What is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act is the most comprehensive data regulation in Indian history, confirming privacy rights for nearly 1.5 billion people. It replaces the country’s former patchwork of data protection laws, which included:

  • Section 43A and 87(2)(ob) of the Information Technology Act, enacted in 2000.
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, enacted in 2011.

Before the DPDPA, India didn’t have a single legislative framework to govern data privacy and protection. That began to change in 2017 when the country’s Supreme Court ruled that privacy is a fundamental right, leading to years of deliberations and negotiations on a corresponding bill.

Ultimately, on August 11, 2023, India’s House of Parliament passed the DPDP Act after just over a week of final approvals. It covers all entities that process “digital personal data” within India, regardless of their size or whether they are public or private.

What is digital personal data?

The DPDPA notably includes the term “digital” in its name, and that’s by design. Unlike other regulations, it specifically focuses on digitized personal information, which the act defines as “data regarding an individual that can be used to identify them either by or in relation to such data.” That includes:

  • Names
  • Addresses
  • Phone numbers
  • Birthdates
  • Email addresses
  • Education
  • Financial details
  • Medical records
  • Passwords

There are several exemptions, such as data made publicly available under a legal obligation and data processed for research purposes.

Who must comply with the DPDPA regulation?

The DPDPA applies to any organization that processes personal data within the territory of India if that information is collected:

  • In digital form, or
  • In non-digital form but digitized subsequently.

In addition, like other major regulations, the bill is extraterritorial. This means it also applies to any business that processes personal data to offer goods or services in India, regardless of where the data collection occurs.

Failure to comply with the DPDPA can result in significant penalties, including fines of up to 4% of global annual turnover or INR 250 Crores (approximately $30 million), whichever is higher.

How does the DPDPA work?

Let’s break down the DPDPA’s key concepts, rights, and requirements:

Definitions under the DPDPA

The DPDP Act uses several terms of its own that resemble, but do not exactly match, the terminology of other major regulations. These include:

  • Data fiduciary: This includes any entity that’s responsible for data collection and processing activities. This concept is borrowed from the General Data Protection Regulation (GDPR), which refers to this entity as the “data controller.”
  • Significant data fiduciary (SDF): SDFs are fiduciaries that the Indian government specifically identifies based on data volume, sensitivity, risk, and national security impact. SDFs must meet additional data protection requirements.
  • Data principal: As the equivalent to a “data subject,” this refers to the individual whose personal data is collected by a fiduciary.
  • Consent manager: A consent manager is a third-party organization with the authority to independently manage, review, and withdraw the data principal’s consent through a transparent platform. These entities make it easier for fiduciaries to comply with their legal requirements.

Privacy rights

The DPDPA establishes standardized rights that give citizens control over their personal data. These rights also set the primary legal baseline for data processing rules and requirements. They include:

  • The right to access personal information: Organizations must provide a means for data principals to request access to their personal information, thus ensuring transparency.
  • The right to request deletion: Individuals can also request that fiduciaries delete their digital personal data at any time.
  • The right to correct inaccuracies: Data principals can request corrections or updates to incomplete or inaccurate information.
  • The right to consent to data collection: Data fiduciaries must obtain clear and informed consent, ensuring individuals are aware of and agree to data collection and processing.
  • The right of grievance redressal: Individuals can file complaints and seek redress if they believe their rights have been violated.

Compliance requirements

According to a January 2024 report, 85% of data fiduciaries had begun preliminary steps to prepare for DPDPA compliance, which has yet to come into effect. However, “their preparation is hindered by the absence of rules that make up the substance of implementation for many provisions” of the regulation.

Put simply, the exact requirements are yet to be determined. That said, some high-level obligations are already definitive:

  • Obtain consent: Organizations must get clear, specific, and informed consent from individuals before collecting or processing their data. That involves notifying them about what data will be collected, why it’s being collected, and how it will be used.
  • Limit data collection: Fiduciaries can only collect data necessary for the specified purpose and nothing more.
  • Ensure data accuracy: Businesses must keep collected data accurate and up to date, correcting any inaccuracies when notified by the individual. Critically, this also means they must implement mechanisms that allow data principals to request updates.
  • Implement security measures: Fiduciaries are legally required to protect personal data from unauthorized access, breaches, and other security risks by implementing appropriate technical and organizational measures. That includes encryption, public key infrastructure (PKI), and similar protections.
  • Report data breaches: Covered entities must notify the Data Protection Board and the affected individuals in case of a data breach. Under the DPDPA, a breach includes unauthorized data processing, disclosure, alteration, or loss, or any action compromising data confidentiality, integrity, or availability.
  • Limit data retention: Fiduciaries cannot keep personal data longer than necessary for the specified purpose unless required by law and must delete information accordingly.

DPDPA vs. GDPR

The DPDPA has much in common with the European Union’s General Data Protection Regulation. However, it deviates from the GDPR in several ways:

Scope

  • GDPR: Applies to the processing of personal data of individuals within the EU, regardless of where the processing occurs.
  • DPDPA: Applies to the processing of digital personal data within India and has an extraterritorial effect if the processing is related to offering goods or services to individuals in India.

Sensitivity

  • GDPR: Differentiates between personal data and special categories of data, which require higher protection. It also defines children under different age limits (generally under 16) with specific provisions for their data protection.
  • DPDPA: Doesn’t differentiate between personal data and sensitive personal data. However, it defines children as individuals under 18 and imposes stricter obligations, including prohibiting tracking or behavioral monitoring of children and targeted advertising directed at them.

Data transfer

  • GDPR: Requires specific transfer mechanisms like standard contractual clauses for transferring data outside the EU.
  • DPDPA: Permits cross-border data transfers except to countries restricted by the Indian government.

How to prepare for DPDPA compliance

Entrust offers a wide range of products and solutions to help you simplify DPDPA compliance and safeguard personal data throughout the organization.

Ready to get started? Contact our team today.