.svg)
Personal data is the new currency in the digital age and keeping it safe is more important than ever. The Digital Personal Data Protection Act (DPDP Act) is a game-changer in India, making big waves in how we think about our digital privacy and the power we have over our own data. Let's break down what this means for you and your business, in plain language.
Taking Consent
Before the DPDP Act, Consent was predominantly required for sensitive personal data, such as financial, health, or biometric information. However, the Digital Personal Data Protection Act has expanded the scope of consent to encompass all personal data and for each specific purpose. This shift aims to empower individuals with greater control over their data and promotes transparency in data processing practices.
Before Digital Personal Data Protection Act, a bank might have only asked for consent to access account balances. Now, it must seek consent for each activity, like sending promotional emails or analyzing spending habits. Therefore, banks now need to revise the process of collecting consent on their website or application and add clear and granular purposes options in multiple languages.
Withdrawing Consent
In the pre-DPDP era, withdrawing consent was often a convoluted and ineffective process. However, post-DPDP, withdrawing consent should be as seamless as giving consent. Individuals can now closely manage the usage of their personal data and user consent becomes an ongoing and revocable process.
For instance, in a budgeting app, users can now easily withdraw consent for data analysis, like tracking spending habits, without affecting basic app functions. Therefore, fintechs will now have to implement consent management in their systems and design DPDP compliant interfaces for preference management and consent withdrawal.
Sharing Information
Previously, there was no obligation to monitor a third party once data was shared with consent. However, under the DPDP framework, it's essential to ensure that all vendors delete data whenever consent is withdrawn. This provision enhances accountability throughout the data processing chain and reinforces the principle of data minimization and purpose limitation.
Imagine a healthcare provider. After Digital Personal Data Protection Act, they must ensure labs delete patient data promptly if consent for testing is withdrawn.. Banks share customer data with underwriting companies, KYC/AML providers, payment processors, marketing companies, insurance companies, payment processors, the list goes on. Now, the bank must ensure prompt deletion of data when a user withdraws consent or asks for erasure. This involves, identifying all instances of shared data across all vendors, and overseeing the deletion process to guarantee compliance, necessitating meticulous coordination and verification.
User Rights
Pre-DPDP, individuals had limited rights regarding accessing their own personal data. However, the DPDP Act introduces the right to nomination, access and erasure and carries forward the right to grievance and correction/updation. Crucially, the law will now provide much better mechanisms to enforce these rights.
For example, post-DPDP, financial institutions must grant customers access to their financial data, including a detailed summary, list of all vendors with whom data is shared, and a comprehensive list of processing activities carried out on that data. This means that finance companies must now establish systems to facilitate user requests for accessing and erasing their personal data.
Enforcement
Previously, there was no specific governing body for data protection, leading to ineffective enforcement mechanisms. However, with the formation of the Data Protection Board (DPB) after the DPDP Act, there is now a clear authority with the power to enforce fines of up to 250 crore for each violation.
In Conclusion, the DPDP Act brings in a new era for both individuals and businesses, transforming how personal data is managed and protected. Individuals now enjoy enhanced control and transparency over their data in everyday activities, such as banking and healthcare, thanks to simplified consent processes.
Meanwhile, businesses must adapt by revising their data handling practices. They now need to revise consent procedures to ensure seamless consent management. Data sharing practices are now subject to stringent oversight, requiring meticulous coordination and verification to uphold individuals' privacy rights throughout the data processing chain. With the establishment of the DPB, the DPDP law and its penalties can be expected to be enforced rigorously. For Indian businesses, this means compliance is an absolute necessity.
