent data auditor, and conducting a Data Protection Impact Assessment (DPIA).

Citizens’ Rights under DPDP Act

The Act grants significant rights to citizens, empowering them as data principals. However, a specific timeline for implementing grievance redressal and data principal rights has not been specified yet.

Right to Access Information

Data Principals have the right to seek information on how their data is processed, provided in a clear and understandable way.

Right to Correction and Erasure

Individuals have the right to correct inaccurate or incomplete data and to erase data that is no longer required for processing.

Right to Nominate

Individuals can nominate any other individual to exercise these rights in the event of death or incapacity.

Right to Grievance Redressal

Individuals have the right to readily available means of registering a grievance with a Data Fiduciary.

Penalties for Non-Compliance

The Act introduces a penalty clause, imposing fines on data fiduciaries for non-compliance with its provisions, with penalties reaching up to INR 250 crore. These penalties cover various infractions, such as breaches in the duty of data principals (up to INR 10,000), failure to notify the Data Protection Board and affected data principals in case of a personal data breach (up to INR 200 crore), and breaches related to the obligations concerning children’s data (up to INR 200 crore).

Exclusions and Limitations

Certain exclusions have been outlined in the Act, including non-automated personal data, offline personal data, and personal data in existence for at least a century. The previous cap of INR 500 crore for penalties has been removed, and there is currently no provision for grievance redressal review. Additionally, the stipulated 72-hour timeline for reporting a data breach to authorities has been excluded.

Impact on Organizational Sectors

The DPDP Act is poised to impact a wide array of organizational domains, including legal, IT, human resources, sales and marketing, procurement, finance, and information security. This is due to the nature and volume of personal data handled, stored, processed, retained, and disposed of in India. Consequently, organizations operating in these sectors, and related fields, must establish robust data privacy and protection programs in alignment with the DPDP Act of 2023.

 
