DPDP Act - What changes for Indian Businesses?

April 1, 2024

Summary

  • The Digital Personal Data Protection Act mandates explicit consent for every personal data use.
  • The data protection law simplifies the process for users to retract consent at any time.
  • DPDP obligates businesses to erase user data upon consent withdrawal.
  • Users now enjoy powerful rights over their data including data access and grievance redressal.
  • The Data Protection Board (DPB) will ensure strict compliance enforcement.
  • Businesses need to overhaul data management strategies to align with new regulations.

Personal data is the new currency in the digital age and keeping it safe is more important than ever. The Digital Personal Data Protection Act (DPDP Act) is a game-changer in India, making big waves in how we think about our digital privacy and the power we have over our own data. Let's break down what this means for you and your business, in plain language.

Taking Consent

Before the DPDP Act, consent was predominantly required for sensitive personal data, such as financial, health, or biometric information. However, the Digital Personal Data Protection Act has expanded the scope of consent to encompass all personal data, taken separately for each specific purpose. This shift aims to empower individuals with greater control over their data and promotes transparency in data processing practices.

User Consent is now the primary basis for processing personal data

Before the Digital Personal Data Protection Act, a bank might have only asked for consent to access account balances. Now, it must seek consent for each activity, such as sending promotional emails or analyzing spending habits. Therefore, banks now need to revise the process of collecting consent on their website or application and add clear, granular purpose options in multiple languages.

Withdrawing Consent

In the pre-DPDP era, withdrawing consent was often a convoluted and ineffective process. However, post-DPDP, withdrawing consent should be as seamless as giving consent. Individuals can now closely manage the usage of their personal data and user consent becomes an ongoing and revocable process.

Businesses must provide their users with the functionality to easily manage their consent preferences

For instance, in a budgeting app, users can now easily withdraw consent for data analysis, such as tracking spending habits, without affecting basic app functions. Therefore, fintechs will now have to implement consent management in their systems and design DPDP-compliant interfaces for preference management and consent withdrawal.

Sharing Information

Previously, there was no obligation to monitor a third party once data was shared with consent. However, under the DPDP framework, it's essential to ensure that all vendors delete data whenever consent is withdrawn. This provision enhances accountability throughout the data processing chain and reinforces the principle of data minimization and purpose limitation.

Businesses must take consent before sharing user data with third parties and must delete the same upon withdrawal of consent

Imagine a healthcare provider. After the Digital Personal Data Protection Act, they must ensure labs delete patient data promptly if consent for testing is withdrawn. Banks share customer data with underwriting companies, KYC/AML providers, payment processors, marketing companies, insurance companies, and so on. Now, the bank must ensure prompt deletion of data when a user withdraws consent or asks for erasure. This involves identifying all instances of shared data across all vendors and overseeing the deletion process to guarantee compliance, which requires meticulous coordination and verification.

User Rights

Pre-DPDP, individuals had limited rights regarding access to their own personal data. However, the DPDP Act introduces the rights to nomination, access and erasure, and carries forward the rights to grievance redressal and correction/updation. Crucially, the law will now provide much better mechanisms to enforce these rights.

For example, post-DPDP, financial institutions must grant customers access to their financial data, including a detailed summary, a list of all vendors with whom the data is shared, and a comprehensive list of processing activities carried out on that data. This means that finance companies must now establish systems to handle user requests for accessing and erasing their personal data.

Enforcement

Previously, there was no specific governing body for data protection, leading to ineffective enforcement mechanisms. However, with the formation of the Data Protection Board (DPB) under the DPDP Act, there is now a clear authority with the power to impose fines of up to 250 crore for each violation.

In conclusion, the DPDP Act brings in a new era for both individuals and businesses, transforming how personal data is managed and protected. Individuals now enjoy enhanced control and transparency over their data in everyday activities, such as banking and healthcare, thanks to simplified consent processes.

Meanwhile, businesses must adapt by revising their data handling practices. They now need to revise consent procedures to ensure seamless consent management. Data sharing practices are now subject to stringent oversight, requiring meticulous coordination and verification to uphold individuals' privacy rights throughout the data processing chain. With the establishment of the DPB, the DPDP law and its penalties can be expected to be enforced rigorously. For Indian businesses, this means compliance is an absolute necessity.
