Digital Personal Data Protection Act 2023

Secure your business from non-compliance to the DPDPA 2023 (Digital Personal Data Protection Act 2023)

OVERVIEW

Understanding India's Digital Personal Data Protection Act 2023

The Personal Data Protection Bill was passed by the Ministry of Electronics and Information Technology in 2019 to protect the fundamental right of every Indian citizen to privacy. It was amended in 2023 and relabelled the "Digital Personal Data Protection Act 2023". It is based on the principles of the global standard for personal data protection, GDPR, and emphasizes that entities must build privacy into their business processes and technologies.

The regulation defines fiduciaries based on the volume and sensitivity of the personal data they process, their turnover, and whether they have caused a risk of harm through any ongoing processing, any processing they have undertaken, or any new technology they have used for processing.

The bill categorizes sensitive personal data, including financial data, biometric data, religion, caste, or any other category specified, and punishes non-compliance.

SUBJECTED DATA

Types of data subjected to this regulation

As per the Digital Personal Data Protection Act 2023, personal data is categorized in the following manner:

  • Name 
  • Contact Details 
  • Address  
  • Education Details
  • Work Place
  • Profession
  • Financial data
  • Biometric data
  • Genetic data
  • Health data
  • Official identifier
  • Sexual orientation
  • Transgender status
  • Caste or Tribe
  • Religious or Political belief
  • Any data that may be defined
  • Any data announced as critical personal data by the Central Government of India

APPLICABILITY

To whom does the Digital Personal Data Protection Bill India apply?

The Personal Data Protection Bill 2019 applies to the following entities: 

  • Private Companies
  • Companies that were incorporated in India or have a registered place of business within India
  • Data Processors
  • Any Corporate bodies
  • An entity that offers goods or services or both to individuals in India
  • Government organizations, including state entities
  • Foreign companies that deal with the personal data of Indians
  • Partnership firms
  • Data Fiduciaries
  • An entity that profiles individuals in India

REQUIREMENTS

What are the requirements of DPDPA 2023? 

  • All data labelled critical personal data can only be processed in India. The bill provides for punishment of entities that transfer personal data outside India (with the data continuing to be stored in India) without the explicit consent of the people to whom the data belongs.

  • It requires every fiduciary to have a Privacy by Design (PbD) certification and to display that certification on their website. Additionally, it mandates that all complaints made by the Data Protection Authority (DPA) must be resolved within 30 days.

  • As per the DPDPA 2023, data controllers must:

  1. Provide data subjects with a notice that describes the kind of data processed, the purpose of processing, the method used to exercise data subject rights and make complaints to the regulator, and the contact details of the data protection officer.
  2. Erase personal data once they find that consent has been withdrawn by the respective individuals, and retain data as per government guidelines.
  3. Report data breaches and other cyber incidents to CERT-In (Computer Emergency Response Team - India), with at least two reports per incident.
  4. Ensure that processors implement measures to secure personal data and erase data based on the government's guidelines.
  5. Only process a child's personal data after obtaining the parents' verifiable consent.

NON-COMPLIANCE RISKS

What are the consequences of non-compliance? 

The following are the consequences of non-compliance with the Indian Personal Data Protection Bill 2019:

  • Any form of processing or transfer of personal data: ₹15 Crore or 4% of annual turnover
  • Failure to conduct a data audit: ₹5 Crore or 2% of annual turnover
  • Re-identification and processing of de-identified personal data without the consent of the individual(s): ₹5 lakh or 3 years imprisonment
  • Failure to comply with the requests of data principals: ₹10 lakh penalty

SOLUTION

How can SharkStriker help you become Digital Personal Data Protection Act 2023 compliant?

Organizations subject to the Digital Personal Data Protection Act 2023 struggle to keep up with the updates because of limited teams and having to deal with multiple experts for cybersecurity and compliance.

SharkStriker solves this by offering compliance-centric cybersecurity services that address the gaps in the posture using the best practices recommended in the Digital Personal Data Protection Act 2023. Its platform STRIEGO is designed to make adherence to compliance smoother with automated features for vulnerability management and compliance.

APPROACH

SharkStriker Approach 

SharkStriker follows a systematic approach to compliance. It includes the following steps:

Risk Assessment

The process starts with assessing the security posture for security weaknesses and loopholes using real-world techniques with Vulnerability Assessment and Penetration Testing. Based on the assessment, we categorize the risks by severity and prepare a detailed report with suggestions to treat risks across the posture.

Gap Assessment

The next step is to look for cybersecurity and compliance gaps across the posture against the recommended guidelines.

Risk Treatment Plan

Based on the cybersecurity and compliance risks identified in the gap assessment, we prepare a detailed risk treatment plan with the expertise, security controls, processes, and technology required to treat the risks.

Implementation

We implement the risk treatment plan with the planned expertise, processes, and technology.

Post Implementation Audit

To identify errors in the implementation (if any), we conduct a post implementation audit and address all the gaps found in the audit.

Training & Awareness

We conduct an awareness assessment across the organization and prepare training programs/modules that address the gaps in awareness.

Get security and compliance experts to meet your DPDPA compliance goals
