The Digital Personal Data Protection (DPDP) Act is a comprehensive data protection regulation in India. The act establishes a framework for processing the personal data of residents of India.
The Central Government of India introduced the Digital Personal Data Protection Act on 09 August 2023 after receiving approval from both houses of the parliament. The act will be a milestone in India’s evolving technological landscape.
Explore this detailed guide to learn more about the law, key definitions, principles, and how to comply with it.
Let’s get started.
The Digital Personal Data Protection Act is a law designed to safeguard people’s privacy rights. It concentrates on overseeing how the personal information of Indian citizens is gathered, stored, processed, and shared.
This law establishes a strong framework to tackle the challenges of handling bulk amounts of personal data in the digital age. It aligns with the Digital India Bill and the proposed Indian Telecommunications Bill in fortifying data protection and enhancing the privacy of citizens of India.
The DPDP is mostly inspired by the EU’s GDPR; however, some terminologies are different. Here are the key definitions of the different terms used in the DPDP Act:
- Data Principal: A person whose data is collected, stored, or processed.
- Data Fiduciary: A person or a group of people who is responsible for determining the purpose and methods of data collection.
- Significant Data Fiduciary: A person or a group of people handling sensitive data that can affect broader societal and national concerns like India’s sovereignty, integrity, electoral democracy, state security, and public order.
- Data Processor: A person who processes the personal data on behalf of the data fiduciary.
- Consent Manager: A person registered with the Data Protection Board who acts as a point of contact for the Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
The DPDP Act applies to the processing of personal data collected within the Indian borders either in digital form or non-digital form that is later digitized. The law extends its applicability outside the Indian border if the data collection relates to offering goods or services to Data Principals residing in India.
The act does not apply to the processing of personal data by an individual for any personal or domestic purposes or if the data is publicly available.
The DPDPA clearly specifies the obligations of a data fiduciary when gathering personal information from citizens of India.
- A Data Fiduciary should have a lawful purpose for collecting personal data. In this context, lawful purpose means any purpose that isn’t forbidden by the law.
- A Data Fiduciary must disclose to the Data Principal about what data is collected and for what purpose.
- A Data Fiduciary should provide information on the rights of the Data Principal, along with guidance on exercising those rights and contacting the Data Protection Board.
- A Data Fiduciary is required to obtain consent from the data principal for processing their data. The consent should be informative and freely given with clear affirmative action.
DPDPA provides certain guidelines for processing the personal data of children or a person with disabilities.
- Data Fiduciaries must obtain consent from parents or lawful guardians for collecting or processing the personal data of minors or people with disabilities.
- Data Fiduciaries should refrain from collecting any personal data that could potentially harm the well-being of the child.
- Tracking, behavioral monitoring of children, or targeted advertising is strictly prohibited under any circumstances.
- If the Central Government is assured that a Data Fiduciary has established a verifiably safe method for processing children’s personal data, it may issue a notification specifying the age beyond which the Data Fiduciary is exempt from certain obligations for processing the personal data of the children
The DPDPA grants the following rights to the Data Principal regarding the processing of their personal data
- Right to access information about personal data: Data Principals have the right to obtain information about the personal data collected by the Data Fiduciaries. It includes information on what data is collected, why it is collected, and any other information related to the personal data. They also have the right to know the identities of the Data Fiduciaries involved in processing the personal data.
- Right to correction and erasure of personal data: Data Principals have the right to correction, completion, updation, or erasure of their personal data. They can request the Data Fiduciary to correct, complete, update, or delete the data for which they had previously granted consent.
- Right of grievance redressal: Data Principals have the right to file a complaint and get redressal if a Data Fiduciary or a Consent Manager mishandles your personal data or doesn’t fulfill their duties as per DPDPA. The Data Fiduciary or the Consent Manager must provide a straightforward way for Data Principals to address any concerns or complaints.
- Right to nominate: Data Principals have the right to nominate someone else to act on their behalf and exercise their rights in case of death or any inability to exercise the rights.
The DPDPA outlines certain exemptions for processing the personal data of a Data Principal if:
- the personal data is necessary for enforcing legal rights or claims.
- the processing of personal data by any court, tribunal, or other authorized body in India for performing their duties.
- the personal data is used to prevent, detect, investigate, or prosecute any offense or violation of any existing laws.
- the processing of personal data of Data Principals outside India, which is carried out based on a contract with a person outside India by a person based in India.
- the processing is necessary for schemes like compromise, arrangement, merger, amalgamation, reconstruction, demerger, or any related actions involving companies approved by a court, tribunal, or authority as per existing laws.
- the processing is for the purpose of determining the financial information, assets, and liabilities of an individual who has defaulted on loan payments to a financial institution, provided it aligns with the disclosure provisions of other applicable laws.
DPDPA is the first-ever data protection regulation in India. The law aims to protect the privacy of Indian citizens in the digital world. If you are doing business in India, you must follow the below steps to comply with India’s DPDPA.
1. Review Your Data Collection Practices
As the first step, you have to identify what are the ways in which you are gathering information from your site visitors. It might be in the form of a contact form, website cookies, login fields, and more. Analyze all the collected information and do a complete audit of how you process the information from your site visitors.
To have a better understanding, here are some questions you should consider:
- What personal information are you collecting?
- What is the purpose of the information collected?
- How long do you need this information?
- Are you using the information for any other purpose than it is intended?
- Do you collect information from minors?
- Are you sharing the information with any third parties?
After reviewing your data collection practices, conduct an analysis to determine what measures you should undertake to comply with DPDPA.
2. Inform Users About Data Collection
Inform your customers, clients, or users about the collection of their data and the specific purposes behind it. Provide clear disclosures regarding data collection, storage, and processing to ensure users understand why their data is being handled. You can create a privacy policy page on your website to disclose this information.
If you share data with third parties, disclose the entities that have access to this information. Additionally, if you handle the personal information of children or people with disabilities, share the details of data collection with their lawful guardians.
3. Obtain Consent From Users
You should obtain consent from your site visitors, users and customers for collecting, processing, and storing their personal information. You can ask for consent on different data collection source points on your website through checkboxes.
If your website uses cookies, you can ask for consent using a cookie consent banner.
Cookies are small text files that websites send to web browsers to track the website activity of site visitors. There might be chances in which your website may collect personal information from your site visitors without your knowledge.
To address this, consider using a consent management platform, such as our GDPR Cookie Consent Plugin, to handle cookie consent on your website seamlessly. We will explain further about our plugin in the later part of this article.
4. Inform Users About Their Rights
You should inform users about their rights and inform them how they can exercise their rights to ensure that their data is protected. Allow them to request editing, updating, or deleting any personal data stored on your website. Also, you may appoint a Data Protection Officer who should be able to handle any concerns people may have about their data.
5. Review Your Security Measures
You have to properly ensure that the data you have collected from your users is secure within your website. Implement necessary security measures and encryption protocols to restrict third-party access. Also, in case of any data breach, you are legally obliged to inform the concerned authorities and your users about the data breach.
Also Read: China’s Personal Information Protection Law (PIPL)
GDPR Cookie Consent Plugin is a WordPress plugin to help websites comply with major privacy laws such as GDPR and CCPA. If you are using WordPress as your CMS for your website, you can’t find a better plugin than this. This WordPress GDPR plugin is designed to work within the WordPress ecosystem, so you don’t have to create an account to access the features of this plugin.
With this plugin, you can manage cookie compliance for your website. The plugin lets you show a cookie banner to your site visitors and show Accept/Reject buttons to obtain consent from your site visitors. As the plugin is developed to meet the obligations of much more advanced data protection laws like GDPR, it can help you comply with DPDPA and any future amendments to the law.
Key features of this plugin:
- Create a cookie banner
- Works within WordPress CMS
- Customize the cookie banner
- Create a cookie policy
- Scan and list cookies on your website
- Block third-party cookies until users consent to
- Obtain explicit and implicit consent
- & more
Conclusion
The Digital Personal Data Protection Act is India’s first-ever data protection regulation. The law is aimed at protecting the privacy of Indian citizens in the digital world. Since this is a newly passed legislation, there are some obvious challenges with the law, and the nation has yet to appoint a Data Protection Board to regulate the law.
There are discussions on going about providing a year grace period for business. However, Mr. Rajeev Chandrasekhar, India’s Minister of State for Electronics and Information Technology, has said any breaches during this period will be addressed by the DPB once its members are in place.
As more information becomes available, we will update this article accordingly. In the meantime, we recommend taking necessary measures to prevent potential penalties and fines for your business.
Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.
