Introduction & Background

On August 24, 2017, privacy became a fundamental right under the Indian Constitution, (Article 21 [Right to Life & Liberty]). This led to the formulation of a comprehensive Personal Data Protection Bill 2019 (the PDP Bill, which did not succeed and the PDP project Bill was withdrawn in August 2022.

Later on November 18, 2022, the Ministry of Electronics and Information Technology (MeitY), released a draft of the Digital Personal Data Protection Bill, 2022 (the DPDP Bill), which has been passed in Lok Sabha during the recent monsoon session of the Indian Parliament. Minor changes have also been made to the draft bill, further solidifying India's stance on personal data collection and processing.

The now DPDP Act 2023 does not provide a prescriptive approach to the appropriate measures an organization should take as each and every organization faces unique security and data privacy challenges.

Key Elements of the DPDP Act

The DPDP Act 2023 has been passed, and here is a summary with some insights from our team.

1. Collection

The Data fiduciary or company processing personal data shall be the data compliance officer in the collection of personal data for personal processing, where data processing is understood as any automated or non-automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, pooling, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Further, the Act shall apply to the processing of digital personal data within the territory of India, where the personal data collected in digital or non-digital format shall also apply to the processing of digital personal data outside the territory of India.

2. Processing

The draft DPDP bill from November 2022 does not state a specific retention period or policy that organizations must abide by. However, retention policies are often a part of privacy policies, and should be included for a comprehensive and well-written policy.

With the removal of “deemed consent” from the the Act, data can now be processed on the grounds of consent or 9 types of legitimate uses that are listed out in the Act.

As retained from the draft bill, a data principal may withdraw her consent and cease the processing of personal data unless authorised or required by this Act or other laws in India.

3. Consent

Data Principals have the right to withdraw consent at any time, and should be made as easy as providing consent. The Data Fiduciary shall also, within a reasonable time, cease data processing. Data Principals may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

4. Data Protection Officer (DPO)

Data Fiduciary to appoint a Data Protection Officer (DPO) who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India. The DPO shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The DPO shall also be the point of contact for the grievance redressal mechanism under the provisions of this Act, and their designation shall be mandatory for the Significant Data Fiduciaries.

5. Breach Notification

In the event of a data breach, the DPDP Act imposes an obligation on Data Fiduciary and Processor to notify each affected Data Principal.

This is a welcome move since the Data Principals whose personal data has been compromised would be informed about all kinds of data breaches irrespective of the severity of risk to them.

Recently, the Government of India has recommended a 6-hour notification period for security incidents from the time they become known.

6. Data Transfer

The DPDP Act has eased the cross-border data transfer requirement where the Data Fiduciaries can transfer the personal data to other countries, unless as notified by the Central Government. This further eliminates the requirement to store sensitive personal data only within India. This came as a big relief for the Data Fiduciaries who maintain their servers in foreign nations and startups who will not be compelled to invest in local storage solutions.

7. Data Transfer

A corporate entity possessing, dealing or handling any sensitive personal information is required to implement and maintain reasonable security and procedures. The Privacy Rules provide that in the absence of such security and procedures, corporate entities will have to comply with the ISO 27001 standards or codes of best practices that will be issued along with the Act.

8. Penalties

The DPDP Act has introduced certain non-compliance obligations, which will result in the following financial penalties for companies:

• Penalty up to Rs 250 crore: Failure of the processor or fiduciary to take reasonable security measures to prevent a personal data breach.

• Penalty up to Rs 200 crore: Failure to notify the Board and the Data Controllers concerned in case of a personal data breach in the time and manner they have established.

• Penalty up to Rs 200 crore: Failure to comply with additional obligations in relation to children's data (having parental consent, not processing data that causes harm to children, not tracking or monitoring children's behaviour or advertising to children)

• Penalty up to Rs 150 crore: Non-fulfilment of additional obligations of Significant Data Fiduciary.

• Penalty up to Rs 10 thousand: Non-compliance with obligations such as the Data Principal.

• Penalty up to Rs 50 crore: Failure to comply with the provisions of the Act and any regulations made under it.

Guidelines on how to proceed at this stage

1. Understand your sensitive data footprint, at risk data and data policies

2. Appoint a DPO and publish the business contact information

3. Draft a Privacy Notice to inform the data principal

4. Inform Data Principals about types of personal data and the purpose of the collection, even if the processing commenced before enforcement of the Act

5. Design and implement Privacy Policies and Procedures

6. Enforce templates for responding to Data Principal Rights Requests

7. Implement a procedure to redress the Grievances of Data Principal

8. Implement technical and organisational measures (TOM’s) and reasonable security safeguards

9. Involve a Data Processor (if required) pursuant to a valid contract

10. Maintain Personal Data Breach notification template for Board and Data Principal

11. Undertake Data Protection Impact Assessment (DPIA)

12. Appoint independent Data Auditor, perform periodic audits in relations to the objectives

How can Borneo help you achieve compliance?

Do reach out to us via our demo form to learn how our team of practitioners with hands-on domain experience can help accelerate your DPDP compliance journey.