A Primer on India’s Digital Personal Data Protection Act
In an era where personal data has become a digital currency, the need to strengthen data privacy has never been more evident. In August 2023, the Indian Government published the Digital Personal Data Protection (DPDP) Act, a significant milestone for digital privacy in India. As the nation’s first comprehensive data protection act, the DPDP is designed to safeguard the digital personal data of Indian citizens, much like the EU’s GDPR. While the enforcement date is yet to be determined, organizations need to understand the Act’s significance and implications and why compliance is crucial.
Important Definitions in the DPDP
The DPDP introduces several key terms necessary to comprehend the law:
- Personal Data: Any data about an individual who can be identified by the data or in relation to the data
- Data Principal: The individual identified in the data
- Data Fiduciary: The entity that establishes the purpose and methods for processing data, similar to the data controller in GDPR. Data Fiduciaries must comply with the DPDP Act.
- Data Processor: Anyone who processes personal data on behalf of a data fiduciary
- Significant Data Fiduciary (SDF): The Act identifies SDFs based on the volume and sensitivity of personal data processed and associated risks. They have specific obligations, including appointing a data protection officer (DPO) in India, appointing an independent data auditor, and conducting a data protection impact assessment (DPIA).
What Data Does the DPDP Apply to?
The DPDP applies to the processing of three specific types of data:
- Digital personal data within India that is collected online
- Personal data within India that is collected offline and later digitized
- Digital personal data outside India if it involves providing goods or services to data principals within India
Unlike existing data protection laws in India that protect specific types of personal data, such as sensitive data, the DPDP applies to all personal data unless that data is publicly available.
Citizen’s Rights Under the DPDP
The DPDP empowers Indian citizens with several rights pertaining to their data, including:
- Right to Information: The right to know how their data is used and processed.
- Right to Correction and Erasure: The ability to correct inaccuracies in their data and request its deletion.
- Right to Grievance Redressal: The means to address concerns regarding data protection.
- Right to Nominate: The right to nominate a representative to exercise their rights on their behalf.
How to Comply with the DPDP
To comply with the DPDP, a data fiduciary must obtain consent from a data principal before processing their personal data, providing specific details about the data to be processed, its intended purpose, and guidelines for exercising DPDP-granted rights and making complaints to the Board (the Data Protection Board of India established under the Act). Consent must be freely given, specific, informed, unconditional, and unambiguous, given through a clear affirmative action, and it covers only the personal data necessary for the specified purpose.
Data principals can revoke their consent at any time, requiring the data fiduciary to stop processing their personal data and instruct its data processors to do the same. Exceptions to notice and consent exist for legitimate uses, such as employment-related processing, compliance with Indian laws, and responding to medical emergencies and disasters. Notice and consent are also not mandatory when enforcing legal rights, preventing law violations, and processing the personal data of individuals outside India in contractual arrangements with foreign companies.
Under the DPDP, any unauthorized processing, disclosure, acquisition, sharing, alteration, or destruction of personal data, or improper access to it, that compromises its confidentiality, integrity, or availability constitutes a personal data breach. Data fiduciaries must implement reasonable security measures to prevent such breaches, but the DPDP does not prescribe particular security standards. In the event of a breach, the data fiduciary must report it to the Board and notify all affected data principals. The precise format and method for such disclosures are pending determination by the Central Government.
Steep Penalties for Non-Compliance
The DPDP enforces penalties for non-compliance that range from 10,000 INR to 250 crore INR. The severity of a penalty depends on factors such as the nature, gravity, duration, repetitiveness, and impact of the breach, the effectiveness and timeliness of the actions taken in response, and the likely impact of the monetary penalty on the organization.
Largest Data Breach in India’s History: 8.15 Crore Records
The urgency of data protection in India is underscored by a recent data breach, the largest in the country’s history, attributed to a threat actor known as ‘pwn001’. A staggering 8.15 crore records (815 million) from the Indian Council of Medical Research (ICMR) were compromised, including sensitive information such as Aadhaar and passport details, names, phone numbers, and addresses.
Discover and Protect Your Data with Secuvy
The recent data breach in India is a stark reminder of the importance of complying with data privacy regulations like the DPDP. This is where data security and privacy solutions like Secuvy come into play.
Secuvy is the world’s first self-learning AI data platform. By using self-learning AI, Secuvy can discover and catalog all your sensitive data from various sources, ensuring that you know where your data resides. Once you know where your data is, Secuvy offers a policy engine to create and manage data protection policies effectively, helping you enforce DPDP requirements across your data set.
While the enforcement date of DPDP has not been determined, now is the time to get ready and protect your data effectively. Secuvy’s platform can significantly reduce the risk of data breaches and assist organizations in adhering to the ever-evolving global privacy laws and regulations.
Discover how Secuvy’s self-learning AI can help you discover and protect your data and prepare for India’s DPDP Act.