
10 Steps Compliance to India DPDP Act 2023

Harsh Sahu
CTO
May 2024 | 7 mins

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the DPDP Act) was enacted to give individuals in India the privacy protection they have long needed, by laying down how digital personal data may be processed lawfully.

Principles such as accountability, transparency, data minimization, fairness, accuracy and lawful processing of personal data are reflected in the DPDP Act.

This blog walks through the steps to get compliant with the DPDP Act, 2023. To know more about the various provisions and the exemptions under the Act, explore The Guide to India DPDP Act.

10 Steps to India DPDP Act 2023 Compliance

India's DPDP Act is the hallmark of India's approach to governing and securing the personal data of individuals. Businesses need to act promptly on how they process personal data, both to get compliant and to avoid hefty penalties, which can go up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach.

Below are the 10 steps for getting compliant with India's DPDP Act 2023.

#1 Design and Implement Privacy Policies and Procedures

The DPDP Act makes it mandatory to process digital personal data in a lawful manner. To do this, organizations first need visibility into how personal data is being collected, where it is stored, who uses it and for how long; in short, an inventory of the data at rest, in use and in transit, backed by written policies that say who may do what with it.

#2 Serve Privacy Notice at Data Collection Checkpoints

Under the Act, consent is the primary basis for collecting digital personal data, and it must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and limited to the personal data necessary for the specified purpose.

The data protection law in India requires every consent request to be accompanied or preceded by a notice. The notice must (a) be made available to the data principal with the option to read it in English or in any of the languages specified in the Eighth Schedule to the Indian Constitution, (b) describe the personal data sought to be processed and the purposes of processing, (c) state the manner in which data principals may exercise the right to withdraw consent and the right of grievance redressal, and (d) specify the manner in which data principals may file complaints with the Data Protection Board of India.

#3 Lawful Processing of Personal Data

Under the Digital Personal Data Protection Act, 2023, the lawful grounds for processing personal data are (a) consent and (b) certain legitimate uses listed in the Act. Because consent must be specific and limited to the data necessary for the stated purpose, Data Fiduciaries should offer granular choices and obtain separate consent for each purpose of processing, and collect only the personal data that purpose actually needs. Bundling several purposes into a single consent request is not compatible with the DPDPA 2023.

For processing the personal data of a child (a person under 18) or of a person with disability who has a lawful guardian, verifiable consent of the parent or lawful guardian is required.

#4 Adequate Consent and Consent Management

Consent management is the process of obtaining, recording and honouring a user's consent for the collection and use of personal data. It upholds the rights of Data Principals when organizations follow two key principles of privacy:

  • only collect, use, retain and disclose the personal data that is clearly necessary to achieve the stated purpose,
  • train the people who handle this data on why privacy protection matters, and put monitoring in place so that handling is accountable.

Consent Managers, under the India DPDP Act, have certain roles:

  • They must register with the Data Protection Board of India and are accountable to the data principals they act for.
  • They must enable data principals to give, manage, review and withdraw consent for the processing of their personal data through an accessible, transparent and interoperable platform. This includes clear information about the purpose of collection, the types of data collected and the parties involved in processing.
  • They must maintain transparency about their own data processing practices and give data principals access to their consent records.
  • They must establish effective grievance redressal mechanisms for concerns raised by data principals about their consent or about processing.

The Act does not mention cookies by name, but cookies and similar identifiers that single out an individual are digital personal data, so cookie consent is part of DPDP Act compliance for websites and apps.

#5 Develop and Operationalize Procedures to Redress Grievance of Data Principals

According to the DPDP Act 2023, the notice that accompanies a consent request must tell data principals about their right of grievance redressal and describe how to make a complaint to the Data Protection Board of India (DPBI).

This means individuals have the right to be heard about any problem with the processing of their personal data, and they may escalate to the Board if the fiduciary's response does not satisfy them. Organizations must therefore lay down and operate a procedure to redress grievances as and when they arise, within the time limit prescribed under the Act.

#6 Implement a Mechanism to Receive and Respond to Data Principal Rights Requests

Data Principals under the Act have the right to access a summary of their personal data and of the processing done on it, the right to correction, completion, updating and erasure of their personal data, the right of grievance redressal, the right to nominate another person to exercise these rights in the event of death or incapacity, and the right to withdraw consent at any time. (Rights such as data portability, restriction of processing and objection, familiar from the GDPR, are not provided by the DPDP Act.)

A few steps are involved in exercising these data principal rights under the DPDP Act:

  • The request must be made in the manner the data fiduciary publishes for this purpose, and it must clearly state which right the data principal wants to exercise.
  • Data fiduciaries must respond within the time limit prescribed under the Act and its rules; the Act itself leaves the period to be prescribed, so plan for a short window of about 30 days rather than waiting for the final figure.
  • If the data fiduciary refuses to comply with the request, it should give the data principal a written explanation of the reasons for refusal.
  • Data principals who are not satisfied with the data fiduciary's response, or who receive none within the prescribed period, can file a complaint with the Data Protection Board of India.

#7 Implement Organizational Data Security Safeguards

Since the India DPDP Act does not distinguish between personal data and sensitive personal data, organizations need to protect all personal data to the same standard. The Act requires reasonable security safeguards to prevent personal data breaches, and businesses have to protect data from collection until its deletion, including data handled by their Data Processors.

A practical way to proceed is to start with data discovery and classification, as offered by the OptIQ Data Security Platform, so that all personal data, structured and unstructured, across multi-cloud environments is located first and then secured.

#8 Implement a Data Protection Contract

A Data Sharing Agreement (DSA) is a legally binding contract between two or more parties that sets out the terms and conditions under which data will be shared. DSAs are typically used when businesses need to share data with each other to collaborate on projects, provide services to customers, or improve their products and services.

Under the India DPDPA, a Data Fiduciary may engage a Data Processor to process personal data on its behalf only under a valid contract, regardless of whether the processor is located in India or outside it. This covers third-party vendors, partners and other businesses. For example, a business that uses a third-party analytics company to analyze customer data needs to enter into a DSA with that company. The fiduciary remains responsible for compliance with the Act for processing done by its processors, whatever the contract says, so the contract should pin down purpose limitation, security safeguards, breach notification to the fiduciary, and erasure when the fiduciary asks for it.

#9 Maintain a Personal Data Breach Notification Template

The DPDP Act requires a data fiduciary to inform each affected data principal as well as the DPBI in case of a personal data breach; a data processor must in turn report breaches to its fiduciary under their contract so the fiduciary can meet this duty. The Act prescribes reporting for all personal data breaches, regardless of the sensitivity of the data involved or the impact on a data principal, and does not provide a risk-based threshold below which a breach may go unreported.

A personal data breach is broadly defined under the DPDP Act as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data.

For greater readiness, keep a notification template handy so that the notices to the Board and to affected data principals can be issued quickly in the form and manner prescribed, and rehearse who fills it in and who approves it.

#10 Deleting personal data post purpose fulfillment

Under the DPDP Act, businesses are required to erase personal data, and to cause their Data Processors to erase it, once the user withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is necessary to comply with a law in force. This requires data lifecycle management policies that address different types of data, their purposes and their respective retention periods.

The Act treats a purpose as no longer served if the data principal neither approaches the fiduciary for the performance of that purpose nor exercises any rights for a period to be prescribed, so inactivity itself becomes a cue for deletion. This provision is in place to ensure that personal data is not held indefinitely and is only used for its intended purpose.
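Steps #3 and #4 (one consent per purpose, collect only what the purpose needs) and step #10 (erase on withdrawal or once the purpose is no longer served) are enforcement problems as much as policy ones: the processing layer has to consult the consent record before touching a field, and erasure has to follow the consent state. The block below is an added illustration of that wiring, not code from this page or from OptIQ. The class names, the two purposes, the per-purpose field allowlists, the 365-day inactivity period and the constructed timestamps are all assumptions; the Act leaves the actual inactivity period to be prescribed.

```python
"""Purpose-bound consent ledger: per-purpose consent, minimisation at collection, a processing gate,
erasure on withdrawal, inactivity sweep. Added illustration; names, purposes, allowlists and periods are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Purpose -> the personal-data fields that purpose genuinely needs (data minimisation).
# Constructed mapping; in practice it mirrors the purposes stated in the privacy notice.
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "address", "phone"},
    "marketing_email": {"email"},
}
T0 = datetime(2024, 5, 1)  # constructed clock origin for the examples

def day(n: int) -> datetime:
    return T0 + timedelta(days=n)  # constructed helper: n days after T0

@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: "datetime | None" = None  # None while the consent is active

@dataclass
class Principal:
    pid: str
    last_interaction: datetime                    # last time the principal approached us
    data: dict = field(default_factory=dict)      # field -> value
    consents: dict = field(default_factory=dict)  # purpose -> Consent
    legal_hold: set = field(default_factory=set)  # purposes whose data law obliges us to keep

class ConsentLedger:
    def __init__(self, inactivity_days: int):
        self.principals = {}
        self.inactivity = timedelta(days=inactivity_days)
        self.audit = []  # append-only (timestamp, pid, event, detail) for accountability

    def _log(self, now, pid, event, detail=""):
        self.audit.append((now.isoformat(), pid, event, detail))

    def grant(self, pid, purpose, now):
        """One call records consent for one purpose, so purposes cannot be bundled."""
        if purpose not in PURPOSE_FIELDS:
            raise KeyError(f"purpose {purpose!r} is not in the notice")
        p = self.principals.setdefault(pid, Principal(pid, now))
        p.consents[purpose] = Consent(purpose, now)
        p.last_interaction = now
        self._log(now, pid, "consent_granted", purpose)

    def may_process(self, pid, purpose, fields, now) -> bool:
        """Gate every read or write: active consent for this purpose, fields within its allowlist."""
        p = self.principals.get(pid)
        c = p.consents.get(purpose) if p else None
        if c is None or c.withdrawn_at is not None:
            self._log(now, pid, "denied_no_consent", purpose)
            return False
        excess = set(fields) - PURPOSE_FIELDS[purpose]
        if excess:
            self._log(now, pid, "denied_minimisation", ",".join(sorted(excess)))
            return False
        return True

    def collect(self, pid, purpose, values, now) -> bool:
        """Store submitted fields only when the gate allows them for this purpose."""
        if not self.may_process(pid, purpose, values.keys(), now):
            return False
        p = self.principals[pid]
        p.data.update(values)
        p.last_interaction = now  # the principal approached us for this purpose
        self._log(now, pid, "collected", purpose)
        return True

    def withdraw(self, pid, purpose, now) -> set:
        """Withdraw one purpose; erase whatever no remaining purpose needs."""
        p = self.principals[pid]
        p.consents[purpose].withdrawn_at = now
        p.last_interaction = now  # exercising a right is an interaction
        self._log(now, pid, "consent_withdrawn", purpose)
        return self._erase_unneeded(p, now)

    def _erase_unneeded(self, p, now) -> set:
        keep = {c.purpose for c in p.consents.values() if c.withdrawn_at is None} | p.legal_hold
        needed = set().union(*(PURPOSE_FIELDS[pu] for pu in keep))
        erased = {f for f in p.data if f not in needed}
        for f in erased:
            del p.data[f]
        if erased:
            self._log(now, p.pid, "erased", ",".join(sorted(erased)))
        return erased

    def retention_sweep(self, now) -> dict:
        """Inactivity past the period means 'purpose no longer served': non-held consents lapse, data goes."""
        result = {}
        for p in self.principals.values():
            if now - p.last_interaction >= self.inactivity:
                for c in p.consents.values():
                    if c.withdrawn_at is None and c.purpose not in p.legal_hold:
                        c.withdrawn_at = now
                result[p.pid] = self._erase_unneeded(p, now)
        return result
```

Two design points are worth noting. The gate in `may_process` checks the purpose and the field set, so a marketing job that tries to read a phone number collected for order fulfilment is refused even though consent for marketing exists; that is what purpose limitation looks like at run time. Erasure is driven entirely by the consent state plus an explicit legal-hold set, so withdrawing one purpose removes only the fields no other active or legally held purpose still needs, and the inactivity sweep reuses the same rule rather than a separate deletion path. The audit list is the evidence trail for the accountability principle and for answering access requests.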

A Few Things to Look Out For

The India DPDP Act is comprehensive in its coverage and a good data compliance head start for organizations that want to operate lawfully and without breaches. There are a few other aspects that businesses need to look out for while complying with this Act:

  • Understand the applicability of the law to your business. It applies to the processing of digital personal data within India, whether the data was collected in digital form or collected offline and digitized afterwards, and it also applies to processing outside India that is in connection with offering goods or services to data principals within India.
  • Understand the exemptions under the Act. For instance, personal data processed by an individual for personal or domestic purposes, and personal data that the data principal has made publicly available (or that is made available under a legal obligation to publish), are not governed by the Act, and processing for research, archiving or statistical purposes is exempt when carried out according to the standards that will be prescribed.

Conclusion

The India DPDP Act is a welcome move towards better and more secure data processing, and it is much more than a regulatory requirement. Data regulations are generally regarded as roadblocks to business, but they are enablers in disguise: better data security earns customer trust, and a compliant reputation comes in handy in the long run.

To have maximum data utility and govern your users, while safeguarding the privacy of your customers, OptIQ Data Security Platform is the key. To know more and experience a security first approach to data inventory, schedule a demo.

Frequently asked questions

1. Who should be concerned with the India DPDP Act?

Any company or organisation processing digital personal data within India, or processing it outside India in connection with offering goods or services to Data Principals within India. Processing means any wholly or partly automated operation on digital personal data, including collection, recording, organisation, structuring, storage, use, sharing, disclosure by transmission, erasure or destruction.

2. What happens to data collected prior to commencement of the DPDPA?

For personal data collected with consent before the Act commences, organisations need to issue a fresh notice to Data Principals as soon as reasonably practicable, setting out the personal data held, the purposes for which it is processed, how Data Principals can exercise their rights and withdraw consent, and how they can file a complaint with the Board.

3. Do organisations need to register with the Data Protection Board?

Data Fiduciaries and Data Processors are not required to register with the Board. Consent Managers, however, must register. The procedure for registering with the Board is yet to be prescribed.
