Data Compliance Requirements under the DPDP Act, 2023 

Article by Tsaaro



Update- 9th October, 2024: DPDP Rules to come out soon 

Update- 23rd July, 2024: Budgetary allocation made for the Data Protection Board of India, learn more about it here 

Introduction  

Data has become the centre of innovation and business. For any business to thrive, data is necessary. The latest technologies, from Artificial Intelligence to the Metaverse, all require data to function efficiently. With the abundance of data available online and the volume of data extracted from individuals, the question of the importance of privacy has been raised time and again around the world, and data compliance has become critically important. The European Union attempted to answer this problem of data privacy through the General Data Protection Regulation (GDPR), and several other countries have adopted various legislations in pursuance of data privacy. But what about data privacy in India? 

The Digital Personal Data Protection Bill, which is now India’s privacy act, was passed by the Lok Sabha on August 7 and by the Rajya Sabha on August 9. Subsequently, President Draupadi Murmu gave her assent to the Digital Personal Data Protection Bill on August 11, 2023. This gave India specific legislation that addresses the protection of a citizen’s data. Now that the law has been enacted, the government will initiate the rule-making process for the DPDP Law. This Act has the power to drastically impact businesses and organizations in India and outside. The DPDP Act imposes heavy compliance requirements on businesses, and failure to comply with the DPDP Act can result in fines of up to Rs. 250 Crores. In this blog, we shall examine the applicability of India’s first comprehensive data protection act and break down the complexities of the compliance requirements under the DPDP Act for businesses. 

Applicability of the DPDPA 

Before diving into the complexities of the new DPDPA, it is essential to determine the applicability of the Act and whether your business can be affected by the new Act. This Act shall apply to the processing of Personal Data in the territory of India. The term ‘Personal Data’ is defined under the DPDP Act as any data about an individual who is identifiable by or about such data. 

Similar to the previous draft version of the bill, the DPDPA shall apply to the processing of Personal Data in the territory of India. However, it is important to highlight that the Personal Data has to be either collected in a Digital Form or must be subsequently digitized if collected in a non-digital form. Hence, the DPDP Act shall apply to Personal Data in the Digital form only. 

Additionally, the Act applies extra-territorially: the DPDP Act can apply to the processing of Personal Data irrespective of the location of the processing, provided that the processing is in connection with any activity offering goods or services to Data Principals within the territory of India. Such entities are therefore also mandated to adhere to data compliance under the DPDP Act. 

The applicability of the DPDP Act is very broad and has the power to impact several businesses in India. Hence, it is becoming increasingly important for businesses to be aware of the compliance requirements under the Act. 

Business Compliance under the DPDP Act 2023 

Chapter II of the DPDP Act 2023 outlines the responsibilities of a Data Fiduciary. In this context, a Data Fiduciary is defined as an individual or entity that, independently or in collaboration with others, determines the purpose and methods of processing personal data. Consequently, businesses or organizations that control the processing of personal data fall under this category, and they must adhere to several obligations as stipulated by the new data protection act of India. 

The Basis for Processing Personal Data 

Sections 5 and 6 of the DPDP Act 2023 recognise the processing of Personal Data on the grounds of the Data Principal’s Consent and Deemed Consent, provided such processing aligns with the lawful purposes outlined within the Act. 

Obligations concerning Notice and Consent of Data Principal 

A request for Personal Data necessitates an Itemized Notice under Section 5 containing a clear description of the personal data and purpose, expressed in plain and comprehensible language. Concurrently, the contact information of a Data Protection Officer (DPO) or an authorized representative must be furnished to facilitate Data Principals’ exercise of rights. Section 6 mandates that Consent granted must be voluntary, specific, informed, and unambiguous, and it can be managed, reviewed, or revoked via a Consent Manager designated by the Data Fiduciary. 


Responsibilities involving legitimate uses 

Section 7 allows Data Fiduciaries to process personal data under the umbrella of “legitimate uses”, including instances where the Data Principal has willingly provided personal data, as well as legal compliance, benefiting the Principal, adhering to court orders, medical emergencies, safety during disasters, and employment-related purposes. 

Accountability on Behalf of the Data Processor or Another Data Fiduciary 

The DPDP Act 2023, as per Section 8(5), places responsibility for compliance on the Data Fiduciary even in cases where the processing is undertaken by a Data Processor or another Data Fiduciary on the Data Fiduciary’s behalf. 

Mandatory Standards for Processing 

Section 8 mandates that Data Fiduciaries ensure the data processed, either directly or indirectly, adheres to completeness, accuracy, and consistency standards. 

Safeguarding Personal Data and Addressing Data Breaches 

The Act compels Data Fiduciaries to implement appropriate security measures and safeguards to prevent personal data breaches. In the event of a breach, the Data Fiduciary must notify the Data Protection Board and the affected individuals. 

Effective Grievance Resolution 

Under Section 8(10), Data Fiduciaries must publish the contact details of a Data Protection Officer or authorized representative to provide an effective grievance redressal mechanism for Data Principals. 

Child Data Processing Obligations 

When processing the personal data of children, Data Fiduciaries will be subjected to additional obligations under Section 9, including obtaining parental Consent and refraining from monitoring a child’s behaviour. 

Significant Data Fiduciary Requirements 

The Central Government holds the authority to classify certain Data Fiduciaries as Significant Data Fiduciaries based on specific criteria, imposing additional obligations under Section 10, such as the mandatory appointment of a DPO and an independent Data Auditor, periodic data protection impact assessments, audits, and other prescribed measures. 


Cross-Border Data Transfer Regulations and Data Compliance  

Section 13 of the Act allows Data Fiduciaries to transfer personal data across borders, unless the Central Government has, by notification, restricted such transfers. 

The DPDP Act 2023 places a range of responsibilities on Data Fiduciaries, as outlined above. These obligations could significantly impact business operations. Enterprises must allocate resources to comply with these regulations by appointing a DPO, implementing adequate safeguards, and more. Additionally, the DPDP Act imposes substantial regulatory penalties on Data Fiduciaries for violations, potentially placing a significant financial burden on businesses. 
