The rundown on the New Digital Personal Data Protection Act

The DPDP Act's primary focus is digital personal data. This includes identifiers such as name, phone number, email address, postal address and Aadhaar number (i.e. the national ID). The DPDP Act will replace the current data protection regime under the Information Technology Act (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”). Individuals can approach the Board if a data fiduciary does not comply with the law, and the Board can impose penalties of up to INR 250 crore (USD 30 million) for certain breaches. Compared to the GDPR, the Indian law is more consent-centric, allows less flexibility in breach reporting obligations and sets a higher age of consent.

How does this Impact your Business?

  • Data Handling Changes: Businesses must rethink how they gather and store data in order to comply. This may mean obtaining permission before collecting personal data, reducing the data collected, and erasing data that is no longer needed.
  • New Obligations: Businesses take on new duties under the DPDPA. Ensuring data accuracy and security, and responding to data subject requests, become priorities. Setting up data security measures and response procedures is a must.
  • Increase in Compliance Costs: Adhering to the DPDPA can increase costs. Establishing data security measures, hiring data protection officers, and managing data subject requests can be a costly affair.

Under the new DPDP Act, if your website already has privacy policies, it is essential to update them to comply with the latest regulations. This involves clearly communicating to your customers how their data is collected, stored, and used. If your website lacks such policies, it is crucial to establish them. Website policies are not just a legal requirement; they serve as a direct channel for informing your customers about their data rights and your data handling practices.

What are the mandatory provisions to now include in your website policy?

Consent is the approval given by the data principal to collect and process their data for specific purposes. Your business should seek consent through a clear and itemised notice, with the request for consent made available in all 22 languages. However, consent may not always be needed, as data fiduciaries may process data for certain legitimate uses such as employment or judicial obligations. Create a transparent privacy notice that clearly outlines what data is collected, why it is collected, how it is used and with whom it will be shared. This will help users make an informed decision.

Building a Withdrawal Mechanism: The DPDP affords Indian citizens the ability to request the complete erasure of their personal data by the online entities that process it. Hence, all your website policies are expected to include a mechanism that makes it easy for visitors to opt out of having their data processed by you. This can take the form of a button, link, or other feature visible on the website.

Furnishing contact details for a Data Protection Officer (DPO) or authorised representative, to facilitate an effective grievance redressal mechanism for Data Principals. A Data Protection Officer, or DPO, is responsible for monitoring the organisation’s activities related to personal data and for making sure that all operations are fully compliant with the guidelines; appointing one is a requirement for organisations designated as ‘significant data fiduciaries’.

Fiduciaries must regulate Data Processors: In the absence of specific legal obligations on processors under the DPDPA, fiduciaries engaging processors will have to ensure that their contracts are water-tight, because the ultimate liability under the law rests on the fiduciary alone. Data fiduciaries must evaluate whether their contracts with processors sufficiently capture their obligations and indemnify them against lapses on the processor’s part.

Consent of Children: Children are given additional protections under India’s data privacy law, which means that websites must adhere to special rules when requesting access to or using their personal information. Verifiable parental consent is required when a data subject is under 18 years of age. In addition to requiring confirmation of age and special consent where applicable, the DPDP prohibits online entities from targeting advertising at children (through tracking cookies) and from taking part in processing activities with the potential to detrimentally affect them.

The Indian government can designate any data fiduciary or class of data fiduciaries as Significant Data Fiduciaries (SDFs) based on certain factors, including the volume and sensitivity of the personal data they process. SDFs also need to carry out data protection impact assessments, and this gradation of data is an important part of those exercises.

The primary step that organisations should focus on for the next 3-6 months is to start data mapping and evaluating the processes in every department of the business. For instance, for what purpose and for how long are you storing the personal data? Answering this enables you to understand the gaps in your systems. Having important talks with your team about what the UX/UI is going to look like would also be beneficial, as well as mapping out the customer journey and making sure that the Data Principal is given.


Article written by Krishma Merchant and supported by Shannon Delilah Doctor (Intern at I.V Merchant & Company)

Aziz Bhaigora

10 months

Your post eloquently captures the transformative shift in India's digital landscape! Krishma.

Shivani Divecha

Founder - The Story Brewer | LinkedIn Branding Expert | Host #LinkedInLocalSOBO | Host - TED Circles | A Listener in the world of Speakers

10 months

Very in-depth analysis! Krishma.

Shriraj D.

Project Associate - Drishti Works | Sales & Marketing | Tech Enthusiast | Designing Solutions that Captivate and Inspire

10 months

Such thoughtful exploration! Krishma.

Rajendra Dhandhukia

Business and Leadership Coach | Mentor to Next Generation Leaders | Growth Strategist for Pharma Companies | #LinkedIn Creator

10 months

Illuminating post! Krishma.

Saahil Mehta

Entrepreneur | Leadership Coach | 100 Coaches Dr. Marshall Goldsmith | Author | Chapter President - EO MEPA Bridge | Sustainability Crusader | Keynote Speaker

10 months

Your insightful post brilliantly navigates the complexities of data protection in India! Krishma.
