The Digital Personal Data Protection (DPDP) Act, 2023, is a comprehensive data privacy law that aims to protect the personal data of Indian citizens.
Relevant Comments from Rajeev Chandrasekhar, MoS-IT, in different interviews:
- The purpose of this bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes.
- The upcoming DPDP Bill will create a category called 'high-risk significant data fiduciaries', and regulations on firms that process a large quantum of user data or critical user data will be much more detailed compared with regular data fiduciaries.
- In the DPDP, we have a category of higher risk significant data fiduciaries, and they will be regulated much more granularly with much more closer attention. The regulations and the compliances for them will be a lot more than a normal data fiduciary.
- Data Protection Board (DPB) will be an independent body and it says so in the bill - 'independent of the government'. DPB is not a regulator. DPB will have an oversight of the high court because all of its decisions will be scrutinised by the court system.
- Centre is likely to exempt new age start-ups from complying with norms under proposed DPDP for a limited period.
This law applies to all companies that process "digital personal data" of Indian residents, regardless of whether the company is located in India or not. Even if data is collected offline and later digitised, the DPDP Act applies.
The DPDP Act includes a number of requirements that companies must comply with, including:
- Right to erasure: Individuals have the right to request that their personal data be erased from a company's records.
- Right to access: Individuals have the right to access their personal data that is held by a company.
- Right to rectification: Individuals have the right to request that inaccurate personal data be corrected.
- Right to portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to restrict processing: Individuals have the right to restrict the processing of their personal data in certain circumstances.
Data collection from Users
- Obtaining consent: Companies must obtain clear and informed consent from individuals before collecting their personal data.
- Data minimization: Companies must only collect the personal data that is necessary for the purpose for which it is being collected.
- Data storage: Companies must store personal data securely and take steps to prevent unauthorized access or disclosure.
- Data breach notification: Companies must notify the Data Protection Authority and affected individuals of any data breaches within 72 hours of becoming aware of them.
- A Data Protection Officer will be appointed by the Significant Data Fiduciary (the company which processes the data). The contact details of this person will be made publicly available, in plain language, so that they can respond to any communication from the Data Principal (i.e. the user). This person will report to the board of the company or to someone of similar stature. This means s/he should be supported by the CISO, Tech & Product, and Legal. Relevant tools will be required, and the product should be made compatible. A consent manager is mandatory. Users should be given a place to exercise their rights. Data capture should be minimal, so product managers should be cognizant of this in design and in what they ask users for. Communications will have a legal bearing, so support from the legal team will be required. Data audits should be done periodically.
Penalties are incident-specific: each individual breach or failure attracts its own fine.
- Non-compliance with the provisions by a Data Fiduciary – up to INR 250 crore (approx. USD 30 million)
- Non-fulfilment of obligations by a Significant Data Fiduciary – up to INR 150 crore
- Failure to notify the breach to the Board and affected Data Principals – up to INR 200 crore
- Non-fulfilment of obligations while processing children's data – up to INR 200 crore
- Miscellaneous non-compliance with provisions of the Act – up to INR 50 crore
- Breach in observance of duty as a Data Principal – INR 10,000
- Breach of any terms of a voluntary undertaking – liable for the penalty of the underlying contravention
Here are some specific examples of how companies will need to change their practices in order to comply with the DPDP Act:
- Social media companies: Social media companies will need to obtain clear and informed consent from users before collecting their personal data. They will also need to provide users with more control over their data settings and make it easier for users to delete their accounts.
- E-commerce companies: E-commerce companies will need to obtain clear and informed consent from customers before collecting their personal data. They will also need to take steps to prevent unauthorized access to customer data and notify customers of any data breaches.
- Financial institutions: Financial institutions will need to obtain clear and informed consent from customers before collecting their personal data. They will also need to take steps to protect customer data from fraud and identity theft.
- Telecommunications companies: Telecommunications companies will need to obtain clear and informed consent from customers before collecting their personal data. They will also need to take steps to protect customer data from unauthorized access and use.
These are just a few examples of the many companies that will need to change their practices in order to comply with the DPDP Act. Companies of all sizes should take steps to familiarize themselves with the new law and to implement the necessary changes to their data collection and processing practices.
Head of Analytics
1 year ago: Nicely articulated
Engineering Manager || Data || DTU || Fintech || Cloud || DataOps
1 year ago: Very well put. Implementation of Right to erasure is going to be a mammoth task.