What is the DPDP Act, 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act; "The Act"), passed by the Indian Parliament in August 2023, aims to balance each individual's right to safeguard their personal data with the need to process that data for lawful purposes. It sets rules for organizations handling digital personal data, defines the rights and duties of individuals, and provides for financial penalties for violations.

History of the DPDP Act

The journey towards data protection legislation in India has evolved significantly over the years. In August 2017, the Supreme Court of India (in Justice K.S. Puttaswamy v. Union of India) recognized the Right to Privacy as a fundamental right under Article 21 of the Constitution. Shortly before that judgment, in July 2017, the Ministry of Electronics and Information Technology (MeitY) had constituted a Committee of Experts on a data protection framework, chaired by Justice B.N. Srikrishna, a former Supreme Court judge. The committee submitted its report together with a draft Personal Data Protection Bill in July 2018, and that draft shaped the legislation that followed.

After further revisions, the Personal Data Protection Bill, 2019 was approved by the Cabinet and introduced in the Lok Sabha in December 2019, then referred to a Joint Parliamentary Committee. The Committee's report, tabled in December 2021, recommended extensive amendments amounting to a complete overhaul, and the government withdrew the 2019 bill on August 3, 2022, choosing to draft a new bill to address evolving digital privacy needs and support innovation. The draft Digital Personal Data Protection Bill, 2022 was released for public consultation on November 18, 2022. Finally, the Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha on August 3, 2023, passed by both Houses of Parliament, and received the assent of President Droupadi Murmu on August 11, 2023, becoming the Digital Personal Data Protection Act, 2023.

Who does the DPDP Act apply to?

This Act applies to organizations that:

  1. Handle personal data within India: All organizations that handle personal data—regardless of whether the data is originally gathered in digital form, or in a non-digital form and subsequently converted to digital—are under the purview of the DPDP.

    Example: A hospital records patient details on paper, later converting them into digital health records. These digitized records are subject to the Act.

  2. Process personal data outside India: Organizations that process individuals' personal data abroad but still provide goods and services to them in India are covered under the Act.

    Example: An e-commerce company based in Singapore collects names, addresses, and payment details from Indian customers to deliver products in India. These processing activities fall under the Act's jurisdiction.

Exclusions: It is crucial to understand that the Act does not protect all personal data. Personal data falls outside the Act if it is:

  • Managed by an individual for personal or household reasons: Data used by individuals for personal or household activities is not covered by the DPDP Act.

    Example: A parent maintains a list of their children's friends’ birthdays on their phone. Since this data is for personal and not commercial or business use, it is excluded from the Act.

  • Publicly disclosed: The data has been made public by the individual it relates to or by someone required to disclose it under Indian law.

    Example: A social media user willingly shares their phone number on their public profile. This data would not be protected under the Act. A government-mandated registry (e.g., company directors' contact details) that makes personal data public in compliance with laws is also excluded.

  • Non-digital data: Data that remains in a non-digital form, such as handwritten records or physical documents, is not covered under the Act unless it is digitized.

    Example: A business maintaining customer details in a physical ledger would fall outside the scope of the Act unless those records are converted into a digital format.

Glossary for terms within the DPDP Act (definitions)

The DPDP Act employs unique terminology and definitions that differ from those used in other compliance mandates, such as the GDPR. To fully understand the Act, it is essential to familiarize yourself with the specific definitions provided within the DPDP Act.

1. Personal data: Any data that can identify an individual or is linked to them.

2. Digital personal data: Personal data in digital form.

3. Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of the processing of personal data.

4. Data Principal: The individual to whom the personal data relates. Where that individual cannot act for themselves, the definition also includes the person who acts on their behalf:

  • A child: While the child remains the Data Principal, the parents or legal guardians will act on their behalf.
  • A person with disability: While the person with the disability remains the Data Principal, their lawful guardian will act on their behalf.

5. Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.

6. Processing of personal data: A wholly or partly automated operation or set of operations performed on digital personal data. This includes operations such as:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation
  • Retrieval
  • Use
  • Alignment or combination
  • Indexing
  • Sharing
  • Disclosure by transmission
  • Dissemination or otherwise making available
  • Restriction
  • Erasure or destruction

Structure of the DPDP Act

Chapter 1: Preliminary (Sections 1-3)

This initial chapter lays the groundwork for the DPDP Act, detailing its scope and key definitions. It establishes the goal of the Act, which is to ensure protection of individuals' data while enabling that data's legitimate use.

Chapter 2: Obligations of Data Fiduciary (Sections 4-10)

This chapter outlines the duties of Data Fiduciaries: the lawful grounds for processing (consent or the "legitimate uses" listed in the Act), the notice that must accompany a consent request, the general obligations to maintain accuracy, implement reasonable security safeguards, notify the Board and affected Data Principals of a personal data breach, and erase data once its purpose is served, plus the additional obligations for processing children's data and for Significant Data Fiduciaries. It aims to govern the relationship between Data Fiduciaries and Data Principals, ensuring transparency, accountability, and strong data protection practices.

Chapter 3: Rights and duties of Data Principal (Sections 11-15)

Here, the rights and duties of Data Principals are set out: the right to access information about the processing of their personal data, the right to correction and erasure, the right to grievance redressal, and the right to nominate another person to exercise these rights in the event of death or incapacity. It also sets forth the processes for exercising these rights and addressing grievances, and lists the duties a Data Principal owes in return.

Chapter 4: Special provisions (Sections 16-17)

This chapter addresses special provisions for the transfer and processing of personal data. Section 16 allows the Central Government of India to restrict the transfer of personal data to notified countries or territories, and Section 17 sets out exemptions from parts of the Act (for example, processing needed to enforce legal rights, certain State functions, and research or statistical purposes), while maintaining a focus on data protection.

Chapter 5: Data Protection Board of India (Sections 18-26)

This chapter describes the Data Protection Board of India ("The Board"), specifying its functions, structure, and salaries of the board members. The Board is established to oversee and enforce the DPDP Act, ensuring compliance and addressing grievances. It comprises a Chairperson and members appointed by the Central Government, tasked with monitoring compliance, adjudicating complaints, and imposing penalties for violations. The Board is required to maintain transparency and periodically report its activities to uphold accountability.

Chapter 6: Powers, functions, and procedures to be followed by the Board (Sections 27-28)

This chapter details the powers, functions, and procedural guidelines for the Data Protection Board of India. Operating as a digital office, the Board has the authority to inquire into breaches, impose penalties, and issue directions to ensure compliance. For its inquiries it has the powers of a civil court in matters such as summoning persons, receiving evidence, and requisitioning records, and it follows the principles of natural justice (a set of principles that ensure fairness and equity in legal proceedings) while addressing complaints and conducting inquiries. Its procedures include summoning individuals, examining evidence, and issuing interim orders, ensuring efficient and fair resolutions.

Chapter 7: Appeal and alternate dispute resolution (Sections 29-32)

This chapter details the mechanisms for appeals (to the Telecom Disputes Settlement and Appellate Tribunal) and alternative dispute resolution, including voluntary undertakings that the Board may accept from a person under inquiry. It aims to ensure digital efficiency and provides methods of redress and settlement for the Data Principal and the Data Fiduciary.

Chapter 8: Penalties and adjudication (Sections 33-34)

Here, penalties and adjudication procedures for violations are covered. Penalties are imposed only after an inquiry in which the person concerned has been given an opportunity to be heard, and the Board considers factors such as the nature, gravity, and duration of the breach, the type of personal data affected, whether the breach is repetitive, and any mitigating action taken when determining the amount.

Chapter 9: Miscellaneous (Sections 35-44)

This final chapter covers important legal and procedural details. It grants legal protection to the Central Government and the Data Protection Board for actions taken in good faith. The government can call for information from the Board or a Data Fiduciary, direct that access to information be restricted in the public interest, and clarify how the Act operates alongside other laws. It is also empowered to make rules under the Act, which must be laid before each House of Parliament. Existing laws (including the Information Technology Act, 2000 and the Right to Information Act, 2005) are amended to align with this framework.

Penalties for violations under the DPDP Act

  1. Failure to take reasonable security safeguards to prevent a personal data breach
    • Penalty: Up to INR 250 crores.
    • This, the highest penalty in the Act, is imposed on a Data Fiduciary that fails to implement reasonable security safeguards and thereby allows unauthorized access, disclosure, or loss of personal data. The aim is to deter lapses in data security and ensure that stringent measures are in place to protect personal information.
  2. Failure to notify a personal data breach
    • Penalty: Up to INR 200 crores.
    • Organizations are obligated to notify the Data Protection Board of India (DPBI) and each affected Data Principal in the event of a personal data breach, in the form and manner prescribed by the rules. Failure to do so can result in a significant penalty, emphasizing the importance of transparency and timely communication in data breach incidents.
  3. Breach in observance of additional obligations in relation to children
    • Penalty: Up to INR 200 crores.
    • This penalty applies when organizations fail to comply with the additional safeguards required for processing children's data, such as obtaining verifiable parental consent and refraining from tracking, behavioural monitoring, or targeted advertising directed at children. Given the sensitive nature of children's personal data, the Act mandates stricter measures to ensure their protection.
  4. Breach of additional obligations of a Significant Data Fiduciary
    • Penalty: Up to INR 150 crores.
    • Significant Data Fiduciaries are Data Fiduciaries notified as such by the Central Government, based on factors including the volume and sensitivity of the personal data they process and the risk their processing poses to Data Principals' rights. They carry additional obligations under the Act, such as appointing a Data Protection Officer and an independent data auditor and conducting periodic Data Protection Impact Assessments. Non-compliance can lead to substantial penalties, highlighting the need for enhanced accountability among major data handlers.
  5. Breach of duties under section 15
    • Penalty: Up to INR 10,000.
    • Section 15 sets out the duties of Data Principals, not Data Fiduciaries: to comply with applicable laws while exercising their rights, not to impersonate another person, not to suppress material information when providing personal data, not to file false or frivolous grievances, and to furnish only verifiably authentic information when requesting correction or erasure. The modest penalty reflects that these duties fall on individuals.
  6. Breach of voluntary undertakings
    • Penalty: Corresponding to the breach for which the proceedings were instituted.
    • If a person fails to honour a voluntary undertaking accepted by the DPBI, the Board may treat the failure as a breach and impose the penalty applicable to the underlying violation. This ensures that commitments made to the regulator are taken seriously.
  7. Other breaches
    • Penalty: Up to INR 50 crores.
    • For any other violation of the Act or the rules made under it not specifically covered by the categories above, the DPBI can impose penalties of up to INR 50 crores. This broad provision ensures comprehensive enforcement of the Act's mandates.

Who enforces the Act?

The Data Protection Board of India (DPBI) is the regulatory authority responsible for ensuring compliance with the DPDP Act. It has the power to:

  • Inquire into personal data breaches and complaints of non-compliance, on a complaint, a reference from the Central Government, or a court direction.
  • Direct a Data Fiduciary to take urgent remedial or mitigation measures in the event of a personal data breach.
  • Summon persons, receive evidence, and requisition records in the course of an inquiry.
  • Impose monetary penalties for non-compliance after an inquiry.
  • Issue directions to the persons concerned, who are bound to comply, and accept voluntary undertakings in place of proceedings.

Note that the Board does not itself frame rules: the detailed requirements of the Act (forms of notice, breach notification procedures, and so on) are prescribed by rules made by the Central Government.

By maintaining oversight and enforcement, the DPBI aims to foster a secure and accountable data protection environment, encouraging responsible data management while safeguarding individuals' privacy.

How should CISOs prepare to comply with the DPDP Act

If you're a CISO wondering how to prepare your organization to comply with the DPDP Act, here are some policies you can start establishing for your organization as soon as you can.

1. Data privacy and protection policy: Establish a robust data privacy and protection policy that governs the collection, processing, storage, and sharing of personal data in alignment with DPDP principles, including the notice that must accompany every consent request and the management of consent and its withdrawal.

2. Data breach response policy: Develop a comprehensive data breach response policy detailing the steps for detecting, investigating, and containing breaches, and for notifying the DPBI and each affected Data Principal in the form and within the timeframe prescribed by the rules.

3. Data retention and deletion policy: Define clear data retention and deletion policies, ensuring secure deletion of unnecessary data and compliance with the storage limitation principle (retain personal data only as long as necessary, then securely delete or anonymize it).

4. Third-party data processing policy: Set guidelines for selecting, managing, and monitoring third-party vendors to ensure compliance with the DPDP Act and conduct regular audits to verify their adherence to adequate security measures.

5. Data Principal rights management policy: Create a policy that outlines procedures for handling requests from Data Principals to access information about the processing of their data, to correct or erase it, to lodge grievances, and to nominate another person to exercise these rights, with clear response timelines and proper communication of Data Principals' rights. (Unlike the GDPR, the DPDP Act does not grant a right to data portability.)

In addition to the above, it is also essential that you:

Appoint a Data Protection Officer (DPO): Every Data Fiduciary must publish the business contact details of a DPO or of a person able to answer Data Principals' questions about the processing of their data. If the organization is notified as a Significant Data Fiduciary, it must appoint a DPO based in India who represents it under the Act, is the point of contact for the grievance redressal mechanism, and is responsible to the board of directors or similar governing body. In practice the DPO oversees data protection activities, monitors compliance, manages budgets and compliance tools, advises executives, and handles Data Principal requests.

Conduct DPIAs: A Significant Data Fiduciary must carry out periodic Data Protection Impact Assessments (DPIAs) and audits. Even where not mandated, conduct a DPIA for high-risk processing activities, such as the collection of biometric or other high-sensitivity data, the adoption of new data collection technologies, and large-scale profiling, and ensure adequate measures are in place to mitigate the risks to Data Principals' rights.

Metrics to track whether DPDP is being implemented successfully

Once DPDP requirements are implemented within the organization you can use the following metrics to track if you're successfully complying with the DPDP Act.

  • Compliance audit results: Regular internal and external audits to assess compliance, identify non-compliance issues, and track corrective actions to closure.
  • Data Principal request fulfillment: Track the number and types of Data Principal requests (access, correction, erasure, grievances, nominations) received and the share fulfilled within the stipulated timeframes.
  • Incident response and breach reporting: Monitor personal data breaches, time to detection and containment, time to notification of the DPBI and affected Data Principals, and the effectiveness of the incident response plan.