Introduction:                  

After 6 years of the Supreme Court of India recognizing the Right to Privacy as a fundamental right enshrined in the Right to Life i.e. Article 21 of the Indian constitution, on August 11, 2023, the Indian Government officially published the digital Personal Data Protection Act, 2023 on its official Gazette and reserving it enforcement for a future date. The Act contains 44 provisions which mandate the processing of personal data on a legitimate and legal basis, apart from the compliance requirements under the DPDP Act, the  Minister of State for Electronics and Information Technology Honorable Mr. Rajeev Chandrasekhar during a press conference informed that the Indian Government will notify the DPDP Rules within the mid of October and according to a government official source it is being expected that at least 25 rules have been formulated by the government to implement the DPDP Act and the draft of the said rules are being completed and awaiting official release for public enforcement. It is also being mentioned by the IT Minister that no more than 12 months will be provided as a grace period for transition and in the case of Multinational companies who were already in compliance with other Privacy regulations including GDPR etc. will not be provided with additional time extensions for DPDP compliance.

It doesn’t mean that the corporations who were in the journey of GDPR compliance will have negligible work to do, but in reality, the compliance requirements of the DPDP Act 2023 are unique and require a specific implementation plan than other international data protection compliance requirements.

Compliance Requirements under the Digital Personal Data Protection Act 2023:

According to Section 8 of the DPDP Act, there are nine main duties of data fiduciaries:

• To comply with provisions of DPDPA irrespective of the actions of the data principal.
• Employ Data Processor through a valid contract.
• Ensure completeness, accuracy, and consistency when the processing of data is used to make a decision that affects data principals or if it is being disclosed to other data fiduciaries.
• Shall implement technical and organizational measures to comply with provisions of DPDPA. (Technical measures including setting up firewalls, VPN, encryption etc. and organizational measures comprised of internal policies, methods, practices for ensuring retention, access control, backup, quality control, information security management etc.)
• Adopt reasonable security safeguards to prevent data breaches ( including data processed by the data controller) ( reasonable security safeguards including security like ISO / IEC audit certifications, implementing comprehensive information security policy like Governance and risk compliance team etc.)
• Shall report the data breach to the data protection board and affected data principals.
• Ensure erasure requirements when it is being requested or the specified purpose for which the Personal Data is being collected is no longer being served or whichever is earlier and mandate the Data Processor to do the same.
• Shall publish the contact details of the Data Protection Officer or other representative to address the requests of data principals on behalf of data fiduciaries.
• Shall set up an effective grievance redressal mechanism for data principals.

According to Section 10 of the DPDP Act, the central government may notify a data fiduciary as a significant data fiduciary based on 6 factors and the said Significant Data Fiduciaries are obliged to:

• Appoint a Data protection officer based in India to represent the said Significant Data Fiduciary.
• Appoint an independent data auditor to evaluate the compliance requirements of the said fiduciary.
• Shall conduct periodic data protection impact assessments, data audits and other such measures as prescribed.

Consent and Notice requirements:

According to section 6, the Data fiduciary shall obtain free, specific, unconditional, informed, unambiguous consent with a clear affirmative action signifying an agreement to the processing of personal data and every such request for consent shall be accompanied by a notice informing the Data Principal about:

• Purpose in which the personal data is collected.
• How the Data Principal can exercise their rights (including the right to make complaints to the Data Protection Board)

Setting up a Data Principal Rights Framework:

Chapter III of the DPDP Act has empowered the Data principals to exercise six inherent rights in case the personal data is being processed based on the consent of the Data Principal. They are:

• Right to withdraw consent and the said mechanism shall be easily done comparable to the method deployed for obtaining consent.
• Right to access: Summary of Personal Data Processed and processing activities undertaken, Identities of third parties to whom the Personal Data has been shared and the description of the shared Personal Data.
• Right to correction, erasure, completion, and updating of Personal Data
• Right to Grievance Redressal: Through a readily available and easy, effective redressal mechanism established by the Data Fiduciary.
• Right to nominate other individuals who shall act on behalf of the Data Principal upon death or incapacity of the Data Principal.
• Right to complain to the Data Protection board after exhausting the grievance redressal framework established by Data Fiduciary.

Apart from the exceptions provided in Chapter III or other provisions of this act, the Data Fiduciary is not eligible to refuse the request of the Data Principal and unlike other regulations like GDPR which provides options for rejecting requests of a repetitive nature, the act indirectly implies that utmost compliance to honour the request of the Data Principal.

Penalty for Non-compliance:

In case of non-compliance with any provisions of the act or the rules made in, according to section 33 of the DPDP Act, the Data Protection Board shall impose a monetary penalty based on the schedule specified.

According to the Schedule, the penalty for data fiduciaries shall be ranging from Rs. 50 crores to Rs. 250 crores depends upon the breach of concerned provisions.

The amount of the penalty as mentioned in the Schedule shall be determined based on the:

• Nature, gravity, duration of the personal data breach
• The repetitiveness of the breach
• Type, nature of persona data affected by the breach
• Whether the person has realized gain or avoided any loss due to the breach
• Action taken and its nature, effectiveness, timeliness of the action taken.
• Likely impact of the monetary penalty imposed on the said person.

Conclusion:

Apart from the monetary penalty for non-compliance, the said entity who was not serious about the compliance of the data breach shall be prone to reputational damage and such damage can cause a catastrophic impact on the business of the said entity. For instance, a research report showcases that one-third of customers in finance, retail and healthcare will stop doing business with an organization that has experienced a data breach and around 33.5 per cent of them will use social media to vent out their opinion about the damage that occurred due to the breach.

According to a news report the awareness about the mishandling of personal data has increased in recent times and the Data Principals are actively involved in Data Activism to enforce their Data Protection rights as a result, most of the big business firms are actively involved in the Journey of compliance with DPDP Act and it is the right time that the companies should pay attention to the compliance requirements of DPDP Act 2023.