On September 20, 2023, During a key industry stakeholders discussion on the implementation of the Digital Personal Data Protection Act 2023 during the inaugural Digital India Dialogues session which included key industrial representatives from Meta, Netflix, Dell, Paytm, Microsoft, Lenovo etc., the Union Minister for Electronics and Information Technology (MeitY), Rajeev Chandrasekhar stated that ” the necessary rules prescribed under the act will be released within next 30 days and it will be open for public consultation. The Union Minister further emphasized all the Data Fiduciaries under the act must adhere to the compliance requirements under the DPDP Act.
According to another news report, The Union Minister has informed the reporters that eight rules will be formulated by the government, including those related to consent management. The Minister expected that the time extension for entities for compliance requirements may only be granted based on compelling justifications, and companies that are already in compliance with rules similar to the General Data Protection Regulation (GDPR) should not seek a grace period of extension.
The Union Minister emphasised that the implementation of DPDP rules should occur seamlessly and expeditiously. Organizations that are on the journey or wish to start the journey of compliance with the DPDP Act should take in care certain mandatory requirements into consideration.
Key compliance requirements for Organizations under the DPDP Act and DPDP Rules:
In the newly enacted Digital Personal Data Protection Act the notion of delegating the compliance requirements is highly prevalent, for instance, the act repeats the term “as may be prescribed” 26 times which indicates that the key compliance requirements including consent, processing children’s data, Data Principal Rights etc. requires additional compliance requirements mandated by the upcoming DPDP Rules. For instance, in the case of cross border transfer data transfer, according to section 16 of the DPDP act the central Government shall by notification mandate the restrictions for the transfer of personnel to countries or territories outside India.
According to Section 6 of the DPDP Act, the consent Manager shall act on behalf of the Data Principal to review, withdraw, and manage consent and the consent manager should be registered with the Data Protection Board according to the prescribed rules by the central Government.
Organizations shall address the compliance requirements for the Registration of the Consent Manager with the Data Protection Board subject to the Technical, operational, financial, and other conditions which are to be prescribed by the upcoming DPDP Rules.
Data Breach Incident Compliance:
According to Section 8 of the DPDP Act, in case of a data breach the Data fiduciary shall inform the Data Principal and Data Protection Board as soon as the Data fiduciary as soon as possible.
Entities in the process of complying with the DPDP Act shall follow the form and manner stipulated by the Central Government for alerting the Data Protection Board and its principals about an unexpected data breach occurrence.
Contact Details of Data Protection Officer:
According to section 8 (9) of the DPDP Act, the Data fiduciaries are obliged to publish the contact details of the Data protection officer or any other person who is responsible for queries raised by the Data fiduciaries regarding the processing of their data.
In case of data fiduciaries publishing contact details of DPO or other persons, the manner and the modes of publishing are to be mandated by the upcoming DPDP Rules and the fiduciaries shall comply with such mandates.
Processing of Personal data of children:
According to Section 9 of the act, the Data fiduciaries must obtain the consent of the parents or legal guardian before processing children’s data and the upcoming rules prescribe how verifiable consent is to be obtained and certain data fiduciaries are exempted from the above requirement based on the upcoming DPDP Rules.
Data Protection Impact Assessment:
According to section 10 of the DPDP Act, Significant Data Fiduciary shall conduct a Data protection impact Assessment, and periodic audit and the methods, manner, and description of DPIA, Audit and other such matters are to be prescribed by the DPDP Rules.
Data principal rights:
Chapter III of the DPDP Act, the Data Principals shall exercise their rights regarding the processing of personal data how the Data principal shall make the request how the Data fiduciary or consent manager shall respond to such request and the time frame in which the said requests shall be responded is being notified by the DPDP Rules.
Data protection board:
The Central may by notification appoint a Data protection board and appoint a chairperson, and other members and prescribe the salary of the members and chairperson in the upcoming DPDP rules.
Further the proceedings of the board, the orders, directions, and instruments will be presented in a manner as prescribed by the upcoming rules.
Penalty for Noncompliance:
According to Section 33(1), for any noncompliance or breach of the provisions of the DPDP Act, the Data Protection Board after conducting an inquiry with an opportunity to hear both sides and impose a monetary penalty.
The Schedule mentioned at the end of the act prescribes seven different types of monetary penalties. Based on the nature and gravity, duration, and repetitiveness of the breach and based on the mitigated actions and timeliness and effectiveness of the action after the breach, the Penalty amount shall extend from 50 crores INR to 250 crores INR.
In the Inaugural Digital India Dialogue Session, the Union Minister accentuated that the core objective of the DPDP Act is to ensure trust and security among all the digital citizens and the Minister stressed that the act and upcoming rules aim to instill a culture of behavioural change among all the entities that were handling personal data. This behavioural change can be implemented by encouraging all the entities to comply with the responsible practices that align with the trust that the Data Principals have agreed upon. To comply with the said act and adjacent rules, a mere checklist from the internet will not suffice, it essentially requires the expertise of personnel who are well-equipped to handle such situations.
How can Tsaaro Consulting help you?
Tsaaro Consulting is a pioneer in security and privacy compliance in India, with a team of experienced professionals ranging from technical to legal backgrounds, Tsaaro Consulting will empower business entities to manage their compliance with the Digital Personal Data Protection Act and other Data Privacy and cyber security regulations. To connect with Tsaaro Consulting, visit our website at www.tsaaro.com or get in touch with us at email@example.com to know more.