In today's digital age, data is a valuable asset. The Digital Personal Data Protection (DPDP) Act 2023 is a new law in India that regulates how personal data is handled. It aims to protect people's privacy by ensuring that businesses manage personal data responsibly. For a comprehensive understanding of India's first data protection law, consult our detailed primer on the DPDP Act.
This article explains the key rights and duties of individuals with respect to their personal data. The individual whose personal data is collected is known as a Data Principal under the DPDP Act. Under these rights, an individual can ask to access, erase or update their personal data, raise grievances about how it is being handled or appoint nominees for their personal data.
Data Principals can claim their rights from Data Fiduciaries. Data Fiduciaries are entities that determine the purposes and methods of personal data processing. This includes a wide range of organizations, from banks and telecom service providers to social media platforms and various businesses. Understanding these rights and how to cater to them will help your business align with the law and enhance the transparency and accountability of your data management practices.
Rights of Data Principals
Under the DPDP Act, data principals are endowed with four key rights to ensure their personal data is handled with respect and transparency:
- Right to Information Access;
- Right to Correction and Erasure;
- Right to Grievance Redressal; and
- Right to Nominate.
Here's a detailed breakdown of each of these rights in turn:
I. Right to Information Access
Data principals have the right to access information about what categories of personal data are being processed, what processing activities are performed on it and all the third parties with whom it is being shared.
In the EU, under the General Data Protection Regulation (GDPR), the right to access personal data has been widely used by individuals. Businesses with robust data management frameworks have generally coped better, while those without such systems have found the process time-consuming and costly. In 2018, a group of Austrian users requested their data from major tech companies under GDPR's right to access. Facebook provided over 1,200 pages of data, including deleted messages, location tracking data, and metadata. Individuals have also used access requests to uncover how data brokers collect and sell personal data without direct user consent. Some individuals were able to access detailed profiles compiled from multiple sources, demonstrating the extensive tracking and profiling that has become commonplace.
To provide for this right to access information about personal data, businesses must do the following:
- Data Inventory: Companies need to maintain an extensive and up-to-date inventory of personal data across various data stores. This involves searching databases, cloud storage, third-party processors, and backup systems to identify all instances of the individual’s data. An effective data mapping process is crucial for finding where all personal data is stored.
- Request Channels: Create clear channels through which data principals can submit their requests for information. This could be via a dedicated email address, online portal, or customer service desk.
- Verification of Identity: Before disclosing any information, the business must first verify the identity of the requester. This involves confirming that the request is coming from the data principal or an authorized nominee. Verification processes might include multi-factor authentication, official documents, or a combination of identification methods to ensure that sensitive data is only released to the correct individual.
- Data Compilation: Once the data is located, the company must compile the information in a format that is easy to understand. This includes details about the types of personal data collected; how the data is processed and for what purposes; a list of third parties the data has been shared with, including processors, partners, and vendors; and information on data retention policies and the criteria used to determine how long data is stored.
- Data Review: Before sending the information to the requester, the company must review the data to ensure it does not inadvertently disclose proprietary information, sensitive commercial data, or data relating to other individuals (which could breach other privacy regulations).
- Delivery: Finally, the information must be shared within the timeline specified under the DPDP Act (we are still waiting on the timelines). The compiled information must be delivered securely to the data principal, often through a secure portal, encrypted email, or other protected means.
Handling such requests can be resource-intensive. Here are the cost implications:
- Time and Personnel: Each request requires personnel to verify identities, locate data, compile information, and ensure compliance with legal standards. For businesses handling large volumes of personal data, this could mean dedicating staff specifically to handle these requests. According to estimates from the GDPR experience, an access request could take several hours to a few days to process, depending on the complexity of the data.
- Infrastructure and Systems: Businesses must invest in data management systems that facilitate easy retrieval and collation of information. This involves implementing data inventories, privacy management software, and access control mechanisms to centralize data handling and access requests.
- Monetary Costs: Under the GDPR regime, companies reported varying costs for fulfilling information requests, ranging from €1,000 to €2,000 per request. The cost varies based on the size of the business, the complexity of the data, and the robustness of the company's data management systems.
Example:
Imagine a customer, Priya, who uses an online shopping platform, ShopEase. Priya is concerned about her privacy and wants to know how her personal data is being handled. Here’s how it would work:
- Priya submits a request through ShopEase’s online data access request form, asking for a summary of her personal data and details of any third parties with whom it has been shared.
- ShopEase verifies Priya’s identity through an email verification process.
- ShopEase then generates a summary of Priya’s personal data, including her purchase history, contact details, and any data shared with third-party partners like payment processors or delivery services.
- ShopEase provides Priya with a clear, detailed report outlining what data is held, how it is used and with whom it has been shared.
- Priya reviews the information and notices that her data has been shared with an additional partner. She contacts ShopEase to withdraw her consent and delete her personal data.
- ShopEase now has to follow through with this request, ensuring the data is erased across all systems, including third-party processors, and notify Priya of the completed action.
II. Right to Correction and Erasure
Data principals have the right to request corrections to their personal data if it is inaccurate, incomplete, or outdated. Users can also request the erasure of their personal data in specific circumstances, such as when the data is no longer necessary for the purposes it was collected, or if they withdraw their consent. This right ensures that the data held by data fiduciaries is accurate and up-to-date.
To provide for the right to correction and erasure, businesses must provide for the following:
- Data Accuracy and Review: Businesses need to implement procedures to keep personal data accurate and up-to-date. This could include sending periodic notifications to customers, prompting them to review and update their personal information. Allowing users to edit their data directly through user-friendly interfaces, such as an "edit" button on their profile page, simplifies the process and reduces friction.
- Responding to Requests: Businesses must respond to correction and erasure requests within a specified timeline. A standard protocol for processing these requests helps ensure consistency and compliance. Automated acknowledgment of the request and regular updates on the status can enhance transparency and customer trust.
- Data Erasure Across Systems: A successful erasure request involves removing personal data from all systems, including backups and databases managed by third-party vendors. This step can be complex in environments where data sharing is dynamic, requiring a robust data governance framework and advanced IT infrastructure. Businesses must develop strategies for tracking data across interconnected systems to ensure complete and effective erasure.
- Detailed Explanations: After completing a correction or erasure request, businesses should provide the data principal with a clear explanation of the outcome. If some data cannot be erased due to legal or other constraints (e.g., regulatory requirements to retain financial data for a certain period), the reasons must be communicated transparently to the individual.
Costs and Challenges:
- Technical Infrastructure: Investing in automated systems to track data lifecycle, identity verification mechanisms, and data removal processes can be costly but is necessary for ensuring thorough compliance.
- Personnel: Handling requests manually requires personnel trained in data management and privacy regulations. For larger organizations, fulfilling these requests can take a considerable amount of staff time and expertise, especially when dealing with interconnected or legacy systems.
- Third-Party Data: Ensuring that data is erased from third-party systems adds another layer of complexity. Data fiduciaries must maintain agreements with their vendors to enforce data erasure requests consistently.
Example: Imagine a customer, Rajesh, who has an account with an online payment platform, PayEase. Rajesh moves to a new address and wants to update his information on the platform. Here's how it might unfold:
- Rajesh logs into his PayEase account and navigates to his profile page, where an "edit" button allows him to update his address.
- PayEase requires Rajesh to verify his identity using a two-factor authentication process before accepting any changes. Since the new address impacts his financial records, the platform asks him to upload a government-issued ID for verification.
- PayEase reviews the submitted information and updates the address in its system. They also communicate with their associated third-party vendors, such as payment processors, to ensure the new address is reflected in all shared records.
- Rajesh receives a confirmation, detailing that the update has been completed and explaining any limitations regarding data retention for regulatory purposes.
III. Right to Grievance Redressal
Data principals have the right to grievance redressal mechanisms for any complaints or concerns about how their personal data is being handled. This right ensures that data fiduciaries are accountable and provides data principals with a means to address issues related to data processing, including potential violations of their rights under the DPDP Act.
To provide for the right to grievance redressal, businesses must:
- Set up dedicated channels for receiving and handling complaints. This could include a customer service desk, an email address, or an online portal specifically for grievance submissions.
- Clearly communicate these channels to data principals, ensuring they know how and where to submit their grievances.
- Designate a grievance officer responsible for addressing complaints and ensuring they are resolved promptly and effectively. The officer should be knowledgeable about the DPDP Act and the company's data protection practices.
- Develop a standard protocol for responding to grievances. This includes acknowledging the receipt of a complaint, investigating the issue, and providing a resolution within the timeline specified under the Act (typically within a set number of days).
- When responding to grievances, ensure that the communication is clear and comprehensive. If a grievance cannot be resolved to the data principal's satisfaction, provide a detailed explanation and inform them of any further steps they can take, including escalation options.
- Keep detailed records of all grievances received, the actions taken, and the outcomes. This helps in monitoring the effectiveness of the grievance redressal process and ensures accountability.
Example:
Imagine a user, Ravi, who subscribes to an online streaming service, MovieHub. Ravi notices that despite opting out of marketing communications, he continues to receive promotional emails. Concerned, he decides to file a grievance.
Here's how it could work out in practice:
- Ravi submits a grievance through MovieHub’s online portal, describing the issue and providing evidence of his opt-out request.
- MovieHub's grievance officer acknowledges the receipt of the grievance and begins investigating the cause of the issue. They review Ravi’s account settings and the email logs.
- MovieHub identifies a technical error that caused the opt-out preference to not be applied correctly. They fix the issue and confirm that Ravi's preferences are now correctly set. They respond to Ravi, explaining the error and the steps taken to resolve it, and confirming that no further promotional emails will be sent unless he opts back in.
- Ravi receives the response and confirms that the issue has been resolved to his satisfaction. He is also informed about the steps he can take if he encounters any similar issues in the future.
IV. Right to Nominate
Data principals have the right to nominate another individual to exercise their data protection rights in case of death or incapacity. This right ensures that personal data is managed according to the data principal's wishes even when they cannot do so themselves. It provides a way to designate a trusted person to manage or control access to their personal data.
To provide for the right to nomination, businesses must:
- Develop a clear process for data principals to nominate a representative. This could involve a form or an online portal where data principals can submit the necessary information and nomination details.
- Ensure that the nomination process is secure and easy to understand, allowing data principals to specify the scope and duration of the nomination if needed.
- Implement verification procedures to confirm the identity of the nominee and the data principal.
- Keep accurate records of all nominations, including the details of the nominated individuals and any specific instructions provided by the data principal. Ensure these records are securely stored and easily accessible when needed.
- Clearly inform data principals of their right to nominate a representative. This communication can be included in privacy policies, terms of service, or direct notifications to ensure data principals are aware of this option.
- Provide the nominated individual with the necessary access and controls to manage the data principal's personal data according to their instructions. This may involve granting access to accounts, data retrieval, or making decisions about data processing.
Here’s How Data Principals Can Exercise Their Rights
Information Access: Data Principals will be able to request access to their data to review the personal information that businesses hold and share. They will be required to provide identification and necessary details to assist the business in locating their data. Upon receiving the request, businesses will provide a summary, allowing the principal to seek further clarifications or corrections.
Correction and Erasure: Data Principals will be able to submit requests for data correction or erasure through designated channels. These requests will need to clearly state the data to be corrected or erased and include proof of identity to facilitate verification. Businesses will then review these requests, make the necessary corrections, and inform the data principal of the actions taken.
Grievance Redressal: Data Principals will have the opportunity to submit grievances through designated channels provided by businesses. These grievances should clearly describe the issue and may include relevant details and evidence. Businesses will acknowledge receipt of the complaints, conduct an investigation, and respond to the data principal with the resolution or available options for further action, including escalation to the Data Protection Board if unresolved.
Nomination Process: Data Principals will be allowed to nominate a representative by submitting a request that specifies the nominee's name and contact details along with any specific instructions regarding their authority. Businesses will verify the identities of both the data principal and the nominee. Once verified, the business will confirm the nomination and record the details. Both the data principal and the nominee will receive notifications about their roles and responsibilities.
Duties of Data Principals
While the DPDP Act grants data principals several rights to protect their personal data, it also imposes certain duties to ensure the responsible use and management of personal information. In case of breach of any of these duties, a data principal may be liable to pay a fine of up to ₹10,000. This is in contrast to ₹50 Crore, which is the penalty for a data fiduciary breaching or failing to provide for the user rights mandated under the DPDP Act.
There are five duties of data principals under the DPDP Act:
- Compliance with Laws: Data principals must exercise their data rights in accordance with all applicable laws and regulations. The exercise of rights should not violate other laws or other rights of individuals.
- Avoidance of Impersonation and Fraud: Data principals must not impersonate others or provide false information when interacting with data fiduciaries. This duty is to help prevent identity theft and fraudulent activities that could compromise the security of personal data.
- Authenticity of Information: Data principals are responsible for providing accurate, complete, and up-to-date information to data fiduciaries. This duty includes refraining from suppressing material information while furnishing personal data.
- Refrain from Frivolous Complaints: Data principals should avoid filing false or frivolous complaints regarding data processing activities. This duty ensures that data fiduciaries can focus on genuine concerns and maintain efficient complaint resolution processes.
- Verification of Information: When exercising rights such as correction or erasure, data principals must provide verifiable and authentic information. This duty helps ensure that the data being corrected or erased is genuinely related to the data principal and that no unauthorized changes are made.
By adhering to these duties, data principals contribute to a transparent and secure data environment. Their cooperation helps data fiduciaries maintain accurate records, comply with legal obligations, and protect the rights and privacy of all individuals involved.
Final thoughts
Compliance with the DPDP Act offers businesses an opportunity to differentiate themselves through exemplary data governance. It is crucial to implement clear procedures and systems that align with the DPDP Act’s mandates. Additionally, businesses must be diligent in verifying the authenticity of data principal requests and maintaining accurate records. This includes not only providing accessible channels for data requests but also educating customers about their rights and duties under the DPDP Act.
By taking proactive steps to ensure compliance, businesses can mitigate risks, enhance their reputation, and foster a culture of trust and accountability. We encourage business leaders to prioritize data protection as a key component of their organizational strategy, ensuring a secure and respectful environment for all stakeholders.
Begin today by signing up for a demo of Leegality Consent Manager, and let us take care of all your user rights compliance!