On October 15, 2023, India received a huge security threat when Resecurity, an American cybersecurity company, claimed that personally identifiable information of 815 million Indian citizens was being sold on the dark web. They mentioned in their blog, that the threat actors, going by the name pwn0001, were willing to sell the data, which included Aadhaar numbers and passport details, for $80,000. This data was apparently sourced from the Indian Council of Medical Research (ICMR) which has faced numerous cyber-attack attempts, with 6,000 incidents being reported in 2022 alone.
Therefore, the Digital Personal Data Protection Act of 2023 came as a huge relief for many. Enacted on the 11th of August, 2023, it is:
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
This blog is targeted at informing you about the compliance requirements of the act and how it can affect your organisation.
Compliance Requirements Under the DPDP Act, 2023
The DPDP Law, which has been enacted after more than half a decade of deliberations, enables organisations to include and process personal data only with explicit consent from the individual, unless specific circumstances pertaining to national security, law, and order require otherwise. Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and for a specific purpose. The data collected should only be limited to what is necessary for the specified purpose.
Requirements for seeking consent
Before seeking consent, your organisation will be required to send a notice to users, that contains details about the data to be collected and its purpose. This includes personal data like name, address, contact and financial information, biometric data, and online activity data. The notice should also mention the rights of the concerned individual and the grievance redress mechanism.
💡 What are the exceptions in seeking consent?
Consent may not be required for specified legitimate uses that include voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services. This act gives an individual the right to access, rectify, delete their data, file a complaint, withdraw their consent or nominate another person to exercise their rights.
What is your organisation expected to do?
Organisations are expected to take accountability and liability for penalties if sensitive personal information (PII) is shared. Failing to comply with this Act can result in heavy fines being imposed on the offender that could reach up to two hundred and fifty crore rupees. Organisations are required to report any data breach to the Data Protection Authority of India (DPAI) and affected stakeholders within 72 hours of becoming aware of the breach.
Let us dive deep into some other elements of the DPDP Act 2023:
Scope
What makes this act stand out is how its applicability is not limited to the Indian territory alone. It also extends beyond its borders which implies that it applies to non-citizens living in India and non-Indian organisations that offer goods or services to individuals in India. This means it has implications on, say, a U.S. citizen residing in India, being provided digital goods or services within India by a non-Indian enterprise.
Data Localisation
The government’s version of the bill that was introduced in the parliament, the Personal Data Protection Bill, 2019, restricted the cross-border flow of certain categories of data. However, the 2023 law only states that the government may restrict flows to certain countries by notification. Thus, it provides the government with necessary legal powers for national security purposes.
Child Data Processing Obligations
The DPDP Act 2023 does not permit the processing of any data that might have a detrimental effect on a child (An individual under the age of 18). It requires Data Fiduciaries (i.e., any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data – your organisation) to obtain parental consent and prohibits the tracking, monitoring, and targeted advertising of data that is directed at children. The government, however, can prescribe exemptions from these requirements for specified purposes.
📌 The government has established provisional timelines for organisations to comply with the DPDP Act 2023. This is 6 months for large enterprises but extends up to 1 year for smaller ones.
Penalties Under The DPDP Act 2023
The Data Protection Board of India (DPB) was established under the same act and its role is to ensure compliance with the Act, failing which, it can also levy huge penalties on the offender. It is vested with the responsibility of protecting the rights of the Data Principals and handles complaints and violations as well.
The Board has the power to impose fines in cases of significant breach, with the severity and categorisation of the fines being defined in the Act’s Schedule. The maximum penalties for the various types of breaches are:
- Personal Data Breach: Up to 250 crore rupees.
- Failure to Notify a Data Breach: Up to 200 crore rupees.
- Breach of Additional Obligations (e.g., for children or significant data fiduciaries): Up to 150 crore rupees.
- Breach of Duties under Section 16: Up to 10,000 rupees.
- Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach.
- Other Breaches: Up to 50 crore rupees.
Does this Act Apply To Your Organisation?
While complying with the DPDP Act 2023 is mandatory for organisations, whether or not your enterprise falls under that category is subject to a few prerequisites. Some of the factors to consider are:
- Is your organisation involved in processing the personal data of individuals residing in India, regardless of the location of your headquarters?
- Does your organisation process this data for commercial purposes or for profiling individuals?
- Does your organisation engage in processing a significant volume of personal data, even if it is for non-commercial purposes?
If the answers to these questions are in the affirmative, your organisation will be subject to the Act.
Steps To Take To Comply With The DPDP Act 2023
Ensuring compliance with the Act and its policies and laws might seem quite intimidating. Despite coming into force, some of its provisions are complex and open to interpretation. This ambiguity can lead to legal disputes and challenges, especially in cases where the law is not entirely clear about specific requirements or definitions. However, you can facilitate ease in the process by doing the following:
- Identify and Map Data
The first step in this process is for you to track all the personal data that is collected, stored and processed in your organisation so that you can gain an insight into its journey.
- Establish Data Policies and Procedures
The next step is to develop & document actionable data privacy policies and procedures that align with the requirements of the Act.
- Implement Data Privacy Impact Assessments (DPIAs)
Here you should conduct DPIAs and their outcomes and properly document them. This would help identify high-risk data processing tasks and minimise privacy risks.
- Implement Appropriate Data Security Measures
Next, you should implement robust data security measures like access controls, data encryption, and incident response plans.
- Calculate the Potential Financial Impact
This is about determining the impact of data loss risks in financial terms and assessing its impact on your organisation.
- Conduct Regular Audits and Reviews
Conducting regular internal audits and reviews to assess the effectiveness of data privacy compliance practices is an important step in the process.
- Determine Cyber Insurance Limits
You should scientifically determine the required policy value to cover potential losses from data breaches, regulatory fines or malicious interruptions.
These steps might seem easy yet can be a little challenging to employ. The main question here is, is your organisation prepared to handle it all?
Navigating through the mayhem of the compliance laws under the DPDP Act 2023 might seem overwhelming, yet it is vital for you to adopt its policies because even a small error can cost your organisation a fortune.
How RankSecure Can Help
Our aim at RankSecure is to
for your establishment. With our understanding of the requirements, obligations, and exemptions of the Law for your organisation, we actively follow through with the execution as well. We are adept at:
- Conducting data privacy audits & assessments
- Developing a data privacy framework
- Data discovery and mapping
- Third-party risk management
- Introducing privacy-enhancing technologies
- Implementing technical safeguards
- Cyber risk financial quantification
- Training and awareness
You can book a free consultation with our experts who can assist you in the process of DPDP compliance that will keep your enterprise safe from numerous legal penalties, investigations, and reputational damages. Let us help you before you run out of time.
