Decrypting the Digital Personal Data Protection (DPDP) Act, 2023 of India

23-05-2024 | 6 min read | GDPR Compliance, IT Trends

Data privacy is quintessentially one of the most crucial aspects of an organisation. Knowing what data to store, how to store them securely, protecting customer data from threats, and so on, are a part of an organisation’s strategic checklist. Thankfully, several data protection and privacy laws in place help ensure the right usage and integrity of the data. For example, the EU has the General Data Protection Regulation (GDPR), CCPA in the US, Loi 25 in Canada, and very recently – the Digital Personal Data Protection (DPDP) Act in India. 

In today’s fast-paced digital landscape, especially with most financial transactions being digital in India, the Digital Personal Data Protection Act happens to be quite a momentous stride, protecting the privacy rights of individuals while promoting responsible data management practices. As a matter of fact, the act recognises the growing significance of protecting personal data, and therefore, aims to strike a balance between the rights of an individual and the lawful data processing requisite of an organisation.

Simply put, the Digital Personal Data Protection (DPDP) Act of 2023 applies to any digital personal data processing within India, whether collected online or offline and later digitalised. The act also applies to any digital personal data processing out of India if it involves goods or services offerings to the data principals within the territory of India. 

Primarily, the objective of the DPDP Act is to regulate digital personal data processing while respecting the individual’s right to protect their data, recognising the essentiality of processing, and their usage for lawful purposes. Not a major pro, but still can be counted as one – the language used in the official documentation of the Act is simple and straightforward, thereby ensuring a seamless and effective understanding for all. The Digital Personal Data Protection Act also aims to set up a comprehensive legal framework that will help govern the protection of data in India. 

An interesting fact of the matter is that the DPDP Act in India shapes and streamlines the data management process. Hence, it is imperative that organisations oversee the implementation of the privacy act, data governance, and improvement to ensure better operations. 

What falls under DPDP
What falls under DPDP

One of the factors that falls under the Digital Personal Data Protection Act is the Significant Data Fiduciary (SDF), which the Indian government will identify based on the volume and sensitivity of the processed personal data and its associated risks. There are some specific obligations under the Significant Data Fiduciary (SDF) that include an appointment of a data protection officer (DPO) based in India, an independent data auditor, and frequent data protection impact assessments (DPIA).   

Furthermore, the Digital Personal Data Protection Act will empower Indian citizens as the data principal rights allow –

As per the act, individuals will have the right to seek more information on the processing and usage of their data. As a matter of fact, the Significant Data Fiduciary (SDF) will make this information more visible and documented in a much more understandable manner. 

The Digital Personal Data Protection Act makes it more favourable and easier for individuals to correct any inaccuracies or incomplete information in their personal data. Having said that, the act also gives individuals the right to erase data that is no longer necessary for processing. 

One of the salient features of the DPDP Act is that it gives individuals the right to grievance redress. According to the law, individuals will have the right to use any readily available means of registering their grievances, issues, and so on with a data fiduciary.

Lastly, the right to nominate feature of the act enables individuals to nominate any other person to exercise data privacy in the event of any incapacities or death.

One of the significant features of the Digital Personal Data Protection Act is the penalty clause. There are penalties of up to INR 250 Cr for non-compliance of the provisions by the data fiduciaries. Some of the cases in which penalties can be levied are –

  • Any breach in the observance of duty of the data principals may lead to a fine of INR 10,000
  • Any breach in the observance of additional obligations related to children may result in a fine of INR 200 Cr
  • Any failure to notify the data protection board and affected data principals in the event of a personal data breach may lead to a fine of up to INR 200 Cr. 

Under the Digital Personal Data Protection Act, non-automated personal data, offline personal data, and personal data that have existed for at least 100 years are excluded. Additionally, the maximum penalty limit of INR 500 Cr has also been removed. 

Apart from this, the 72-hour timeline within which a data breach must be reported to authorities has also been excluded. Also, at present, the act doesn’t prescribe any specific timeline for implementing the grievance redressal and data principal rights.

The Digital Personal Data Protection Act is expected to have an impact on major organisational sectors like information security, IT, legal, sales and marketing, human resources, finance, and procurement, to name a few. This is because of the type and volume of personal data collected, stored, processed, retained, and disposed of in India. Therefore, organisations in the aforementioned sectors as well as their related ones, must develop a robust and effective data privacy and protection policy keeping the DPDP Act of 2023 in mind. 

The fact of the matter is that approximately 70% of worldwide business transactions take place through SAP; majority of the organisations use SAP systems, including India, which outlines the importance of aligning privacy in SAP with the DPDP Act. Here are some key things about DPDP that organisations using SAP systems must ensure –

Legal use of information: Organisations in India have to ensure that they follow the Digital Personal Data Protection rules when handling individual personal information like getting clear permission; using the information only for lawful and authenticated reasons, and so on.

Data security: As per the rules of the DPDP Act, organisations ensure steps that protect personal information from being accessed, changed, shared, and destroyed without authorised consent or permission. SAP systems have several built-in features that can help organisations ensure data security.

Individual’s rights over information: As two of the salient features of the Digital Personal Data Protection Act are the right to information and the right to correction, organisations must take measures to ensure that individuals can see the information that is being stored, fix errors in their data, and erase data that are no longer needed.

Ensure DPDP Compliance
Ensure DPDP Compliance

Here’s what businesses can do to prepare their SAP systems for DPDP compliance:

Find all the information: Identify and document all personal information stored in SAP systems, including where they come from, why the data is used, and their legal usage conformity.

Check how the information is used: As organisations, it is imperative that the usage of the information is reviewed, and how they are handled in SAP to make sure it follows DPDP rules, like getting consent, using only the minimum information needed, and only using it for specific purposes.

Adhere to rules: Apply data deletion rules or legal hold rules on SAP systems, as required, to ensure data privacy is enforced on the system.

Make data more secure: Another step is to strengthen security measures within SAP to protect information from unauthorised access, breaches, or misuse.

Train employees: Train people who use SAP and handle information to understand and follow DPDP rules and best practices.

The DPDP Act signifies India’s commitment to data protection and privacy in the digital age. As organisations adapt to regulatory changes, they pave the way for a future where data is not just protected but used responsibly to drive innovation and improve lives.

Apart from the Digital Personal Data Protection Act in India, there are other data privacy laws like GDPR, Loi 25, etc., as aforementioned. In the upcoming blogs, we will talk and discuss about them in detail.  Stay tuned for further blog articles as part of our data privacy series!

Till then, if you have any concerns about data volume management, you can connect with our experts here!

Data privacy series

Data privacy series

This article is part of the data privacy series. Check out other related articles that might be of your interest: