
India’s Digital Personal Data Protection Bill was tabled in 2022, and was finalized as India’s Digital Personal Data Protection Act (DPDP Act) when it received approval from both houses of Parliament and the assent of the President in August 2023. The law came into effect August 11, 2023 and covers personal data collected in digital format, or collected by other means and later digitized. The law aims to strike a balance between the recognized need to process personal data for various purposes, and individuals’ right to control and protect it.

The DPDP Act has its roots in the early 2000s. With the Information Technology Act of 2000, India took its first formal step into cybersecurity laws. However, as technology evolved and the amount of digital data expanded, the need for a more comprehensive data protection framework became evident.

Data protection laws exist to prevent fraud and cybercrime, as well as to enforce rights regarding privacy. Applying strong data protection measures and safeguards not only protects individuals’ or customers’ personal data, but also an organisation’s own data, and so avoids considerable problems that may damage the organisation’s reputation or expose its confidential information. The DPDP Act grants certain rights to individuals, including the right to obtain information, to seek correction and erasure, and to grievance redressal.

Key Provisions

Scope and Applicability: The DPDP Act applies to the processing of digital personal data within the territory of India, whether collected online or collected in non-digital form and later digitised. It also applies to the processing of digital personal data outside the territory of India, if it involves providing goods or services to data principals within the territory of India.

Definition of “Personal Data”: Defined under Section 2(t) of the Act, it refers to any data about an individual who is identifiable by or in relation to such data. This includes an individual’s name, address, date of birth, government identity proof, phone number, email address, etc., which most organisations would require from a user or a customer, especially if they conduct their business through the internet.

Consent Requirements: The new Act mandates that organisations, both existing (i.e., having already collected personal data prior to the passing of the Act) and new, must have robust consent mechanisms which satisfy all the requirements under Section 6 (free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose).

Obligations of Data Fiduciaries and Data Processors: Data Fiduciaries (any person who determines the purpose and means of processing personal data) and Data Processors (any person who processes personal data on behalf of a Data Fiduciary) have a higher set of standards to adhere to in the collection, storage and processing of data. The primary obligations of a Data Fiduciary include:

  1. Appointment of a Consent Manager;
  2. Legality of collection and processing of data;
  3. Issuing of notice on usage of data;
  4. Providing consent revocation mechanisms;
  5. Taking reasonable measures to prevent personal data breaches;
  6. Implementation of an effective Grievance Redressal Mechanism regarding the users’ personal data.

The obligations borne by Significant Data Fiduciaries are even higher, such as:

  1. Appointment of a data protection officer to serve as a point of contact for grievance redressal;
  2. Conducting of Periodic Data Protection Impact Assessments;
  3. Appointment of an Independent Data Auditor to carry out periodic audits to evaluate compliance with the Act.

Implications for Businesses and Organisations (Data Fiduciaries)

One of the most notable features of the Act is the high penalties it imposes, extending up to two hundred and fifty crores. In light of this, entities which qualify as Data Fiduciaries must take the provisions of the Act seriously and begin implementing its requirements as soon as possible. Some implications for Data Fiduciaries are:

  1. Increased focus on cybersecurity measures: In order to prevent breaches of personal data, organisations must protect the data they collect in a more robust manner. This can entail enforcing an access-control system that restricts access to personal data by seniority level, implementing firewalls and higher encryption standards, etc.
  2. Timely updating of privacy policies: Any move made by the organisation must also include the step of assessing its privacy policy. For example, if an organisation were to introduce a newsletter delivered to its users’ email inboxes, this would require the Data Fiduciary to update its privacy policy and its consent mechanism to reflect the collection and storage of users’ email addresses, and the purpose for which such email addresses are collected, i.e., sending newsletters.
  3. Ensuring non-processing of personal data of minors: Data Fiduciaries are prohibited from processing the data of children under 18, including serving targeted advertisements based on analytics, without obtaining the verifiable consent of their lawful guardian.
  4. Issuance of notice and consent to new and existing users: Data Fiduciaries must issue a notice describing the details and use of individuals’ personal data in English and 22 other languages, as well as implement a clear, informed and detailed mechanism for obtaining consent from their users.
  5. Review of contracts and agreements with Data Processors: Data Fiduciaries bear the primary accountability in case of any personal data breach, rather than the Data Processor. In order to ensure that users are given full disclosure regarding the processing of their personal data, agreements between Data Fiduciaries and Data Processors must be clear, comprehensive, and exhaustive in terms of due diligence, risk assessment, transfer of liability, indemnification, confidentiality, data security, business continuity and disaster recovery.
  6. Investment in compliance, technology and personnel: The nature of the penalties would naturally require organisations to invest in lawyers to ensure that they are in compliance with the Act and avoid any breaches under it, or to ensure that even in the event of a personal data breach, they had conducted due diligence to reduce any impact or penalties arising from it. Investment in stronger security measures also falls under the purview of due diligence and compliance, as does technology for automatic deletion mechanisms, consent management mechanisms, and grievance redressal portals. Furthermore, organisations can ensure compliance by increasing training and awareness among staff on the handling of personal data and confidentiality, as well as by making the mandatory appointments under the Act, such as a Data Protection Officer, a Consent Manager, and an Independent Data Auditor.

In sum, the legal framework for the protection of personal data in India has advanced significantly with the passage of the Digital Personal Data Protection Act. The Act aims to promote responsible data use and respect for individual privacy rights by imposing high standards and legal obligations on Data Fiduciaries and Data Processors. As they adjust to these new responsibilities, businesses will need to maintain transparency and accountability in their data practices in addition to strengthening their cybersecurity safeguards. The DPDP Act, which emphasises the value of consent, data security, and the protection of personal information in an increasingly digital age, is a critical step towards establishing a safer digital environment, and should ultimately increase trust between consumers and businesses.

Author: Sumedha Vadhulas
