The Digital Personal Data Protection Bill (DPDP) Bill 2023 was recently passed by both houses of the Indian parliament, the Lok Sabha and the Rajya Sabha. This means all enterprises, regardless of turnover or nature of business, need to comply with the Bill which is about to be a mandatory law. It is intended to improve and unify data privacy practices with respect to the data of Indian citizens. The DPDP Bill uses easy-to-understand language and globally used she/her pronouns, which is a positive step towards gender equality and women empowerment. This small but significant change can have a big impact on the lives of women in India.
The DPDP Bill is a landmark piece of legislation that aims to strengthen the fundamental right to data protection across India. It empowers people to gain control over their personal data and set the standard for safer data flow regulations. The Digital Personal Data Protection Bill (DPDP Bill) 2023 sets out a few requirements for data fiduciaries that collect and process personal data in India. The DPDP Bill also includes a provision for a Data Protection Authority (DPA) that will be responsible for enforcing the law within the enterprise in alignment to the bill. The DPA will be independent of the government and will have the power to investigate and punish organizations that violate the law.
The DPDP Bill sets out several rules for data fiduciaries (entities that decide the purpose and means of processing) to follow. These rules include granting data principals (individuals whose personal data is being processed) several rights and freedoms, such as the right to consent to data collection, the right to request deletion of their data, and the right to access their data. To meaningfully respond to these rights, many companies now must put systems and processes into place that previously did not exist.
Since there is no one-size-fits-all blueprint for DPDP compliance, businesses must start by asking themselves, “What do the rules mean for my business?” The answer will vary from company to company, but there are some basic steps that all businesses can take to get started. DPDP compliance is not a snapshot in time; It is an ongoing process that requires businesses to constantly assess their compliance posture and to make changes as needed. Businesses also need to be prepared to respond to data breaches and other incidents that could impact the privacy of personal data. The DPDP bill is a complex piece of legislation, but it is important for businesses to understand the basics of DPDP compliance.
Every business must start with the following consideration when working toward DPDP compliance:
Data Fidicuary Disclosure: Companies must offer a clear description of what data they collect, why they collect it, and how they store and process it. This includes explanations of whom the data is shared with, how long the data is stored and how the data is protected.
Principal control: Companies must grant data principal more control over what happens to their data. data principals are entitled to a copy of their data, if requested. They can also request that their data be deleted, or that amendments be made to incorrect data. Data principal also has the right to consent to whether their data is shared with a third-party company for any purposes other than outsourcing processing.
Third-Party Processors: Any third-party companies and service providers must be compliant with the DPDP as well; otherwise, the Data Fidicuary collecting the data can be held liable. In other words, if you collect user data by the book but outsource processing to a noncompliant company, you could remain on the hook for violations. This includes consideration of third-party cookies and how they might collect and track general data.
Principles underlying the DPDP Bill
The DPDP Bill is designed to protect the privacy of individuals and to ensure that personal data is collected and used in a lawful and transparent manner. The principles underlying the DPDP Bill are designed to strike a balance between protecting user rights and enabling innovation and investment.
Principle of lawful, fair and transparent usage of personal data: This principle states that personal data can only be processed if it is lawful, fair, and transparent. This means that data fiduciaries must have a legitimate reason for collecting and processing personal data, and they must inform individuals about how their data is being collected and used.
Principle of purpose limitation: This principle states that personal data can only be used for the purpose for which it was collected. This means that data fiduciaries cannot use personal data for any other purpose without the consent of the individual.
Principle of data minimization: This principle states that only the minimum amount of personal data necessary for the specified purpose should be collected. This means that data fiduciaries should not collect more personal data than they need.
Principle of data accuracy: This principle states that personal data must be accurate and up to date. This means that data fiduciaries must take reasonable steps to ensure that the personal data they collect is accurate and up to date.
Principle of storage limitation: This principle states that personal data should only be stored for as long as it is necessary for the specified purpose. This means that data fiduciaries should delete personal data when it is no longer needed.
Principle of reasonable safeguards: This principle states that data fiduciaries must take reasonable security safeguards to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. This means that data fiduciaries should use appropriate security measures to protect personal data.
Principle of accountability: This principle states that data fiduciaries must be accountable for their compliance with the data protection principles. This means that data fiduciaries must be able to demonstrate that they are complying with the law and that they are taking steps to protect personal data.
Digital Personal Data Protection Bill Checklist
It is important for significant data fiduciaries (SDFs) that collect and process large amounts of personal data to take steps to comply with the DPDP Bill to protect personal data and avoid the consequences of non-compliance. Here are some of the specific steps that SDFs can take to comply with the DPDP Bill:
Appoint a data protection officer (DPO): The DPO is responsible for ensuring compliance with the DPDP Bill and for protecting the privacy of individuals. The DPO must be an individual who is independent of the SDF and who has expertise in data protection law.
Appoint an independent data auditor: The independent data auditor is responsible for conducting audits of the data protection practices. The auditor must be an independent organization that is not affiliated with the SDF.
Conduct data protection impact assessments (DPIAs): DPIAs are required for certain processing activities that are likely to have a high risk to individuals' privacy. For example, DPIAs are required for processing activities that involve the collection of sensitive personal data or the use of personal data for automated decision-making.
Implement periodic audits of its data protection practices: SDFs must implement periodic audits of their data protection practices ensuring that they are complying with the law. The audits must be conducted by an independent organization that is not affiliated with the SDF.
Technical security measures: Implementing appropriate technical and organizational security measures to protect personal data.
Notifying data DPA: Notifying data DPA and data principal case of any data breaches.
Additional Obligation for Processing of children’s data
The DPDP Bill places additional obligations on data fiduciaries when processing the personal data of children. These obligations are designed to protect the privacy and interests of children. Some of the additional obligations that data fiduciaries must comply with when processing the personal data of children include:
- Data fiduciaries must obtain parental consent before processing children’s data.
- Data fiduciaries cannot track, target, or process children’s data in a way that is harmful.
- The government may grant exemptions or allow for processing without consent for certain purposes.
- Data fiduciaries must protect children’s data and provide clear information.
- Children must be able to opt out of processing and data fiduciaries must respect privacy.
- In short, data fiduciaries must take special care to protect children’s data and avoid collecting or using it in ways that are not necessary or appropriate.
Transfer of Data outside of India
The transfer of personal data outside of India is a complex issue, and there are several factors that need to be considered. The DPDP Bill provides a framework for regulating the transfer of personal data outside of India, but it is important to note that the government may issue notifications that restrict the transfer of personal data to certain countries. Data fiduciaries can transfer personal data outside India, but only if they meet certain conditions. These conditions include:
- Obtaining consent from the data principal.
- Entering a contract with the recipient of the personal data that includes provisions that ensure the adequate protection of the personal data.
- Not transferring personal data to a country that the government has notified as not having adequate privacy protections in place.
- The government may issue notifications restricting the transfer of personal data to any country or territory outside India. However, this does not restrict the applicability of any other law that provides for a higher degree of protection for personal data or that restricts the transfer of personal data.
Understanding DPDP Bill Violations: Fines and Penalties
The DPDP Bill imposes a few obligations on data fiduciaries, including the need to obtain consent from individuals before processing their personal data, to take reasonable security measures to protect personal data, and to notify individuals of any data breaches. The penalties for failing to comply with DPDP are potentially steep. Here are some additional details about the penalties for non-compliance with the DPDP Bill:
Civil penalties: The Data Protection Authority of India (DPAI) can impose civil penalties of up to ₹250 crore (approximately US$300 million) for non-compliance with the DPDP Bill.
Criminal penalties: The DPDP Bill also provides for criminal penalties for certain types of non-compliance, such as wilful or negligent breaches of security safeguards that lead to a data breach. The penalties for criminal offenses under the DPDP Bill can include imprisonment of up to three years and/or fines of up to ₹1 crore (approximately US$1.3 million).
Damages: Individuals who suffer harm because of non-compliance with the DPDP Bill may be able to sue for damages. The number of damages that can be awarded will depend on the specific circumstances of the case, but it could be significant.
Loss of reputation: Non-compliance with the DPDP Bill could damage the reputation of a data fiduciary and make it more difficult to do business.
Tips for DPDP compliance
Compliance with the Digital Personal Data Protection Bill (DPDP) can be daunting, but it is important for businesses to take steps to protect the personal data of their customers and employees. By following the tips in this article, businesses can make the process of compliance more manageable and achievable. Data governance is an ongoing process that requires constant monitoring and improvement. By following the steps outlined below, enterprises can set up data governance in their organization and protect their data from unauthorized access, use, or disclosure.
Here are the steps involved in the implementation process for the Digital Personal Data Protection Bill 2023 (DPDP Bill):
As-is analysis: The first step in the implementation process is to conduct an as-is analysis of your organization data protection practices. This means understanding what data you collect, how you collect it, and how you use it. This will help you to identify any gaps in your current practices and to develop a plan for remediation.
- Data discovery : Once you have a good understanding of your current data protection practices, you need to conduct a data discovery exercise. This means identifying all the personal data that you collect, store, and process. This can be a complex and time-consuming process, but it is essential to have a good understanding of your data before you can start to comply with the DPDP Bill.
- Data flow : Once you have identified all your personal data, you need to understand how it flows through your organization. This means understanding who uses the data, how they use it, and where it goes. This will help you to identify any risks to your data and to put in place controls to mitigate those risks.
- Impact assessment : Once you understand your data flows, you need to conduct an impact assessment. This is a process of identifying the risks to personal data and assessing the impact of those risks on individuals. This will help you to prioritize your remediation efforts and to make sure that you are taking the necessary steps to protect personal data.
To-be analysis: Once you have completed the as-is analysis, data discovery, data flow, and impact assessment, you need to develop a to-be plan. This is a plan for how you will comply with the DPDP Bill in the future. This plan should include the following elements:
- People: You need to identify the people who will be responsible for implementing and maintaining your data protection program.
- Process: You need to develop processes for collecting, storing, using, and disposing of personal data.
- Technology: You need to implement technologies to protect personal data.
Operate & Refine: Once you have implemented your to-be plan, you need to operate and refine it on an ongoing basis. This means monitoring your compliance with the DPDP Bill and making changes as needed.
Operations : The operations phase of the implementation process involves the following activities:
- Awareness/Training: You need to train your employees on the DPDP Bill and your organizations data protection policies and procedures.
- Encryption/Anonymization: You need to encrypt personal data where possible and anonymize it where necessary.
- Activity Monitoring: You need to monitor your organization activities to ensure that they are compliant with the DPDP Bill.
- Data Subject Request: You need to respond to data subject requests in a timely and accurate manner.
- Incident Management: You need to have a plan for managing data breaches and other incidents.
Remediation : The remediation phase of the implementation process involves the following activities:
- You need to update your privacy policies to comply with the DPDP Bill.
- You need to implement a consent manager to obtain consent from individuals before collecting their personal data.
- You need to implement a data governance program to ensure that personal data is managed in a secure and compliant manner.
- You need to appoint a data protection officer (DPO) to oversee your organizations data protection compliance program.
Towards Excellence: The towards excellence phase of the implementation process involves the following activities:
- You need to have your data protection program audited and certified by a qualified auditor.
- You need to implement privacy enhancement technologies to protect personal data.
- You need to stay up to date on changes to data protection laws and regulations.
All industries are not much different with respect to data privacy. Therefore, it is important for institutions in general to adopt systems and processes that minimize impulsive decision-making when addressing data breaches. Automation and well-planned and communicated responses are key in dealing with a potential data breach. The ScikIQ data platform is specifically designed to improve data governance and management by providing actionable insights. By incorporating ScikIQ into their operations, enterprises can stay ahead of the regulatory curve and start building better relationships with their customers. To do this, you can start by investing in your data infrastructure and governance.
Data breaches can be costly and damaging to businesses. In addition to the financial costs, data breaches can also damage a business’s reputation and customer trust. By automating data governance processes, businesses can reduce the risk of data breaches. ScikIQ can help businesses automate data governance processes by providing a single platform for managing data quality, security, compliance, and lineage.