DPDP India
What is DPDP India?
The Digital Personal Data Protection Act (DPDP) 2023 is a landmark legislation aimed at safeguarding personal data in India. It applies to online and offline data collected and used by companies within India, and also to foreign firms serving Indian customers. DPDP outlines key principles such as data minimization and transparency, along with stringent compliance requirements and penalties for non-adherence. Enacted to ensure the lawful and fair processing of personal data, DPDP India shares similarities with global counterparts like GDPR, emphasizing the protection of personally identifiable information (PII).
Overview of DPDP India
- Law: Digital Personal Data Protection Act
- Region: India
- Signed On: 11 August 2023
- Industry: All industries that do business in India
Personal Data Under DPDP India
Personal data encompasses any information that relates to a natural person who can be directly or indirectly identified, alone or in combination with other information. Here is a breakdown of the types of personal data typically covered by the law:
- Basic Identifiers: Name, address, phone number, email address, and unique identifiers.
- Demographic Data: Date of birth, gender, marital status, and information about dependents.
- Financial Information: Bank account details, credit card information, and income data.
- Geolocation Data: Physical location data obtained through GPS or IP address.
- Online Identifiers: Usernames, passwords, browsing history, and social media profiles.
- Opinions and Beliefs: Political views, religious beliefs, and personal opinions.
- Sensitive Personal Data: Information such as biometric data, genetic data, health information, caste, religion, and sexual orientation.
Key Components
- Data Protection Principles: DPDP lays down nine data protection principles, including transparency, purpose limitation, data minimization, and accountability, which guide all data processing.
- Data Fiduciaries: Organizations handling personal data are categorized as “Data Fiduciaries” and have specific obligations under the Act.
- Consent and Rights: Individuals have the right to access, correct, erase, and transfer their data, requiring robust consent mechanisms from Data Fiduciaries.
- Data Governance: The Act establishes the Data Protection Board (DPB) to oversee compliance and enforce regulations.
Data Protection Principles
- Fairness and Transparency: Personal data must be processed lawfully and fairly, and individuals must be provided with clear information about its usage.
- Purpose Limitation: Limit data collection and processing to specific, explicit, and legitimate purposes.
- Data Minimization: Only the minimum personal data necessary for stated purposes can be collected and processed.
- Storage Limitation: Limit data retention periods to what is necessary for processing purposes.
- Integrity and Confidentiality: Protect data against unauthorized access, modification, or disclosure.
- Accountability: Data Fiduciaries are accountable for complying with the Act and ensuring data security.
Who Needs to Comply?
The DPDP applies broadly to any entity processing the personal data of individuals within India, regardless of the entity’s location or nationality. This means the following must comply:
- Government Agencies
- Third-Party Processors
- Non-Profit Organizations
- Startups and Small Businesses
- Indian companies and subsidiaries of global companies
Exceptions
Key exemptions include government processing for national security, defense, public order, sovereignty protection, law enforcement, legal functions, research, archiving, and statistical purposes. Other exemptions cover personal and domestic use, journalistic purposes, and processing data of deceased individuals for specific purposes such as legal claims or public interest.
Noncompliance Fines
Violations of the DPDP can attract significant fines, with penalties ranging from ₹10,000 to ₹250 crore, and imprisonment for up to three years for serious offenses. The different types of DPDP non-compliance fines are as follows:
Breach of Duty by Data Principals: Individuals violating their obligations under DPDP face fines of up to ₹10,000.
Breach of Duty by Data Fiduciaries: Data Fiduciaries responsible for the following offenses can be penalized:
- Failure to take reasonable security safeguards: fine of up to ₹150 crore.
- Non-compliance with consent requirements: fine of up to ₹50 crore.
- Failure to notify the DPB and affected individuals of a data breach: fine of up to ₹200 crore.
- Non-compliance with obligations for children’s data: fine of up to ₹200 crore.
- Other violations: fines ranging from ₹1 crore to ₹250 crore, depending on the severity.
Compliance Authority
Oversight of DPDP compliance rests with the independent Data Protection Board (DPB). This statutory body registers Data Fiduciaries, promotes data protection awareness, conducts audits, and enforces the Act by imposing penalties for non-compliance. From investigating complaints to issuing guidelines, the DPB plays a critical role in upholding individuals’ data rights and holding organizations accountable.
In an era where data privacy is paramount, DPDP India is a pivotal framework in safeguarding individuals’ personal information. With its robust principles and regulations, DPDP India underscores the importance of responsible data handling and processing. As organizations navigate the complexities of compliance, adopting proactive measures such as data masking to mitigate risks and uphold data privacy standards becomes imperative.
FAQ
What is DPDP India, and to whom does it apply?
DPDP India, the Digital Personal Data Protection Act, aims to safeguard individuals’ data and govern its processing by government and private entities. It applies to all entities processing personal data in India, regardless of size or sector.
How does DPDP India define personal data?
DPDP India defines personal data broadly, encompassing any information relating to an identifiable individual, including sensitive personal data such as biometric or genetic data.
Does DPDP India apply to international organizations processing Indian data?
Yes, DPDP India extends its jurisdiction to international organizations processing the personal data of individuals in India, ensuring comprehensive protection of Indian citizens’ data regardless of where it’s processed.