In a monumental move, India enacted the Digital Personal Data Protection (DPDP) Act in August 2023. This groundbreaking legislation marks a significant stride in addressing personal data protection across various sectors in the country. Its primary objective is to strike a delicate balance between safeguarding individuals’ right to protect their personal data and the need for lawful data processing. In this blog post we cover the main aspects of the new DPDP Act. Here’s what to know:
What Are Key Features of the New Act?
Building upon its 2019 predecessor, the DPDP Act, 2023, refines the earlier approach: it reduces regulatory burdens on businesses while upholding robust protections for consumers, and it introduces discretionary powers for the central government in specific cases.
- Data principal: The term ‘data principal’ refers to the individual to whom the personal data relates. The Act strongly emphasizes empowering data principals with rights and control over their information.
- Data fiduciary: Entities that are data processors are termed data fiduciaries. The Act establishes obligations and responsibilities for data fiduciaries, promoting ethical and accountable data processing practices.
- Significant data fiduciary: The DPDPA introduces the concept of significant data fiduciaries, indicating entities engaged in large-scale data processing. These entities bear additional responsibilities, acknowledging the potential impact of their operations on a broader scale.
What Does it Cover (Scope)?
Material Scope: The DPDP Act applies to personal data, whether in digital form or subsequently digitized from non-digital sources. However, certain exclusions exist, such as non-digital data, personal or domestic data processing, and data made publicly available under legal obligations.
Territorial Scope: The legislation applies within the geographical bounds of India and extends beyond them where the processing is associated with offering goods and services to data principals in India.
What Are the Grounds for Data Collection and Processing?
The DPDP Act, 2023, permits the processing of personal data for any lawful purpose. This necessitates explicit and informed consent or processing for legitimate uses, as explicitly defined within the legislation. Consent must be unconditional, accompanied by a clear affirmative action. Individuals maintain the right to withdraw consent. Legitimate uses encompass voluntary data provision, government service provisioning, legal obligations, and more.
What is a Consent Manager and Do You Need One?
A consent manager serves as a central point of contact for individuals to provide, oversee, assess, and retract their consent for the processing of their personal data. The appointment of a consent manager requires registration with the Data Protection Board of India (DPB) and adherence to the DPB’s specified requirements.
Primary functions of a consent manager:
- Act on behalf of the data principal, safeguarding their interests.
- Ensure the consent process is fair, transparent, and easily accessible.
- Maintain comprehensive records of all consents granted, managed, reviewed, and revoked.
The decision to appoint a consent manager depends on a company’s specific circumstances and the nature of its data processing activities. Nonetheless, it is generally recommended for companies to designate a consent manager to ensure compliance with the India DPDPA.
What Are Obligations of Data Fiduciaries?
Entities handling digital personal data, termed data fiduciaries, bear specific obligations. These include maintaining security safeguards, ensuring data accuracy, reporting breaches to the Data Protection Board of India, erasing data upon consent withdrawal, appointing a data protection officer, and obtaining parental consent for minors. Notably, significant data fiduciaries (SDFs) shoulder additional responsibilities.
What Are the Rights of Data Principals?
Data principals have the following rights:
- To be informed about the processing of their personal data.
- To access their personal data.
- To have their personal data corrected.
- To have their personal data updated.
- To have their personal data erased.
- To nominate another person to exercise their data privacy rights.
- To submit a grievance to the Data Fiduciary.
Data principals can exercise their rights through the designated procedures provided by the data fiduciaries. Upon submission, the data fiduciary is obligated to acknowledge and fulfill the request. Furthermore, the data fiduciary must institute an efficient system for addressing grievances raised by data principals.
Exemptions From Obligations Under the Law
The legislation incorporates exemptions for specific scenarios, including legal enforcement, data processing by courts, and processing personal data of non-Indian residents in India. Certain purposes and entities, such as those linked to India’s sovereignty, research, and startups, are also exempted.
How Tarya Fintech’s End-to-End Solution Can Assist
India’s DPDP Act 2023 poses challenges for businesses, particularly financial companies. These challenges can be mitigated through strategic partnerships with technology providers. Tarya Fintech’s unified platform seamlessly integrates data controls across security, privacy, compliance, and governance. This alignment with India’s DPDP Act 2023 and global privacy standards positions it as a reliable solution for businesses seeking compliance. Learn more about Tarya Fintech’s solution here.