The Digital Personal Data Protection Act, 2023: Simple Steps to ensure compliance
Updated: Aug 17
The President of India granted assent to the Digital Personal Data Protection Bill, 2023 on 11 August 2023. The Bill has now officially become law, marking the culmination of a decade-long process to establish a comprehensive data protection framework for India. The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and then digitized. It also applies to such processing outside India where it is carried out for offering goods or services in India.
It is essential to emphasize that the Act is fundamentally grounded in seven key principles that underpin its framework:
The principle of consented, lawful and transparent use of personal data.
The principle of purpose limitation, mandating that personal data should only be used for the specific purpose for which the Data Principal's consent was obtained.
The principle of data minimization, requiring the collection of only the essential personal data necessary to fulfill the specified purpose.
The principle of data accuracy, ensuring that collected data remains accurate and up-to-date.
The principle of storage limitation, specifying that data should be retained only for as long as it is necessary to achieve the defined purpose.
The principle of implementing reasonable security safeguards to protect personal data.
The principle of accountability, enforced through adjudication of data breaches and violations of the Act's provisions, leading to penalties for any breaches.
These guiding principles collectively establish a robust foundation for the proper handling and protection of personal data under the Act's purview.
Here are the steps you can take to comply with the Digital Personal Data Protection Act 2023 (DPDP Act) in India:
1- Assess your obligation under the Digital Personal Data Protection Act (DPDP Act):
The first step is to assess whether your organization is subject to the DPDP Act. This will depend on the type of personal data you process, the purpose for which you process it, and the location of your organization. Also, a few processing activities are exempted from the provisions of the Act. These exemptions include:
For notified agencies, in the interest of security, sovereignty, public order, etc.
For research, archiving or statistical purposes
For startups or other notified categories of Data Fiduciaries
To enforce legal rights and claims
To perform judicial or regulatory functions
To prevent, detect, investigate, or prosecute offenses
To process in India the personal data of non-residents under foreign contract
For approved mergers, demergers, etc.
To locate defaulters and their financial assets etc.
If you are unsure whether the DPDP Act applies to your business, you should seek legal advice.
2- Identify whether you are Data Fiduciary or Data Processor: Under the Digital Personal Data Protection Act (DPDP Act), organizations that process personal data (that is, collection, storage, or any other operation on personal data) in India are classified as either Data Fiduciaries or Data Processors. The distinction between these two roles is essential, as they have different legal obligations under the DPDP Act.
Data Fiduciaries are persons, companies, and government entities that determine the purposes and means of processing personal data (that is, collection, storage, or any other operation on personal data). They are responsible for ensuring that personal data is processed lawfully, transparently, and securely.
Data Processors are persons, companies, and government entities that process personal data on behalf of Data Fiduciaries. They must comply with the instructions of the Data Fiduciary and are not responsible for determining the purposes or means of processing. However, Data Processors do have some obligations under the DPDP Act, such as protecting personal data and responding to data subject requests.
To determine whether you are a Data Fiduciary or a Data Processor, you need to answer the following questions:
1- Do you decide what type of personal data to collect and how it will be used?
2- Can you make decisions about the data's use, storage, sharing, and disposal?
3- Are you following the instructions of the Data Fiduciary in how to handle the data?
4- Do you primarily carry out processing activities based on the directions provided by the Data Fiduciary, without deciding the purpose or means of processing?
If you answered yes to the first two questions, then you are a Data Fiduciary. If you answered yes to the last two questions, then you are a Data Processor. It is essential to understand your role as a Data Fiduciary or Data Processor, as this will determine your legal obligations under the DPDP Act. If you are unsure of your role, you should seek legal advice.
3- Obtain consent from Data Principals: Under the Act, consent from the Data Principal must be free, specific, informed, unconditional, and unambiguous. It must be provided by a clear affirmative action and signify the data principal's agreement to the processing of her personal data for the specified purpose. The Act also grants the data principal the right to withdraw consent at any time, with the same ease with which she gave it.
4- Provide Notice to Data Principals: A new requirement has been inserted that requires a notice to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of the processing; and the manner in which she may exercise her rights to withdraw consent, avail the grievance redressal mechanism, and make a complaint to the Data Protection Board of India. If the data principal has given consent for the processing of her personal data before the law comes into force, a similar notice must be provided to her as soon as is reasonably practicable.
5- Delete personal data after the completion of its purpose. The Act imposes an obligation on the Data Fiduciary to erase personal data when it is no longer needed for the specified purpose and also, to erase personal data upon withdrawal of consent. Therefore, it is crucial that a system is created to track the various stages of the data lifecycle within your organization, i.e., when and how data is collected, processed, used, and stored, along with identifying the specific purposes for which data is collected. Given that different types of data may have different retention periods, you can establish clear and reasonable retention periods based on legal requirements, business needs, and the purpose of each type of data that was collected. You can implement organizational data retention policies.
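The following is an added illustration of the retention tracking described in this step; it is example code written for this article, not part of the Act or of any product. It assumes a per-purpose retention schedule (RETENTION_POLICY_DAYS, with placeholder periods), an inventory in which each unit of personal data is tagged with its purpose and consent status, and a "statutory hold" field standing in for a legal requirement to retain data beyond the policy period. A sweep erases records whose consent has been withdrawn, whose purpose is complete, or whose retention period has expired, and returns an audit trail of what was erased and why.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: purpose -> retention period in days.
# These values are illustrative placeholders, not periods prescribed by the Act.
RETENTION_POLICY_DAYS = {
    "order_fulfilment": 365,
    "marketing_newsletter": 180,
    "support_ticket": 90,
}


@dataclass
class PersonalDataRecord:
    """One unit of personal data, tagged with the purpose it was collected for."""
    record_id: str
    data_principal_id: str
    purpose: str
    collected_on: date
    consent_withdrawn_on: Optional[date] = None   # set when the Data Principal withdraws consent
    purpose_completed_on: Optional[date] = None   # set when the specified purpose has been served
    statutory_hold_until: Optional[date] = None   # assumed field: a legal requirement to retain
    erased_on: Optional[date] = None


def retention_expiry(record: PersonalDataRecord) -> date:
    """Date on which the policy retention period for this record's purpose runs out."""
    return record.collected_on + timedelta(days=RETENTION_POLICY_DAYS[record.purpose])


def erasure_reason(record: PersonalDataRecord, today: date) -> Optional[str]:
    """Return why the record is due for erasure on `today`, or None if it must be kept.

    Order of checks: already erased -> statutory hold -> consent withdrawn ->
    purpose completed -> retention period expired.
    """
    if record.erased_on is not None:
        return None
    # Assumed policy: a statutory hold defers every erasure trigger until the hold lapses.
    if record.statutory_hold_until is not None and today < record.statutory_hold_until:
        return None
    if record.consent_withdrawn_on is not None and record.consent_withdrawn_on <= today:
        return "consent withdrawn"
    if record.purpose_completed_on is not None and record.purpose_completed_on <= today:
        return "purpose completed"
    if retention_expiry(record) <= today:
        return "retention period expired"
    return None


def run_erasure_sweep(records: list, today: date) -> list:
    """Erase every record that is due and return an audit trail of what was erased and why."""
    audit = []
    for record in records:
        reason = erasure_reason(record, today)
        if reason is None:
            continue
        record.erased_on = today
        audit.append({
            "record_id": record.record_id,
            "data_principal_id": record.data_principal_id,
            "purpose": record.purpose,
            "erased_on": today.isoformat(),
            "reason": reason,
        })
    return audit


def sample_records() -> list:
    """Constructed sample inventory used to exercise the sweep."""
    return [
        PersonalDataRecord("r1", "dp-1", "order_fulfilment", date(2023, 1, 1)),
        PersonalDataRecord("r2", "dp-2", "marketing_newsletter", date(2024, 1, 10),
                           consent_withdrawn_on=date(2024, 1, 20)),
        PersonalDataRecord("r3", "dp-3", "support_ticket", date(2024, 1, 10)),
        PersonalDataRecord("r4", "dp-4", "support_ticket", date(2023, 1, 1),
                           statutory_hold_until=date(2024, 6, 30)),
        PersonalDataRecord("r5", "dp-5", "order_fulfilment", date(2022, 1, 1),
                           erased_on=date(2023, 6, 1)),
    ]


def demo(iso_today: str = "2024-01-31"):
    """Run one sweep over the sample inventory on the given date; returns (records, audit)."""
    records = sample_records()
    audit = run_erasure_sweep(records, date.fromisoformat(iso_today))
    return records, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

On 31 January 2024 the sweep erases r1 (retention period expired) and r2 (consent withdrawn), leaves r3 (still within its period), defers r4 under its hold, and skips r5 as already erased; a second sweep on the same day erases nothing, which is the property an audit log relies on.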
6- Respond to Data Principals' requests and set up a grievance redressal mechanism. The Act provides certain rights to data principals, such as the right to access information about personal data that is processed, the right to correct or erase data, the right to grievance redressal, and the right to nominate a person to exercise their rights in case of death or incapacity. Therefore, data fiduciaries are required to set up a grievance redressal mechanism to address any grievances that data principals may have regarding these rights or the breach of obligations by data fiduciaries. Data principals must exhaust all options for grievance redressal through the mechanism before approaching the Data Protection Board of India.
7- Report Data Breaches: Under the Act, the Data fiduciaries are required to intimate personal data breaches to each affected Data Principal and the Data Protection Board (DPB) in such manner as may be prescribed by the Central Government. However, based on global norms, the intimation may be required within 72 hours of the breach, and it may require the following information (i) the nature of the breach; (ii) the personal data that has been compromised; (iii) the number of Data Principals affected by the breach; (iv) the steps that have been taken to contain the breach and (v) the steps that are being taken to mitigate the impact of the breach. Therefore, it is important that the Data Fiduciaries and Data Processors have a plan in place for responding to personal data breaches.
How to proceed?
The DPDP Act is a complex piece of legislation, and it is important to seek legal advice if you have any questions about your obligations under the Act. However, by following the steps outlined in this article, you can take the first steps towards ensuring that your organization complies with the DPDP Act.
If you need to discuss this in detail, please write to us at email@example.com