
Data Compliance Requirements under the DPDP Act, 2023 

Article by Tsaaro

7 min read

Introduction  

Data has become the centre of innovation and business. For any successful business to thrive, data is necessary. The latest technologies, from Artificial Intelligence to the Metaverse, all require data to function efficiently. With the abundance of data available online and the vast amounts of data extracted from individuals, the question of the importance of Privacy has been raised time and again around the world, and data compliance has become very important. The European Union attempted to answer this problem of Data Privacy through the General Data Protection Regulation (GDPR), and several other countries have adopted various legislations in pursuance of Data Privacy. But what about data privacy in India? 

The Digital Personal Data Protection Bill, which has become India’s privacy act, was passed by the Lok Sabha on August 7 and by the Rajya Sabha on August 9. Subsequently, President Draupadi Murmu gave her assent to the Digital Personal Data Protection Bill on August 11, 2023. This gave India specific legislation that addresses the protection of a citizen’s data. Now that the law has been enacted, the government will initiate the rule-making process for the DPDP Law. This Act has the power to drastically impact businesses and organizations in India and outside. The DPDP Act consists of heavy compliance requirements for businesses, and failure to comply with the DPDP Act can result in fines up to Rs. 250 Crores. In this blog, we shall examine the applicability of India’s first comprehensive data protection act and break down the complexities of the compliance requirements under the DPDP Act for businesses.

Applicability of the DPDPA 

Before diving into the complexities of the new DPDPA, it is essential to determine the applicability of the Act and whether your business can be affected by the new Act. This Act shall apply to the processing of Personal Data in the territory of India. The term ‘Personal Data’ is defined under the DPDP Act as any data about an individual who is identifiable by or about such data. 

Similar to the previous draft version of the bill, the DPDPA shall apply to the processing of Personal Data in the territory of India. However, it is important to highlight that the Personal Data has to be either collected in a Digital Form or must be subsequently digitized if collected in a non-digital form. Hence, the DPDP Act shall apply to Personal Data in the Digital form only. 

Additionally, the Act also applies extra-territorially: the DPDP Act can apply to the processing of Personal Data irrespective of the location of the processing, provided that the processing is in connection with any activity offering goods or services to Data Principals within the territory of India. These entities shall thus also be mandated to adhere to data compliance under the DPDP Act. 

The applicability of the DPDP Act is very broad and has the power to impact several businesses in India. Hence, it is becoming increasingly important for businesses to be aware of the compliances under the Act. 

Business Compliance under the DPDP Act 2023 

Chapter II of the DPDP Act 2023 outlines the responsibilities of a Data Fiduciary. In this context, a Data Fiduciary is defined as an individual or entity that, independently or in collaboration with others, determines the purpose and methods of processing personal data. Consequently, businesses or organizations that control the processing of personal data fall under this category, and they must adhere to several obligations as stipulated by the new data protection act of India. 

The Basis for Processing Personal Data 

Sections 5 and 6 of the DPDP Act 2023 recognise the processing of Personal Data on the grounds of the Data Principal’s Consent and Deemed Consent, provided such processing aligns with the lawful purposes outlined within the Act. 

Obligations concerning Notice and Consent of Data Principal 

A request for Personal Data necessitates an Itemized Notice under Section 5 containing a clear description of the personal data and purpose, expressed in plain and comprehensible language. Concurrently, the contact information of a Data Protection Officer (DPO) or an authorized representative must be furnished to facilitate Data Principals’ exercise of rights. Section 6 mandates that Consent granted must be voluntary, specific, informed, and unambiguous, and it can be managed, reviewed, or revoked via a Consent Manager designated by the Data Fiduciary. 


Responsibilities involving legitimate uses 

Section 7 allows Data Fiduciaries to process personal data under the umbrella of “legitimate uses”, including instances where the Data Principal has willingly provided personal data, legal compliance, benefiting the Principal, adhering to court orders, medical emergencies, safety during disasters, or employment-related purposes. 

Accountability on Behalf of the Data Processor or Another Data Fiduciary 

The DPDP Act 2023, as per Section 8(5), allocates responsibility for compliance to the Data Fiduciary even in cases where activities are undertaken by a Data Processor or another Data Fiduciary on the Data Fiduciary’s behalf. 

Mandatory Standards for Processing 

Section 8 mandates that Data Fiduciaries ensure the data processed, either directly or indirectly, adheres to completeness, accuracy, and consistency standards. 

Safeguarding Personal Data and Addressing Data Breaches 

The Act compels Data Fiduciaries to implement appropriate security measures and safeguards to prevent data breaches. In case of a violation, the Data Fiduciary must notify the Data Protection Board and the affected individuals. 

Effective Grievance Resolution 

Under Section 8(10), Data Fiduciaries must publish contact details for a Data Protection Officer or authorized representative to facilitate effective grievance redressal mechanisms for Data Principals. 

Child Data Processing Obligations 

When processing the personal data of children, Data Fiduciaries will be subjected to additional obligations under Section 9, including obtaining parental Consent and refraining from monitoring a child’s behaviour. 

Significant Data Fiduciary Requirements 

The Central Government holds the authority to classify certain Fiduciaries as Significant Data Fiduciaries based on specific criteria, imposing additional obligations under Section 10, like the mandatory appointment of a DPO, Data Auditor, periodic data protection assessments, audits, and other prescribed measures. 


Cross-Border Data Transfer Regulations and Data Compliance  

Section 13 of the Act allows Data Fiduciaries to transfer personal data across borders, provided that the destination has not been restricted by a notification of the Central Government. 

The DPDP Act 2023 places a range of responsibilities on Data Fiduciaries, as outlined above. These obligations could significantly impact business operations. Enterprises must allocate resources to comply with these regulations by appointing a DPO, implementing adequate safeguards, and more. Additionally, the DPDP Act imposes substantial regulatory penalties on Data Fiduciaries for violations, potentially placing a significant financial burden on businesses. 


 Penalties  

Penalties under the DPDP Act 2023 are imposed by the Data Protection Board of India (DPB), which is established under the same Act. The role of the Board is to ensure compliance with the Act and protect the rights of Data Principals. The DPB handles complaints and violations of the Act and is vested with the power to impose fines on any offender. 

Upon receipt of information on any Breach or Non-Compliance, the Board conducts a thorough assessment to determine whether there are substantial grounds to initiate an investigation. If the Board concludes that the complaint is valid and significant, it proceeds to launch an inquiry into the matter. Furthermore, the Board is also authorized to summon and question witnesses, inspect data and documents, and take necessary actions to conduct a comprehensive investigation. 

The Board has the power to impose fines where a significant breach occurs and the severity and categorisation of the fines are outlined in the Act’s Schedule based on the nature of the offence. The maximum penalties for different types of breaches are as follows: 

1. Personal Data Breach: Up to two hundred and fifty crore rupees. 

2. Failure to Notify Data Breach: Up to two hundred crore rupees. 

3. Breach of Additional Obligations (e.g., for children or significant data fiduciaries): Up to one hundred and fifty crore rupees. 

4. Breach of Duties under Section 16: Up to ten thousand rupees. 

5. Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach. 

6. Other Breaches: Up to fifty crore rupees. 


Conclusion 

The new DPDP Act 2023, India’s first comprehensive privacy act, is highly regarded as an important piece of legislation that can transform the entire landscape of data privacy. Safeguarding Privacy has become a paramount concern for authorities, and the passing of the new DPDP Act 2023 demonstrates India’s stance towards the assurance of Data Privacy. The establishment of the DPB helps assure that the Act will be implemented effectively and that businesses will comply with the provisions of the Act. Compliance with the new Act has, however, brought with it several challenges for businesses. As businesses move towards compliance, emphasis will be laid on a Privacy-centric ecosystem with heightened cultivation of Digital Trust. Businesses will have to adapt to the new Act, which will ultimately help lay the foundation for trust amongst consumers. In this ever-evolving era of technology, Data Privacy will go a long way in building consumer trust and ensuring the protection of Data Online. 

We understand that grappling with the demands of the new law might present challenges. However, it’s important to note that our skilled Privacy Experts and Consultants can aid you in complying with its requirements. 

If your organization requires expert assistance to understand these privacy regulations, Tsaaro Consulting is here for you. 

Our Privacy experts provide the guidance you seek. You can contact us at info@tsaaro.com. 

The Ministry of Electronics and Information Technology (MeitY) has released the Draft DPDP Rules, 2025 for Public Consultation!  

