What is DPDP Act in India?
The Digital Personal Data Protection Act (DPDP Act) is India’s first comprehensive data protection legislation. It puts power in the hands of the users, imposing obligations on businesses on how to collect, store and use personal data.
Why was the DPDP Act needed?
With growing technological developments, businesses rapidly scaled. However, this growth came at a great risk. A lot of personal data was being processed without any strict regulations in place. With the introduction of the DPDP Act and regulators mandating compliance, how data is processed will change.
What is the impact of the DPDP Rules?
The DPDP Draft Rules were published in January this year. The Rules are likely to be enforced soon. The Draft DPDP Rules provide clear guidance for businesses on how to handle personal data.
The rules give extensive rights to the users to access, erase, and control their data, set out clear processes for businesses to follow and clarify the roles and responsibilities of the Data Protection Board. The rules also mandate parental consent for children’s data.
What are the 6 key features of the Data Protection Act?
While the government is yet to release the detailed DPDP Rules, these are the key features arising from the text of the Digital Personal Data Protection Act and the Draft Rules:
A. Consent as Primary Ground of Processing: Consent is the main requirement for processing personal data under the DPDP Act, with other grounds being rare exceptions. To process data, there must either be a legitimate use or lawful consent. You can read more on the grounds for processing personal data here.
B. Data Fiduciaries' Responsibility: The DPDP Act holds Data Fiduciaries accountable for all data processing, including that done by third-party vendors. There are higher obligations for Significant Data Fiduciaries.
C. Data Security and Breach Notification: Data fiduciaries must ensure strong data security and promptly report breaches to the Data Protection Board and affected individuals.
D. Data Protection Board (DPB): The Data Protection Board shall oversee the enforcement of the Act, impose penalties, and handle complaints, with considerable discretion in levying monetary penalties.
E. Cross-Border Data Transfers: Data can be transferred to any jurisdiction unless specifically prohibited by the government. Read more about restrictions on cross-border data transfers and data localization.
F. Protection of Children's Data: The Act gives special consideration to children's data, requiring verified parental consent for processing and banning certain practices like targeted advertising. Read more about DPDP law on children's data on our consent blog.
What is personal data as per the DPDP Act?
Personal data is any data about an individual who is identifiable by or in relation to such data.
Some examples of personal data are: a person’s name, mobile number, bank account, photograph, signature, Aadhaar details, etc. You can read more about personal data in our blog on the applicability of the DPDP Act.

Who needs to comply with the DPDP Act?
The DPDP Act impacts everyone, but the key stakeholders defined in the Act are:
- Data Principals: Individuals to whom the data belongs, such as customers opening bank accounts or users registering on websites.
- Data Fiduciaries: Entities like banks, telecom providers, and social media platforms that process personal data. They face the highest level of compliance obligations.
- Data Processors: A person who processes personal data on behalf of a Data Fiduciary.
The critical difference between Data Processors and Fiduciaries is that only the Fiduciaries determine the means and purpose of processing data.

Data Fiduciaries collect and process data of multiple Data Principals
Data Processors process data on behalf of Data Fiduciaries
What are the 7 steps to DPDP Compliance?
The following 7 steps provide a structured and practical guide for compliance, ensuring your business not only adheres to the new regulations but also thrives under them:
1. Understand and Assess
2. Audit and Map
3. Define Internal Policies
4. Manage Consent
5. Provide For User Rights
6. Manage Third Parties
7. Enhance Data Security
Here is a detailed blog on how businesses can comply with the DPDP Act.
What are the penalties under the DPDP Act?
The Digital Personal Data Protection Act imposes significant fines for breaches. These are calculated by the Data Protection Board based on the nature, duration, and severity of the breach, and the Board has considerable discretion in levying monetary penalties. Penalties can go up to 250 crores per violation.
Read our blog on DPDP Penalties for more details.

What are the exemptions under the DPDP Act?
The government has the power to exempt certain businesses from some obligations. There are exemptions to the DPDP Act's provisions in certain cases like investigation of offences, enforcement of legal rights or claims, and processing outside Indian territory.
We have detailed the exemptions in our DPDP Act Exemption blog.
What to do with data collected before the DPDP Act?
Even for consents collected prior to the enactment of the DPDP Act, the Data Fiduciary must send a one-time notice in a fixed format. If the Data Principal withdraws their consent after this notice, the data processing will have to stop.
This is a significant obligation on many industries, especially data-heavy industries like BFSI, telemarketing, aggregators, healthcare, e-commerce and the like. A customized notice must be sent to all existing customers detailing their data, the purpose of use, the right to withdraw consent and the method of grievance redressal.
What is the difference between GDPR and DPDP?
The General Data Protection Regulation (GDPR) of the European Union and India's DPDP Act are both landmark legislations in their respective regions for data protection and privacy. Here are some key differences between GDPR and DPDP Act.
Conclusion/Next Steps
The DPDP Act is changing the data privacy landscape in India. Companies need to adapt quickly and reimagine how they collect and process personal data. Failure to do so will invite penalties up to 250 crores, legal consequences and reputational damage.
Wondering where to start? Get in touch with us for more information.