The Digital Personal Data Protection (DPDP) Act is a new comprehensive data protection law in India that governs how organizations process, retain, and protect individuals’ data. The law aims to protect digital personal data by providing obligations for data fiduciaries, rights for data principals, and penalties for non-compliance.

DPDP Act aims to regulate the processing of digital personal data while ensuring individuals’ right to protect their data and the need to process it for lawful purposes.

It protects digital personal data (that is, the data by which a person may be identified) by providing:

• The obligations of Data Fiduciaries (that is, persons, companies, and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
• The rights and duties of Data Principals (that is, the person to whom the data relates);
• Financial penalties for breach of rights, duties, and obligations.

Let’s look at some frequently asked questions about this important legislation:

1. What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act), is a comprehensive data protection legislation that governs how organizations process, retain, and protect the digital personal data of individuals, including their own employees. It will significantly impact organizations that collect and process digital personal data within Indian territory.

2. When was the DPDP Act developed and passed in India?

The DPDP Act was introduced in August 2023. Its conceptual basis is the report of the Expert Committee set up under the “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.” The Act was subsequently passed to provide a specialized framework for data protection in India.

3. When does the DPDP Act take effect?

The Act was introduced in August 2023, but the exact effective date is still to be announced along with the rules and regulations. Organizations should start preparing now for compliance.

4. What are the principles on which the DPDP Act is based?

The DPDP Act is based on seven principles, including the principle of consented, lawful, and transparent use of personal data, purpose limitation, and data minimization.

5. What new responsibilities will the organization need to adhere to with the enactment of the DPDP Act?

Organizations will need to adhere to new responsibilities, such as obtaining individuals’ consent before collecting or processing their personal data, providing data principals access to their personal data, enabling corrections, and reporting breaches to both the Data Protection Board and affected individuals.

6. What are the potential implications of the DPDP Act for businesses operating in India?

The DPDP Act has several potential implications for businesses, including the classification of data fiduciaries, compliance with principles-based legislation, data subject rights, data breach notification, penalties for non-compliance, and the impact on e-commerce and direct-to-consumer (D2C) businesses

7. How does the DPDP Act change an organization’s response to personal data breaches?

In the event of a personal data breach, the Act requires Data Fiduciaries to inform the Data Protection Board of India as well as the affected data principals. The manner and timeline of the reporting obligations will be prescribed in the coming months in Rules. The Act also necessitates the implementation of technical standards and a grievance redressal mechanism for data principals.

8. What are the penalties for non-compliance?

The Digital Personal Data Protection Act imposes severe fines of up to INR 250 crore for significant data breaches. Penalties range from INR 10,000 to INR 250 crore based on violation severity. Fines up to INR 500 crore or 4% of worldwide turnover, whichever is higher, apply for certain breaches. The Data Protection Board of India can impose penalties for breaches, failure to notify breaches, and breaches involving children’s data.

9. What technical standards are to be implemented under the DPDP Act?

At the time of writing, DPDP Act requires an ISO:270001 standard or its equivalent to be compliant.

10. What are the key obligations that organizations need to comply with under the DPDP Act?

Organizations need to identify a lawful basis to collect and process personal data, such as consent or legitimate use. They also need to respond to data subject access requests and ensure compliance with the Act’s key principles.

11. How will the DPDP Act impact consumer businesses, particularly e-commerce and D2C companies?

The DPDP Act will impose several regulations on e-commerce and D2C businesses, requiring them to revamp their strategic approach towards digital safety, ensure data protection, and comply with the Act’s provisions related to consent, access, correction, and deletion of personal data.

12. What are the potential challenges and opportunities for organizations under the DPDP Act?

While the DPDP Act presents opportunities for organizations to demonstrate their commitment to data protection and privacy, it also poses challenges related to compliance, data security, and educating users and staff about data privacy rights. However, overall, it is seen as a positive development for the industry in India.

13. What is the impact of the DPDP act on B2B business?

The impact of the Digital Personal Data Protection (DPDP) Act on B2B businesses in India is significant and multifaceted. The Act imposes several regulations on businesses, including B2B enterprises, that handle personal digital data. Here are some specific ways in which the DPDP Act will impact B2B businesses:

• Compliance and Data Protection: B2B businesses will need to ensure compliance with the Act’s provisions, including obtaining consent before processing personal data, ensuring data protection, and implementing new protocols to comply with the Act.
• Data Processing and Innovation: The Act will require B2B businesses to assess their readiness for data protection, including the volume, sensitivity, and level of transparency of the personal data they process. It also encourages the use of personal data for innovation and research, provided it is done in a fair, transparent, and accountable manner.
• Consent Management and CRM: B2B businesses will need to implement robust consent management processes and may need to modify their customer relationship management (CRM) platforms to record and manage consent for data processing.
• Client Engagement and Prospecting: The Act will likely lead to more structured, context-aware, and consent-driven client engagement and prospecting processes. B2B businesses will need to adapt their marketing and sales approaches to align with the Act’s requirements.

14. Does the Act present any opportunities?

Yes, the DPDP Act allows compliant businesses to demonstrate commitment to privacy. It also creates openings for startups offering compliance services.

15. Where can I access the original DPDP Act?

https://egazette.gov.in/WriteReadData/2023/248045.pdf

Key definitions under the DPDP Act

While the majority of concepts in the DPDP Act are similar to those in the GDPR, the terminology differs. Key definitions you need to get familiar with are as follows:

• Data fiduciary: A Data Fiduciary refers to any entity or individual that determines the purpose and means of processing personal data. This includes organizations that collect personal data for various purposes, such as providing services, conducting research, or marketing products. They are responsible for compliance with the DPDP Act.
• Data Processor: A Data Processor refers to anyone engaged in collecting, recording, organizing, storing, adapting, sharing, disclosing, destroying, or otherwise using personal data. Under India’s DPDP, a data processor is anyone who processes personal data for a data fiduciary.
• Data principal: A Data Principal refers to the individual whose personal data is being processed. This individual could be anyone, but there are a couple of special cases to consider: If the individual is a child, then the ‘Data Principal’ also includes the child’s parents or their lawful guardian. If the individual has a disability, then the ‘Data Principal’ includes their lawful guardian who is acting on their behalf.

The DPDP Act ushers in a new era of data protection in India. While it poses compliance challenges, the law will boost user trust and position India as a global leader in digital privacy. Organizations must start preparing now to avoid penalties and fully realize the benefits. With some strategic planning, the DPDP Act can be transformed from a challenge into an opportunity.