Understanding the Digital Personal Data Protection Act, 2023


Introduction

With the surge in personal data collection and processing, the absence of a comprehensive data protection law, and the rising number of data breaches and privacy violations, legislation that specifically addresses these concerns became necessary. The Digital Personal Data Protection Act, 2023 (DPDP Act) was notified on August 11, 2023; its individual provisions come into force on dates notified by the Central Government. It regulates the collection, storage, use and protection of digital personal data in India. The Act aims to protect the privacy and rights of individuals (termed Data Principals) and to prevent the misuse of personal data by the organisations that decide how it is processed (termed Data Fiduciaries). It broadly aligns with global data protection frameworks such as the European Union's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL).


Key concepts and terminologies of DPDP Act, 2023

  • Personal data: Any data about an individual who is identifiable by or in relation to such data.
  • Data Principal: The individual to whom the personal data relates (for a child, this includes the parents or lawful guardian). The Act covers Data Principals within India, and also reaches processing outside India that is connected with offering goods or services to them.
  • Data Fiduciary: Any person or organisation that, alone or together with others, determines the purpose and means of processing personal data. An entity that processes personal data only on behalf of a Data Fiduciary is a Data Processor.
  • Consent: A Data Fiduciary may collect and process personal data only after obtaining the Data Principal's consent, except for the specific "legitimate uses" the Act enumerates. Consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and must signify agreement to the processing of personal data for the specified purpose; it can be withdrawn at any time.
  • Notice: Before or together with the request for consent, the Data Fiduciary must give the Data Principal a notice describing the personal data sought, the purpose for which it will be processed, and the manner in which the Data Principal can exercise their rights under the Act and lodge a complaint with the Data Protection Board.

Rights of Data Principal and Obligations of Data Fiduciary

Rights of Data Principal: The Act grants Data Principals certain rights over their personal data.

  • Right to information: Data Principals can obtain a clear and understandable summary of the personal data being processed and the processing activities, including the other Data Fiduciaries and Data Processors with whom the data has been shared.
  • Right to correction and erasure: Data Principals can have their data corrected, completed, updated or erased when it is inaccurate, incomplete or no longer necessary; erasure can be refused only where retention is required for the specified purpose or by law.
  • Right to grievance redressal: Data Principals can raise a grievance with the Data Fiduciary (or a Consent Manager) if their rights are not honoured, and escalate to the Data Protection Board if it is not resolved within the prescribed time.
  • Right to nominate: Data Principals can nominate another person to exercise these rights on their behalf in the event of their death or incapacity.

Obligations of Data Fiduciary: The Act imposes the following obligations on Data Fiduciaries.

  • Engage a Data Processor to process personal data on its behalf only under a valid contract
  • Provide clear, concise and comprehensible notice to Data Principals
  • Obtain verifiable parental consent before processing the personal data of a child
  • Not undertake processing likely to harm a child's well-being, nor track, behaviourally monitor or target advertising at children
  • Report personal data breaches to the Data Protection Board and to each affected Data Principal
  • Implement appropriate technical and organisational measures to ensure compliance with the Act
  • Erase personal data, and cause its Data Processors to erase it, once the Data Principal withdraws consent or the specified purpose is no longer being served, unless retention is required by law
  • Take reasonable security safeguards to prevent personal data breaches


Classification of entities operating in development sector as per DPDP Act, 2023

The development sector consists of different types of entities, and the DPDP Act affects each entity type differently. The implications and applicability of the Act depend on the nature of the activity each entity undertakes. A basic classification of entities is provided below; note that the same entity can be a Data Fiduciary for some processing (for example, its own programme data) and a Data Processor for other processing it carries out on a client's behalf under contract.

Data Fiduciary

  • Donors such as corporate CSRs, family foundations etc.
  • Not for profits & civil society organisations
  • Consulting firms and other third party agencies
  • International NGOs such as PATH International etc.
  • Multilateral and bilateral agencies such as UNICEF, DFID etc.
  • International research firms such as J-PAL, 3ie etc.

Data Principal

  • Beneficiaries
  • Functionaries of an organisation, when they submit their own personal data to a donor/client or to a third party deputed by the donor/client organisation.


What the future looks like for the development sector in terms of compliance

Entities operating in the development sector will have to comply with the DPDP Act and ensure that the personal data of Data Principals is collected, processed and protected in a lawful, fair and transparent manner. The Act is likely to pose challenges and risks for these entities, as it requires them to adapt to new legal and technical requirements and to bear the costs and liabilities associated with data protection compliance.

The path to DPDP Act compliance for these entities can be divided into the following three phases:

[Figure: Pathway to DPDP compliance]

Organisations that already follow the GDPR and have established data protection systems will find it easier to comply with the DPDP Act. Organisations that operate only in India and have no experience with the EU regulation, however, will face many challenges in changing how they collect and store beneficiary data.

Until now, many entities in the development sector (especially NGOs) have been collecting and storing beneficiaries' personal data digitally without proper data security procedures. With the enactment of the DPDP Act, they must follow the legal requirements for data processing. Resource-limited not-for-profit organisations are likely to struggle to find funds to improve their systems and processes to comply with the Act. Donors and corporates may therefore have to support the compliance of the non-profit ecosystem by providing human resources (with expertise in IT, law, etc.) and financial resources (licence fees for compliant software, the cost of system upgrades, dedicated servers, etc.).

#DPDPAct #dataprotection #developmentsector
