After years of debate, consultation, and delay, the Central Government of India enacted the Digital Personal Data Protection Act, 2023 (DPDP) on August 11, 2023. In the final week before enactment, the Act moved rapidly through both houses of Parliament and then received the assent of President Droupadi Murmu, after which it was published in the official Gazette.
India is the 19th member of the Group of 20 (G20) to pass a comprehensive data protection law. Borrowing from the EU's General Data Protection Regulation (GDPR), the DPDP defines "personal data" broadly and applies to a wide range of organizations.
This article will analyze the scope of the DPDP, define who the act applies to, and discuss essential terms, provisions, and exemptions in more detail.
What is the Indian Digital Personal Data Protection Act?
The Indian Digital Personal Data Protection Act (preceded by the Digital Personal Data Protection Bill) establishes a national framework for protecting personal data.
The framework protects the personal data of data principals and restricts the activities of data fiduciaries. In many ways, the DPDP replaces the limited data protections previously afforded by the Information Technology Act, 2000 (as amended in 2008) and the rules made under its section 43A, and bolsters India's overall privacy law.
In addition to setting out requirements for data security and data privacy, the DPDP also established the Data Protection Board of India to enforce its provisions. This adjudicatory body has the power to inquire into complaints, issue directions, and impose monetary penalties, but it cannot issue guidance or make new regulations. All rule-making powers under the DPDP remain with the Central Government of India.
Who Does the Indian Digital Personal Data Protection Act Apply To?
The DPDP's scope of application is extensive. The Act protects the personal data of all data principals and restricts the activities of all data fiduciaries, whether they are individuals, companies, or other entities. It applies to the processing of digital personal data within India, and also to processing outside India where it is connected with offering goods or services to data principals in India.
Under the DPDP, “data principal” refers to individuals whose personal data is being collected, stored, or otherwise interacted with. This term is essentially the same as a “data subject” under the EU’s GDPR.
Note: The Act explicitly provides that, where the personal data of a child is processed, "data principal" includes the child's parents or lawful guardian, and where the personal data of a person with a disability is processed, it includes that person's lawful guardian.
A data fiduciary is any person who, alone or together with others, determines the purpose and means of processing personal data; it is the DPDP's equivalent of a data controller under the GDPR. The definition covers organizations of any size, including startups, and it applies whether the fiduciary processes data itself or engages data processors and other third-party service providers to store or otherwise process personal data on its behalf.
Significant Data Fiduciaries
The Central Government of India also used the DPDP to outline a new class of data fiduciaries. The government determines significant data fiduciaries based on assessments of relevant factors such as:
- The volume and sensitivity of personal data
- Risk to the rights of a data principal
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State, and
- Public order
After the Central Government classifies a fiduciary as a significant data fiduciary, that data fiduciary must meet additional obligations, including appointing a data protection officer.
While the DPDP only applies to digital personal data or personal data that a data fiduciary has subsequently converted to digital form after collection, the act’s definition of personal data is expansive.
Under the act, personal data includes any information related to an individual that entities could use to identify the individual.
What Rights Does the DPDP Grant to Data Principals?
The Indian government enacted the DPDP to protect personal data against misuse and breaches and to extend data privacy rights to all applicable data principals. Under the Act, data principals possess the following fundamental rights:
- The right to give consent for the processing of personal data
- The right to withdraw consent for the processing of personal data
- The right to access information about personal data
- The right to erasure and the right to correct, update, and complete personal data
- The right to readily available grievance redressal in the event a data fiduciary fails to carry out their obligations under the act
- The right to nominate any other individual to carry out their data principal rights in the event of death or incapacity
Under What Circumstances Can Data Fiduciaries Process Personal Data?
In Chapter II, the DPDP explicitly sets out the lawful grounds for processing personal data. A data fiduciary may process personal data only with the data principal's consent, or for certain "legitimate uses" listed in the Act (for example, where the data principal has voluntarily provided the data for a specified purpose, or for purposes such as employment, medical emergencies, and specified State functions). Where consent is the basis, it must be free, specific, informed, unconditional, and unambiguous, and given through a clear affirmative action.
When a data fiduciary requests consent from a data principal, it must also include the following information in the request:
- The type of personal data that the fiduciary will process and the specified purpose for which the fiduciary will process such data
- An explanation of the process a data principal can follow to withdraw their consent
- An explanation of how the data principal can pursue grievance redressal, including the contact details of the relevant point of contact or consent manager who can assist with the process
- The process the data principal can follow to submit a formal complaint to the Data Protection Board of India
The requirements for processing the digital personal data of children (or persons with disabilities who have a lawful guardian) are similar to those listed above, with one key addition: the data fiduciary must obtain verifiable consent from the child's parent or lawful guardian before processing any such data.
Data fiduciaries processing children's data must also refrain from any processing that is likely to have a detrimental effect on the well-being of a child, and must not undertake tracking or behavioural monitoring of children or direct targeted advertising at them.
What Obligations Does the DPDP Apply to Data Fiduciaries?
The DPDP outlines its obligations for data fiduciaries in Chapter II, Section 8. To achieve compliance with the act, data fiduciaries must:
- Only appoint or involve third-party data processors who are obligated to follow DPDP procedures by a legal contract
- Ensure personal data is complete and accurate before using the data to make a decision that affects the data principal or before participating in the transfer of personal data
- Implement necessary organizational measures and technical protocols to ensure ongoing compliance
- Implement reasonable security safeguards to protect the personal data in its possession or control (including data held by its processors) and prevent personal data breaches
- Notify the Data Protection Board and each affected data principal of any personal data breach
- Safely erase and destroy all personal data upon a data principal withdrawing their consent (unless retention of such data is required by law)
Obligations of Significant Data Fiduciaries
If the Central Government classifies a data fiduciary as a significant data fiduciary, the entity must comply with additional DPDP obligations. Under the law, significant data fiduciaries must appoint a data protection officer and an independent data auditor, and must carry out periodic assessments and audits to demonstrate ongoing compliance.
Data protection officers must meet the following criteria:
- Be able to represent the significant data fiduciary under the provisions of the DPDP
- Be based in India
- Be responsible to the board of directors or similar governing body of the significant data fiduciary
- Be the first point of contact for grievance redressal
Independent data auditors evaluate the significant data fiduciary's compliance with the Act. In addition, the significant data fiduciary must:
- Conduct periodic data protection impact assessments, and
- Conduct periodic audits.
Note: Under the DPDP, a data protection impact assessment is a process that describes the rights of data principals and the purposes of processing, assesses and manages the risks that the processing poses to those rights, and covers any other matters the rules may prescribe. In practice, it is how a significant data fiduciary shows that it respects data principals' rights, processes data only on lawful grounds, manages processing risk, and keeps up with the Act's ongoing compliance demands.
Exemptions Under the DPDP
While it has a broad scope of application, the DPDP also sets out several exemptions, notably for government bodies, courts, and entities enforcing legal rights or the law.
The DPDP denotes exemptions for the following entities:
- The Supreme Court of India or other judicial bodies
- Financial institutions that process personal data after a person has defaulted on a loan or other payment
- Entities that process personal data to pursue the prevention, detection, investigation, or prosecution of any legal offense
Penalties For Non-Compliance
If the Data Protection Board determines, after an inquiry, that a data fiduciary has breached the DPDP, it may impose a monetary penalty for each breach. The maximum penalty for each type of breach is fixed by the Act's Schedule, and the Board sets the actual amount based on the following factors:
- The nature, gravity, and duration of the breach
- The type of personal data affected by the breach
- Repetitive nature of the breach
- Gains or loss avoidance achieved through the breach
- Acts taken to mitigate the impact or consequences of the breach
According to the Act's Schedule, the most severe penalty applies to a data fiduciary that fails to take reasonable security safeguards to prevent a personal data breach: up to 250 crore rupees (2.5 billion rupees, since one crore is ten million).
How Can UpGuard Help Organizations Comply with India’s DPDP?
UpGuard Vendor Risk empowers organizations to ensure DPDP compliance across their entire supply chain. By using Vendor Risk, your organization will have access to flexible security questionnaires, powerful vendor assessment tools, and seamless remediation workflows that allow it to safeguard personal data 24/7.
UpGuard Vendor Risk will also allow your organization to:
- Increase visibility across its supply chain
- Automate its vendor risk assessment process
- Receive real-time risk updates
- Tier vendors based on their criticality and vulnerability levels
- Calculate the impact of remediated risks
- Generate instant reports
- Stay informed on relevant data breaches and industry information
- Monitor all third-party risks in one centralized dashboard
Organizations that process personal data can also utilize UpGuard BreachSight to manage their external attack surface. This comprehensive cybersecurity tool enables organizations to monitor security risks, identify vulnerabilities, and make informed decisions regarding risk remediation based on real-time notifications.