The Digital Personal Data Protection Act, 2023 (“Act”), which came into effect on August 11, 2023, marks a significant milestone in safeguarding individuals' privacy and regulating how businesses handle personal data.
To ensure compliance and uphold customer trust, companies must familiarize themselves with the Act's provisions and implement the necessary measures outlined in this article.
The Act introduces the following important roles in the data protection ecosystem:
a. Data Fiduciary: A data fiduciary is an entity that determines the purpose and means of data processing.
b. Data Processor: A data processor, on the other hand, processes data on behalf of the data fiduciary.
c. Data Principal: The data principal is the individual to whom the personal data belongs.
d. Consent Managers: The Act allows Data Fiduciaries to appoint consent managers to manage consent-related activities efficiently. Consent managers must be registered under the Act in the manner the Central Government may prescribe.
e. Significant Data Fiduciary: Any entity designated as a "Significant Data Fiduciary" will be subject to stricter compliance requirements because of its substantial impact on individuals' privacy. A Significant Data Fiduciary may be notified by the Central Government based on the factors provided in the Act, including volume, the nature of the risk to the rights of Data Principals, or the security of the State.
Understanding these roles is crucial for businesses to determine their responsibilities and relationships when handling digital personal data.
The Act applies to the processing of all digital personal information in India whether such personal information is collected in digital or non-digital form. The Act also applies to the processing of digital personal information outside India if such processing is for providing goods and services to Data Principals in India.
Processing encompasses a wide range of activities, including data collection, processing, storage, sharing, transmission, erasure, or destruction. The Act is designed to safeguard individuals' personal data rights, promote responsible data processing, and create a transparent and accountable data processing ecosystem.
Under the Act, individuals enjoy enhanced rights over their personal data, including the right to access, rectify, erase, and restrict processing of their information. Further, Data Fiduciaries are required to establish mechanisms to receive and address grievances of Data Principals in relation to the processing of their personal data. Businesses must establish processes to address these requests promptly and transparently, allowing individuals to exercise their rights easily.
The Act places a strong emphasis on obtaining explicit and informed consent from individuals before collecting and processing their personal data. Businesses must review their consent mechanisms to ensure they are transparent, easily understandable, and allow individuals to grant or withdraw consent freely.
Further, special attention has been given to the processing of personal information belonging to a child, which requires the consent of a parent or guardian.
Transferring personal data across international borders, except under certain exemptions provided in the Act, will require special attention from businesses. The Central Government may in future notify countries to which the transfer of personal data by a Data Fiduciary is restricted.
In the unfortunate event of a data breach, Data Fiduciaries are required to notify the Board of the breach and provide such information as may be prescribed in future under the Act. A well-defined incident response plan can therefore help a Data Fiduciary manage such situations efficiently.
a. Appointment of Data Protection Officer
One of the key requirements of the Act is the appointment of a Data Protection Officer (“DPO”) by a Significant Data Fiduciary. This individual serves as a bridge between the company, Data Principals, and regulatory authorities. The DPO is responsible for overseeing data protection activities, ensuring compliance, and acting as the point of contact for Data Principals' inquiries and concerns.
b. Data Protection Impact Assessments
Significant Data Fiduciaries are required to periodically conduct a Data Protection Impact Assessment (“DPIA”), a process that covers the rights of Data Principals, the purpose of processing their data, the assessment and management of risks to those rights, and other matters as may be prescribed under the Act. Businesses designated as Significant Data Fiduciaries must conduct DPIAs to assess the potential privacy risks associated with their operations and their processing of Data Principals' digital personal data, and may also need to implement measures to mitigate these risks.
The Act establishes the Data Protection Board of India (“Board”), a regulatory authority responsible for overseeing and enforcing data protection compliance under the Act, including matters concerning data breaches and complaints from Data Principals.
With the implementation of the Act, India has taken a huge step towards facilitating personal data privacy and protection. This is evident from a few of the Data Principal's rights, such as the right to erase and restrict processing of personal data, which are in line with the European Union's General Data Protection Regulation, which came into effect in May 2018, and the California Consumer Privacy Act of 2018. Such rights have been provided by very few of the data privacy and protection regulations currently in force around the world.
The Act underscores the significance of responsible data handling, granting individuals greater control over their information. By adhering to the essential compliance requirements outlined in the Act, businesses can not only avoid legal repercussions but also build a foundation of trust and loyalty with their customers in this data-driven era.
About the author: Abhinav Jain is a Principal Associate at Singhania & Partners.
Disclaimer: The information provided in this article is intended for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023 as accessed on 28 August 2023. Regulations can change, and interpretations may vary, so readers are advised to seek accurate legal advice based on their individual business requirements or facts, which may vary from business to business.
While efforts have been made to ensure the accuracy and reliability of the information, no warranties of any kind, whether expressed or implied, are made regarding the completeness or accuracy of the content.