What is DPDP Act in India?
In an era of digital transformation, India has introduced its first comprehensive data protection legislation: the Digital Personal Data Protection Act of 2023 (DPDP Act). This landmark law aims to empower Indian citizens with decisive control over their personal data while imposing stringent obligations on businesses processing this data.
What are the penalties under the DPDP Act?
The Digital Personal Data Protection Act imposes significant monetary penalties for non-compliance, with the Schedule to the Act setting a ceiling for each category of breach (up to ₹250 crore per instance for failing to take reasonable security safeguards against a personal data breach). Within those ceilings, the amount is determined by the nature, gravity and duration of the breach, the type of personal data affected, and whether the entity gained from it. This underscores the seriousness with which data protection is now regarded in India. Read our blog on DPDP Penalties for greater detail.
Essentially, the Data Protection Board has considerable discretion in setting monetary penalties, weighing these factors so that the penalty is both proportionate and effective.
What are the key features of DPDP Act?
While the government is yet to release the detailed DPDP Rules, these are the key features arising from the text of the Digital Personal Data Protection Act:
A. Consent as Primary Ground of Processing: Consent is the main basis for processing personal data under the DPDP Act. The only other basis is a closed list of "certain legitimate uses" (for example, data the individual volunteers for a specified purpose, employment purposes, medical emergencies, or performance of a State function); there is no open-ended "legitimate interest" ground.
B. Data Fiduciaries' Responsibility: The DPDP Act holds Data Fiduciaries accountable for all processing done on their behalf, including that done by third party vendors. Entities notified by the government as Significant Data Fiduciaries carry additional obligations, such as appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments.
C. Data Security and Breach Notification: Data Fiduciaries must implement reasonable security safeguards to prevent a personal data breach and, when one occurs, must notify both the Data Protection Board and each affected Data Principal in the form and manner prescribed by the Rules.
D. Data Protection Board (DPB): The Data Protection Board shall oversee the enforcement of the Act, impose penalties, and handle complaints.
E. Cross-Border Data Transfers: Data can be transferred to any jurisdiction unless specifically prohibited by the government. Read more about restrictions on cross border data transfers and data localization.
F. Protection of Children's Data: The Act gives special consideration to the data of children (individuals under 18) and of persons with disabilities who have a lawful guardian. Processing requires the verifiable consent of the parent or lawful guardian, and the Act prohibits tracking, behavioural monitoring and targeted advertising directed at children. Read more about DPDP law on children's data on our consent blog.
What is difference between GDPR and DPDP Act?
The General Data Protection Regulation (GDPR) of the European Union and India's DPDP Act are both landmark legislations in their respective regions for data protection and privacy. To understand all the major differences between the two laws, read our piece on GDPR and DPDP Act. Here are some key differences between the two:
When and where will the DPDP Act apply?
The law applies to "Digital Personal Data": personal data that is collected in digital form, or collected in non-digital form and later digitised. Personal data means any data about an individual who is identifiable by or in relation to that data. A person's name, mobile number, bank account number, photograph, signature, Aadhaar details, etc. will be classified as personal data as they can be used to identify an individual. The Act also reaches processing outside India when it is connected with offering goods or services to Data Principals within India. Read our article on DPDP Applicability to dive deeper.
Who is affected by the DPDP Act?
Everyone. The DPDP Act defines two main stakeholders - Data Principals and Data Fiduciaries.
- Data Principals: The individuals to whom the personal data relates, such as customers opening bank accounts or users registering on websites. They are given extensive rights over their data (for a child, the parent or lawful guardian acts as the Data Principal).
- Data Fiduciaries: Entities like banks, telecom providers, and social media platforms that determine the purpose and means of processing personal data. They carry the highest level of compliance obligations and must be able to demonstrate adherence to the Act's data collection and processing standards.
Apart from these two central players, the DPDP Act also defines a Data Processor as any person who processes personal data on behalf of a Data Fiduciary. The critical difference between a Data Processor and a Data Fiduciary is that only the Fiduciary determines the purpose and means of processing, and the Fiduciary remains liable for what its Processors do.
What are the Exemptions under DPDP Law?
The Act's provisions do not apply, in whole or in part, in certain cases, such as the prevention or investigation of offences, the enforcement of legal rights or claims, and the processing in India of personal data of individuals outside India under a contract with a person outside India (the outsourcing scenario). The government also has the power to exempt notified classes of Data Fiduciaries, including startups, from some obligations, but more clarity is needed from the awaited Digital Personal Data Protection Rules. You can read our article on DPDP Exemptions for a comprehensive breakdown.
What are consent obligations on Data Fiduciaries?
Consent forms the crux of the Digital Personal Data Protection Act 2023. Data processing must be based on clear, informed, and specific consent from Data Principals, except in certain cases like state functions or legal obligations. The Act mandates that Data Fiduciaries provide detailed notices at data collection points, informing Data Principals about the nature of data collected, processing purposes, and their rights.
The notice given by the Data Fiduciary to the Data Principal must set out:
- The personal data being collected and the purpose for which it will be processed;
- The manner in which the Data Principal can exercise their rights, including the right to withdraw consent;
- The manner in which the Data Principal can make a complaint to the Data Protection Board.
This notice is crucial because right from the beginning, the Data Principal will have full knowledge of exactly which personal information is being collected and to what end.
What will happen to the data collected prior to the Act?
Even where consent was collected before the DPDP Act came into force, the Data Fiduciary must send a one-time notice in the format stated above, as soon as reasonably practicable. Processing may continue in the meantime, but if the Data Principal withdraws their consent after receiving this notice, the processing will have to stop.
This is a significant obligation for many industries, especially data-heavy sectors like finance, healthcare and ecommerce. A customised notice must be sent to every existing customer detailing the data held, the purpose of its use, the right to withdraw consent and the method of grievance redressal.
How will the collected data be stored and managed?
Data Fiduciaries cannot store personal data indefinitely. Data must be erased once the purpose for which it was collected is fulfilled or consent is withdrawn, unless retention is required by law, and the Fiduciary must ensure its Data Processors erase it too. The Act also introduces Consent Managers: platforms registered with the Data Protection Board through which Data Principals can give, manage, review and withdraw their consent in one place.
Next Steps
The DPDP Act is set to revolutionise data protection for good. Companies need to adapt quickly and reimagine how they collect and process personal data. Failure to do so will invite legal and monetary consequences as well as reputational damage. Long story short, the DPDP Act is a wake-up call to all businesses: the era of taking data for granted is over, and a more respectful, consent-oriented approach is the new norm.
Still unsure about what the DPDP Act 2023 means for your business?
Read Part 2 of this series on how the DPDP Act is a game changer. We break down the history leading up to this landmark law. This will help contextualize just how drastic the shift is compared to previous data regulations.
Businesses of all shapes and sizes will be affected by the Digital Personal Data Protection Act 2023. To understand sector specific implications please refer to our articles on the impact of the DPDP Act on BFSI and Telemarketing sectors. Read our article on DPDP Compliance to get started on your compliance strategy.