
What is India’s Digital Personal Data Protection Act 2023? Origin, obligations, penalties & more 


As India keeps pace with global growth, the Indian government has passed a law that protects the fundamental right to privacy and personal data. The Digital Personal Data Protection Act 2023 encourages organizations to handle data responsibly and gives individuals more power over their data.

Let us look in detail at what compliance involves.

Digital Personal Data Protection Act 2023: The origin  

The origin of the Digital Personal Data Protection Act 2023 goes back to 2017 when the Supreme Court of India recognized privacy as a fundamental right.  

A year later, the government introduced a draft titled the Draft Data Protection Bill, to protect that right, give power to individuals, and encourage organizations to behave more responsibly and be accountable for the data they handle.

This led to the first Personal Data Protection Bill (PDPB) in 2019. Finally, in 2023, after the approval of the Cabinet, the Digital Personal Data Protection Bill was passed. The rules under the DPDP Act are yet to be released, and the Act is most likely to be enforced by the end of 2024.

Overview: Digital Data Protection Act 2023

The Government of India passed the DPDP Act 2023 to pave the way for secure digital processes, to secure digital personal data, and to encourage organizations to take measures for the security and privacy of personal data.

The measures and best practices it prescribes follow the global standard for data protection, the General Data Protection Regulation (GDPR).

What are some of the primary aspects defined in the regulation? 

Here are some of the primary aspects of the DPDP Act 2023 (DPDP Act 2023, The Gazette of India Extraordinary, Aug 2023): 

Person – as per the DPDP Act, a person can be anyone, including an individual, a Hindu undivided family, a company, a firm, an association of persons or a body of individuals, the State, and every artificial person not falling under any of the preceding categories.

Data Fiduciary – any person who, individually or collectively with other persons, determines the purposes and means of processing personal data (The Digital Personal Data Protection Act 2023).

Data Processor – any person who processes personal data on behalf of a Data Fiduciary.

Data Principal – any individual to whom the personal data relates, including a child (represented by the parents or legal guardian of the child) and a person with a disability (represented by a person acting on their behalf or their legal guardian).

Personal Data – any data that identifies an individual, or any data that relates to the individual.

To whom does the regulation apply? 

The DPDP Act applies to entities including:

  • Any data fiduciary  
  • All the public entities  
  • Entities offering Indian citizens either goods or services or both  
  • Entities that process personal data of citizens for profiling  

and to all private entities, such as:

  • Companies incorporated in India  
  • Companies abroad that deal with the personal data of Indian citizens
  • Corporate bodies 

What kinds of personal data are subject to the DPDP Act 2023?

  • Personal Data 
  • Sensitive Personal Data 
  • Critical Personal Data 

What are the primary obligations under the DPDP Act 2023?

The following are some of the primary requirements placed on the entities subject to the Act. They must:

  • Establish a mechanism for Data Principals to exercise their rights, including the redressal of grievances.
  • Ensure that they have implemented all the measures, including technical measures, needed to secure personal data.
  • Retain and erase data as per the guidelines, including deleting personal data once its purpose has been served.
  • Ensure that data processors are aligned with the requirements of the DPDP Act 2023 before entering into a contract with them.
  • Report data breaches and incidents to the Data Protection Board (DPB) of India.
  • Only process personal data within India with the verifiable consent of the Data Principals, and issue a ‘Notice’ before processing any personal data.
  • Ask for consent only in plain, easy-to-understand language through a notice.

There are only two grounds on which an organization can process personal data:

  • The Data Principal gives free, specific and clear consent, or
  • The data is used for legitimate uses recognized by the Act.

Legitimate uses include: 

  • Data used under any law or judgement
  • Voluntarily given data  
  • Medical emergencies  
  • Law enforcement and public safety 
  • Employment 
  • Common public interest 

What happens if the subject entity/fiduciary does not adhere to the requirements of the DPDP Act 2023?

The following are some of the consequences that an entity/data fiduciary can face for non-compliance: 

  • The Data Protection Board can impose a maximum penalty of ₹250 crore.
  • A penalty of up to ₹250 crore for a data breach.
  • A penalty of ₹10,000 for each instance of non-compliance.
  • Any non-compliance with the additional guidelines for children’s data will result in a fine of ₹200 crore.
