The Digital Personal Data Protection Act of 2023 (DPDP Act) is the nation's first standalone law on data protection and privacy. It sets forth strict rules on how Indian entities can collect and process personal data, focusing on Consent and data security.
The Act's implications are particularly profound in sectors like Banking, Financial Services, and Insurance (BFSI), Telemarketing, Healthcare, E-commerce and others that handle enormous amounts of personal data.
Businesses big and small must navigate the DPDP Act diligently to avoid penalties of up to 250 Crore Rupees. This underscores the need for a robust understanding and implementation of data protection measures in line with the Act. We have already discussed the DPDP Act in detail here. In this article, we will share a practical action plan to prepare and guide your business towards DPDP compliance.
Step by Step Action Plan for DPDP Compliance
The following 7 steps provide a structured and practical guide for compliance, ensuring your business not only adheres to the new regulations but also thrives under them:
1. Understand and Assess
2. Audit and Map
3. Define Internal Policies
4. Manage Consent
5. Provide For User Rights
6. Manage Third Parties
7. Enhance Data Security
Let us take a closer look at each step on the way to DPDP compliance.
Step 1 - Understand and Assess
- Understand exactly how the Digital Personal Data Protection law applies to your business. Prepare a list of every applicable DPDP obligation and what changes are required in your processes. (You will find dedicated articles on DPDP's applicability, exemptions, penalties, and sector specific breakdowns on our Consent Blog)
- Consider appointing a Chief Information Officer (CIO) for overseeing data management and security and a Data Protection Officer (DPO) with necessary certifications to oversee data protection compliance.
- These new hires will serve to sensitise the management, suggest staffing plans, kickstart discovery and data mapping exercises, and most importantly respond to customer requests and grievances.
- On the basis of your research and appointments, start defining a compliance strategy identifying clear timelines and responsibilities.
Step 2 - Audit and Map
- Identify each data point in your products and in your vendors’ systems that constitutes personal data. This includes any SaaS tools you are using, your organisational mailboxes, stray Excel files on your work devices, etc.
- Evaluate the current flows for different users sharing personal data including customers, employees, third parties etc.
- Specifically, for each data point you must identify:
  - The source of the data point;
  - Where it is stored;
  - Who has access;
  - The purpose for processing; and
  - The retention period.
- Identify the grounds for processing each data point:
  - Do you need to take consent to process that data?
  - Can you store and process it pursuant to a legal compliance?
  - Or is there some other DPDP exemption for it, like processing for employment purposes?
- Develop a comprehensive data inventory detailing the above for all personal data collected and processed.
- Determine when and how personal data needs to be deleted, ensuring compliance with your data retention policies, industry-specific laws like the PMLA, and the DPDP Act.
Step 3 - Define Internal Policies
- Draft fresh internal policies and standard operating procedures detailing access to data, collection, storage, retention, etc.
- Emphasise data minimisation in policies, ensuring only necessary data is collected and processed for specific and legitimate purposes.
- Identify key stakeholders responsible for compliance and assign roles clearly across different levels.
- Ensure these policies are easily accessible to all stakeholders, including employees, customers, and partners.
- Implement comprehensive training programs for employees and contractors on data protection and privacy. Integrate policy acknowledgment into employee onboarding and periodic training programs.
- Update vendor agreements to reflect processing obligations and consent requirements.
- Update your business and partnership agreements to ensure adherence to consent requirements.
Step 4 - Manage Consent
- This is the biggest DPDP compliance hurdle. For processing most personal data, companies will need to collect valid Consent from users.
- Determine when and where consent is required. Review data maps to identify which processing activities rely on consent.
- Update each collection point to meet the standards of the DPDP Act. This includes making a Request for Consent which is:
  - Written in plain and clear language;
  - Available in English or 22 local languages; and
  - Includes contact details of the DPO or an equivalent point of contact.
- For each request for consent, you must include a detailed Notice which is available in English with the option of local languages. This notice must cover:
  - Itemised list of personal data to be processed;
  - Specific purposes for processing each data point;
  - Declaration that only the data necessary for the specified purpose will be processed;
  - List of user rights;
  - Specific duration for which the data will be processed;
  - Particular communication link of the webpage or app that can be used to withdraw consent;
  - Manner in which the user can seek grievance redressal; and
  - Manner in which the user can make complaints to the Data Protection Board (DPB).
- Even for all the consents collected prior to the enactment of the DPDP Act, you must send a one-time notice detailing the above information.
- For each consent you collect, you need to be able to identify:
  - Categories of personal data;
  - Ids of Data Principals;
  - Ids of vendors and third parties who have access to the data; and
  - Specific purpose of processing.
- Provide a system for enabling the user/Data Principal to:
  - Access a summary of their personal data processed;
  - View and manage their consent preferences;
  - Update their personal data; and
  - Withdraw consent with ease.
- Develop a system for timely erasure of personal data upon consent withdrawal or fulfilment of specified purpose.
- Establish procedures for managing and documenting parental or guardian consent for minors or individuals with disabilities.
- The easiest way to comply with consent obligations is through our Consent Manager. Leegality's Consent Manager serves as a one stop solution which can be plugged into your existing flows and solve for these challenges across systems and vendors.
Step 5 - Provide for User Rights
- Another big one - the DPDP Act seeks to empower users by providing powerful rights over their personal data. Enabling your customers to effectively exercise their rights is a major compliance challenge.
- Develop a streamlined and accessible system for customers to submit requests related to their data rights including access to summary, correction, and erasure of their personal data.
- Implement effective identity verification measures to ensure the authenticity of requests. This is crucial for sensitive cases involving minors or persons who nominate another in case of death or incapacity.
- Set up grievance redressal protocols, allowing Data Principals to report and resolve any issues related to data processing or rights violations with ease.
- Ensure that any data erasure requests are effectively communicated and executed across all relevant Data Processors and systems.
- Create a process for users to nominate someone who can manage their data rights in case of their death or incapacity. Ensure this nomination is securely documented and readily accessible when required.
- Similar to the consent obligations, the best way to easily manage exercise of rights obligations is by onboarding our Consent Manager.
Step 6 - Manage Third Parties
- Assess and monitor the data protection practices of existing vendors, service providers and other third parties processing personal data on your behalf.
- Conduct due diligence on vendors' data security measures and compliance standards before onboarding and during the contract period.
- Ensure that all contracts with third-party vendors include comprehensive data protection clauses in line with the DPDP Act.
- Set up processes to notify vendors promptly if a Data Principal withdraws consent, requiring them to cease processing the relevant data.
- Establish a system for regularly reviewing and updating vendor contracts to ensure ongoing compliance with the DPDP Act.
- Ensure that you have your user’s consent to share any personal data with a third party.
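The consent-record fields from Step 4, the withdrawal and erasure duties from Step 5, and the vendor notification duty from Step 6 can be tied together in one register. The following is an added illustration, not code from the original article or from Leegality's Consent Manager; the record fields and the erasure-task shape are assumptions, and the sample consents are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class ConsentRecord:
    """One consent, holding the fields Step 4 says you must be able to identify (assumed layout)."""
    principal_id: str        # Id of the Data Principal
    data_categories: list    # itemised categories of personal data covered
    purpose: str             # the specific purpose named in the Notice
    vendor_ids: list         # vendors and third parties who have access
    granted_on: date
    retention_days: int      # the specific duration stated in the Notice
    ended_on: date = None    # set on withdrawal or when the retention period lapses

class ConsentRegister:
    """Tracks consents and turns withdrawal or expiry into per-system erasure tasks."""
    def __init__(self):
        self.records = {}
        self.erasure_tasks = []   # (system_id, principal_id, purpose); "self" = your own systems

    def grant(self, consent_id, record):
        self.records[consent_id] = record

    def _end(self, rec, today):
        # Erasure must reach your own systems and every vendor holding the data (Steps 5 and 6).
        rec.ended_on = today
        for system in ["self"] + list(rec.vendor_ids):
            self.erasure_tasks.append((system, rec.principal_id, rec.purpose))

    def withdraw(self, consent_id, today):
        rec = self.records[consent_id]
        if rec.ended_on is None:
            self._end(rec, today)

    def expire(self, today):
        """Queue erasure for consents whose stated retention period has elapsed; returns their ids."""
        expired = [cid for cid, r in self.records.items()
                   if r.ended_on is None and r.granted_on + timedelta(days=r.retention_days) <= today]
        for cid in expired:
            self._end(self.records[cid], today)
        return expired

    def summary(self, principal_id):
        """The per-user view Step 4 asks for: active purposes and the data each one covers."""
        return {r.purpose: r.data_categories for r in self.records.values()
                if r.principal_id == principal_id and r.ended_on is None}

def demo_register():
    # Constructed sample consents for one Data Principal; ids and vendor names are placeholders.
    reg = ConsentRegister()
    reg.grant("c1", ConsentRecord("DP-001", ["name", "pan"], "loan-kyc", ["VEND-kyc"], date(2024, 1, 1), 365))
    reg.grant("c2", ConsentRecord("DP-001", ["email"], "marketing", ["VEND-mailer"], date(2024, 2, 1), 730))
    return reg
```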
Step 7 - Enhance Data Security
- Enhance data security protocols to prevent breaches, incorporating strong encryption and access control systems.
- Establish regular security audits to identify and address potential vulnerabilities in data handling and storage.
- Implement a robust incident response plan for potential data breaches, ensuring swift action and compliance with DPDP Act reporting requirements.
- Develop and maintain a secure configuration for all devices and software handling personal data.
- Regularly update and test security measures to adapt to new threats and changes in the data protection landscape.
Next Steps
While the Digital Personal Data Protection Act 2023 is now law, the government is yet to set up the Data Protection Board and release the DPDP Rules. The Board will enforce the law, and the Rules will provide greater detail. Sooner or later, most businesses will need to make big changes.
Understanding the law well, preparing your resources, and putting practical measures in place are crucial not just for compliance. These also help your business in making the most of the new regulations, earning customer trust and setting a strong foundation for your data protection practices.