India's Digital Personal Data Protection Act.

The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of India's Digital Personal Data Protection Act.

Endpoint Central can help you stay compliant with India's latest privacy law.

The Constitution of India guarantees the right to privacy under Articles 14, 19, and 21, and the Supreme Court of India, in its landmark ruling K. S. Puttaswamy vs. Union of India, reaffirmed this in 2017. Since the GDPR came into force, the Indian government has been trying to enact a personal data protection law. After multiple iterations and suggestions, India finally passed the Digital Personal Data Protection Act (DPDPA) in Parliament on Aug. 9, 2023.

Before we take a deep dive into this act, here are some useful explanations for the terminologies it uses:

  • Data principal:

    The individual to whom the data relates (e.g., you are the data principal if you provide your name, email address, and phone number for a dinner reservation)

  • Data fiduciary:

    An entity, such as a business, that intends to collect personal information for various purposes (e.g., if a restaurant is collecting your personal details for a dinner reservation, it becomes a data fiduciary)

  • Data processor:

    An entity that processes personal data on behalf of a data fiduciary (e.g., a third-party app helping the restaurant enable the booking of dinner reservations)

Salient features of India's DPDPA

  • Scope:

    The scope of the act extends throughout Indian territory and when physical data is digitized. The act also applies when data pertaining to Indians is processed outside of India.

  • Cross-border data flows:

    The cross-border flow of personal data is restricted to countries notified by the Indian government. (Yet to be notified)

  • Processing of personal data:

    Personal data can be obtained and processed after receiving explicit consent from the data principal. In some legitimate cases, explicit consent is not required.

  • Duties of data fiduciaries:

    A business collects personal data for various purposes, thus assuming the role of data fiduciary. The act mandates that data fiduciaries:

    1. Maintain the accuracy of the data.

    2. Prevent data from getting breached.

    3. Ensure the data is deleted once the purpose is met.

  • Rights for the data principal:

    The data principal has the right to obtain more information and request erasure, correction, and redress for grievances.

  • The Data Protection Board of India:

    This board will judge cases of noncompliance with the bill's provisions. The board's verdict can be counter-appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

  • Significant data fiduciaries:

    The Indian government may classify a data fiduciary or a class of data fiduciaries as significant based on the:

    1. Volume and sensitivity of the data it processes.

    2. Risk of harm to the data principal.

    3. Potential impact on the sovereignty and integrity of India.

  • Penalty:

    Noncompliance will result in a penalty of up to 250 crores.

  • Objectives of the Indian government in enacting this law

    • Ensuring data protection and thus the right to privacy for individuals without much disruption to the normal conduct of businesses

    • Ensuring ease of living for individuals

    • Enabling ease of doing business for enterprises

    • Enabling the thriving digital ecosystem in India

    The importance of complying with India's personal data law

    According to IBM's Cost of a Data Breach Report 2023, "the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over three years." The report also mentions that around 51% of organizations plan to increase security investments, "including incident response (IR) planning and testing, employee training, and threat detection and response tools."

    Personal data breaches are very sensitive because the right to privacy is a fundamental right in India. Besides costing your business financially and incuring hefty penalties, a personal data breach could ruin your company's reputation.

    That is why you need Endpoint Central, the comprehensive endpoint management and security suite from ManageEngine. Bundled with multiple security features, Endpoint Central helps you keep your data safe and secure.

    Features that help you stay compliant with India's latest personal data protection law

    • A powerful data leakage prevention capability that lets you detect and classify personally identifiable information (PII) and have complete control over how data flows in your IT environment by configuring policies on data transfers through cloud and peripheral devices

    • Containerization of corporate and personal data for BYODs

    • Geofencing to define the perimeter of your devices (and thus the data on them) within your office's premises

    • Remote wiping of data to ensure your data does not get leaked, even if the corporate device is lost

    • Patented ransomware protection that alerts you about unusual file movements and helps you create an unerasable data backup

    • A Data Protection Officer Dashboard capable of giving actionable insights on the vulnerability status of your endpoints, BitLocker-encrypted devices, endpoints nearing the end of life, user access controls, firewalls, and much more

    • Role-based access controls for your IT admins to prevent accidental data leakage

    • Terms of use documents to be deployed on your employees' devices, and only on their agreement does Endpoint Central start managing the device, effectively obtaining user consent for device managements

    There is more to tell about how our solution can help you comply with India's DPDPA. That is why we encourage you to try it by downloading or signing up for our product, which is absolutely free for 30 days.




    3. Digital Personal Data Protection Act 2023