As a natural corollary to the growing infusion of technology into regular economic transactions, it becomes imperative to safeguard every individual personal data from potential insecurity in the process of collection, storage, processing and utilisation or disclosure. While the prospects of data protection became relevant with Information Technology Act, 2000 and recognition of Right to Privacy, a specialised statutory regime has only been sought to be established with the introduction of the Digital Personal Data Protection Act, 2023 to establish data protection in India.
Scope of the Digital Personal Data Protection Act
Essentially, the Act identifies informational privacy manifesting as personal data as an “essential facet” of the fundamental Right to Privacy. It sets out provisions to regulate the processing of personal data within Indian Territory or by the Indian Government, entities incorporated under Indian law and Indian citizens or outside Indian Territory but with some tangible connection in India. Under the Act, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. This Act has a wide application and includes within its ambit everything from e- commerce, social media, IT companies, to brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies.
Rights of Data Principal
The purpose of DPDPA is also to lay down the rights of the data principal, the person whose data is being collected and processed by data collector to allow for stricter compliance from the initial stages to the last. All information conveyed to the data principals should be in a clear and unambiguous manner.
Right to information about personal data To obtain confirmation of processing, summary of personal data, identification of data fiduciaries with whom personal data has been shared, etc
Right to correction and erasure of personal data
To ask for correction of inaccurate data or updating data or even deletion of data.
Right of grievance redressal
To file a complaint with the data fiduciary and file a grievance with the data protection board.
Right to nominate
To nominate any person to exercise these rights upon death or incapacitation of the data principal
Compliance Obligations
- To ensure accountability, the Act provides a comprehensive outline of obligations of the entities responsible for deciding the means and purpose of data processing, with corresponding penalties for violations.
- Processing of personal data is prohibited except for any specific, clear and lawful purpose. Under these provisions, processing of data is mandated to be subject to certain purpose, collection and storage limitations.
- Grievance redressal mechanisms must also be implemented to address complaints of individuals.
- There is a separate categorization of certain entities as significant data fiduciaries which is based on certain criteria such as volume of data processed and turnover of fiduciary.
- There are additional obligations on these fiduciaries that include accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
- The Act also talks of transparency and accountability measures such as the Privacy by Design Policy which has to be in place for all data fiduciaries.
Privacy By Design
Every organisation should prepare a Privacy By Design Policy, containing:
- the managerial, organisational, business practices and technical systems to avoid harm to data principal
- the obligations of data fiduciaries
- the technology used in the processing of personal data is in accordance with commercially accepted or certified standards
- the legitimate interests of businesses including any innovation is achieved without compromising privacy interests
- the protection of privacy throughout processing from the point of collection to deletion of personal data
- the processing of personal data in a transparent manner
- the interest of the data principal is accounted for at every stage of processing of personal data
Reporting Data Breaches
The Data Protection Board shall be informed about a breach of any personal data by the data fiduciary, where such data breach may cause harm to the data principal
The notices should contain the following information:
- nature of personal data which is the subject-matter of the breach;
- number of data principals affected by the breach;
- possible consequences of the breach; and
- action being taken by the data fiduciary to remedy the breach.
Penalties
The Act focuses on financial penalties to regulate compliance with the obligations. The Data Protection Board has the power to issue penalties up to INR 250 crore. Additionally, Data fiduciaries are liable to pay a penalty up to INR 250 crore for breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach.
Enforcement Mechanism
Lastly, the DPDPA provides for establishing the Data Protection Board to monitor and enforce the provisions. This Authority will have members with expertise in fields such as data protection and information technology. Any individual not satisfied with the grievance redressal by the data fiduciary can file a complaint to said Authority. There is a mechanism for appeal of such Orders of the Authority to an Appellate Tribunal and from there the Appeals will go to the Supreme Court.
Benefits of the DPDPA Implementation Program
- Comply with Indian Privacy Laws efficiently and effectively.
- Recognize, Access and Strategize Personal Data within your organization
- Adapt, Improvise and leverage your existing privacy compliance in order to comply with the DPDPA.
- Policy and Notice Management and maintain data privacy structures within the organizations.
If you are a company situated in India, and provide services globally, in regions such as US, Middle East or EU, please check our privacy programs provided as provided here.