What is India’s Digital Personal Data Protection (DPDP) Act, 2023?

Are you aware of India’s Digital Personal Data Protection (DPDP) Act?

India’s Digital Personal Data Protection (DPDP) Act is crucial legislation in today’s data-driven world.

It serves as a shield for individuals’ digital footprint and aims to protect their rights while regulating data processing.

The law, enacted in 2023, is not just a piece of legislation but a comprehensive framework establishing a strong and effective system for protecting personal data in India.

This article discusses India’s Digital Personal Data Protection Act and the obligations it places on the businesses to which it applies.

What is India’s Digital Personal Data Protection Act?

Early in August 2023, the Digital Personal Data Protection Act was passed. The act is anticipated to take effect in July 2024 after being notified by the government. The law lists the responsibilities and rights of data fiduciaries and data principals. 

The Digital Personal Data Protection Act also establishes fines for data breaches and introduces a new category of data fiduciaries called significant data fiduciaries. The DPDP Act recognizes verifiable consent for children and persons with disabilities.

The India DPDP Act does not specify the requirements for each processing contract. It only states that there needs to be a legitimate contract.

On the other hand, the GDPR specifies many items that a well-drafted Data Sharing Agreement (DSA) must have. These include the agreement’s purpose, data transfer, storage, and protection, among many others.

India’s DPDP opening text explains that the law aims to protect individuals’ rights and provide a framework for organizations processing digital personal data.

[Image: Digital Personal Data Protection Act text]

The DPDP Act uses terminology distinct from global data protection regulations, such as GDPR. To fully comprehend the new law, one must familiarize oneself with its essential language.

1. Digital Personal Data

Digital information that can be used to identify a specific person is known as digital personal data. This can include names, email addresses, mailing addresses, bank account information, and many other pieces of information.

2. Data Fiduciary

Anyone who decides how and why personal data is processed (used) is a data fiduciary. A data fiduciary is comparable to a “data controller” under the GDPR.

An example of a data fiduciary would be an Indian food ordering app that uses a third party to handle sales and gathers personal data from users to fulfill orders.

According to India’s DPDP, a data fiduciary is any individual or group that determines the purposes and means of processing personal data:

[Image: Data fiduciaries under the DPDP Act]

3. Data Principal

The people to whom personal data belongs are known as data principals. The term also covers parents of minors and guardians of persons with disabilities.

A data principal is similar to a “data subject” as defined by the General Data Protection Regulation (GDPR), the primary consumer privacy law of the European Union (EU).

For instance, an eight-year-old and his mother could both be considered data principals if their information was used to access an online app.

In India, the DPDP’s first chapter outlines the legal definition of a data principal as follows:

[Image: Data principal definition]

4. Data Processor

Anyone who collects, records, organizes, stores, shares, adapts, discloses, destroys, or uses personal data in any other way is called a data processor. Under India’s DPDP, anyone who handles personal data on behalf of a data fiduciary is considered a data processor.

For example, a data fiduciary could be a retail store proprietor who gathers consumer phone numbers for follow-up correspondence. If the business buys software to arrange and store the phone numbers, the software provider might be regarded as a data processor.

A data processor is defined in Chapter 1 of the India DPDP as an individual who processes personal data at a data fiduciary’s request.

5. Significant Data Fiduciary

A significant data fiduciary is one whose data processing operations satisfy specific requirements.

If an organization participates in any of the following data processing activities, the Indian government may designate it as a significant data fiduciary:

  • Handles substantial volumes of personal data
  • Handles sensitive personal information
  • Handles data that puts the data principals’ rights in danger
  • Poses a possible threat to public order, democracy, state security, and the integrity or sovereignty of India

6. Data Protection Officer

The data protection officer (DPO) is the person in charge of ensuring that an organization’s data protection procedures comply with applicable laws.

Under the India DPDP, a DPO is in charge of answering data principals’ inquiries about the processing of their personal data.

According to Chapter 10 of the DPDP Act, a data protection officer is somebody designated by a significant data fiduciary who serves as the point of contact for grievance redressal.

[Image: Data principals’ rights under the India DPDP Act]

Who Must Comply With The Digital Personal Data Protection Act?

The Digital Personal Data Protection Act applies to data processors and data fiduciaries handling digital personal data in India, including significant data fiduciaries.

It also applies to businesses that handle digital personal data outside of India and provide goods or services to data principals.

For instance, the India Digital Personal Data Protection Act would apply to a US-based business that markets its services to Indian citizens, offers digital courses, and handles their personal data.

According to Section 3 of the DPDP Act, it is applicable to any outside firm that provides goods or services to Indian data principals and processes their personal data outside of India, as well as any organizations that process digital personal data within India:

[Image: Section 3 applicability text of the Digital Personal Data Protection Act]

What Are The Data Fiduciary Rights Under The India DPDP Act? 

The following are the data fiduciary obligations under India’s Digital Personal Data Protection Act.

1. Data Minimization

Only gather the information needed for the stated purpose. If the data principal withdraws consent or the data is no longer needed, delete it, and ensure that any data processor erases the personal information as well.

2. Purpose Limitation

Data fiduciaries must restrict the use of personal information to the particular purpose for which consent was sought. However, if the data principal voluntarily provided the personal data and did not indicate that they object to its processing, the data fiduciary may process the personal data without obtaining express consent.

If the data principal has given prior consent or if the personal data is already in their database, data fiduciaries are permitted to use personal data for a variety of purposes, such as following legal requirements and court orders, processing by the state or its agencies to provide benefits, subsidies, certificates, licenses, or permits, among other uses. 

Additionally, they may utilize personal information to carry out official duties, preserve public order, respond to medical crises, and safeguard India’s sovereignty, integrity, and security.

3. Privacy Notice

Requests for permission and privacy notices must be available in all of the languages listed in the Indian Constitution’s eighth schedule, in addition to English. They ought to be presented in an understandable and accessible way, and the privacy notice ought to be clear and concise.

The DPDP Act requires data fiduciaries to include a privacy notice with their request for consent. Both the request and the notice should contain details regarding the following:

  • The kinds of personal information gathered and the particular uses of that information
  • The procedure for exercising consumer rights
  • The process for withdrawing consent
  • How to lodge a complaint with the Data Protection Board

4. Consent

Data fiduciaries cannot process personal data without the individual’s consent unless they have a legitimate purpose or are exempt from the law. Individuals have the right to change their minds and revoke their consent at any time.

It’s important to provide a simple and convenient way to withdraw consent. For minors or individuals with disabilities, consent must be obtained from their parents, legal guardians, or legal representatives. The law defines a child as a person under the age of eighteen.

5. Data Affecting Data Principals

Suppose you are going to share personal information with another data fiduciary or process it in a way that could be used to make decisions impacting the data principal. In that case, the data fiduciary must guarantee its accuracy, completeness, and consistency.

6. Implement Security Measures

To prevent data breaches, data fiduciaries must implement appropriate security measures, including organizational and technical safeguards, to ensure adherence to this privacy law’s requirements and other regulations.

7. Redressal Mechanisms

Data fiduciaries need to establish practical and efficient channels for redress. The privacy notice should indicate how customers can exercise their rights and designate a grievance coordinator. They should also respond to customer inquiries in a timely manner.

Publicize the identity of the Data Protection Officer or any other person with the authority to respond to inquiries or address issues on behalf of the data fiduciary.

8. Prohibitions Concerning Children

Children cannot be tracked, have their conduct monitored, or be the target of advertising unless approved by the national government. A child is a person who is younger than eighteen.

The law requires data fiduciaries to refrain from processing children’s data if it could have negative consequences.

9. Reporting of Breaches

Data fiduciaries must report all data breaches in a timely manner to both the impacted party and the Data Protection Board.

10. Other Obligations

Businesses must comply with any notifications issued by the Indian government that restrict data transfers to other nations. Establish a contract with your data processors and any other relevant third parties.

Define each party’s rights and ensure that they follow the DPDP Act. Fulfill customer requests in a timely manner.

What Are The Data Principal’s Rights Under The India DPDP Act? 

The rights of the data principals are listed in Chapter III of the DPDP Act. 

[Image: Data principals’ rights under the India DPDP Act]

1. Right to Access

The data principal can obtain a description of the data fiduciary’s processing activities, a summary of the personal data being processed, and any other information about the processing of such data.

Additionally, they have the right to know the identities of all data processors and fiduciaries with access to their personal information.

2. Right to Rectification

A data principal can request the following actions in relation to personal data that a data fiduciary has obtained about them:

  • Correct any errors.
  • Update their personal information.
  • Complete their personal information.

When a data fiduciary receives one of these requests, it must act within the prescribed time limit.

3. Right to Erasure

A data principal is entitled to the deletion of their personal information. However, if erasing personal data is required to comply with legal requirements or to satisfy the specific purpose for which it was gathered, the business or data fiduciary is not required to do so. 

4. Right to Grievance Redressal

Data principals are entitled to an easily available grievance redressal system to address concerns about an act or omission of data fiduciaries’ duty or enforcing the data principal’s rights. 

The data principal is not permitted to file a complaint with the Data Protection Board until their dispute has been resolved through this method. 

5. Right to Nominate

A data principal can designate a person to exercise their rights under this legislation in the event of their death or mental or physical incapacity.

Consent is revocable at any time by the data principal; however, the data principal bears the consequences of that revocation.

If consent is revoked, the data fiduciaries must cease processing the principal’s personal information and direct the data processors to do the same.

Business Obligations Under the DPDP Act 

The following are the business obligations under the DPDP Act.

Data Fiduciaries:

  • Transparency and Consent: Businesses that determine the purpose and means of processing personal data (Data Fiduciaries) must be transparent about their data practices and obtain user consent before processing their data (with some exceptions).
  • Security: Data Fiduciaries are responsible for implementing reasonable security safeguards to protect personal data from unauthorized access, disclosure, modification, or destruction.
  • Data Breach Notification: In case of a data breach, Data Fiduciaries must promptly notify the Data Protection Board and affected individuals.
  • Right to Access & Erasure: Individuals can access their personal data held by a Data Fiduciary and request its erasure (with some exceptions, like data required for legal purposes).

Data Processors:

  • Compliance with Instructions: Data Processors who process data on behalf of Data Fiduciaries must comply with the Fiduciary’s instructions and applicable regulations.
  • Security Measures: Similar to Data Fiduciaries, Data Processors must also implement security measures to protect personal data.

Additional Points:

  • Significant Data Fiduciaries: Businesses processing a large volume of sensitive personal data might have additional obligations, such as conducting data protection impact assessments.
  • Exemptions: The Act might not apply to some government entities, depending on the specific circumstances.

How Can Business Organizations Comply with India’s DPDP Act?

To comply with India’s DPDP Act, you must obtain consent from your users before placing cookies on their devices to track their online behavior. To obtain user consent, you can use a plugin that will help you request and keep track of the user’s approval.

Along with getting consent, you should also have a privacy policy that explains to your users why you are using cookies and how they can request the deletion of their information. You can use a tool to create a privacy policy quickly.

WP Cookie Consent plugin

WP Cookie Consent is a free WordPress plugin that will help you create cookie banners for your website. The plugin can greatly assist in maintaining compliance with the DPDP Act. Here’s how:

  • Obtaining explicit consent for data processing.
  • Raising user awareness about cookie usage.
  • Offering granular consent options.
  • Recording and storing user consent preferences.
  • Generating compliance reports for accountability.

This approach ensures transparency, user rights protection, and adherence to the India DPDP Act’s requirements.

Creating a Privacy Policy for Your Business Website

WP Legal Pages Plugin

WP Legal Pages is a legal policy generator that can help you quickly create legal pages for your website. The plugin provides more than 35 legal templates. It also provides customizable privacy policy templates that cater to the specific requirements of the DPDP Act.

This ensures that businesses have a detailed and compliant privacy policy in place. The plugin helps in maintaining compliance with India’s Data Protection and Privacy Laws (DPDP Act) in the following ways:

  • Providing customizable privacy policy templates.
  • Inclusion of comprehensive user rights information.
  • Facilitating the creation of an explicit cookie policy.
  • Outlining detailed disclosures regarding data processing activities.
  • Offering consent mechanisms for data processing.

This approach ensures transparency, user rights protection, and alignment with the DPDP Act’s requirements in India.

FAQ 

1. What is The DPDP Act? 

The Digital Personal Data Protection Act protects individuals’ rights over their personal information. The law was passed in 2023.

2. How to Comply With The DPDP Act?

To comply with the DPDP Act, you can use WP Legal Pages, a WordPress plugin that addresses all your compliance needs in one go.

3. What Are The Top Privacy Laws That Affect Your Business Website?

The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) are some of the top privacy laws that affect your business website.

Conclusion 

Businesses that comply with India’s Data Protection and Privacy Law (DPDP) are responsible for protecting the personal data they process and granting data principals certain rights over their data.

The act applies to entities that process digitalized personal data within India and businesses outside the country that supply goods or services to data principals located in India.

To comply with the India DPDP Act, we recommend that you use the WP Legal Pages compliance platform. These plugins will help you comply with all the data protection regulations in one place.

Are you excited to comply with data privacy law? Grab WP Cookie Consent and WP Legal Pages now!