With the impending implementation of the Digital Personal Data Protection Act, 2023 (Act), companies are on the verge of a paradigm shift in their data protection obligations. Although the Act's effective date is yet to be announced, companies must now initiate strategies to meet the new privacy requirements.
Rainmaker, in its commitment to protecting companies from the pitfalls of non-compliance, breaks down the critical provisions that corporates must know about and prepare for:
Key terms:
- Data Fiduciary: A data fiduciary is a person who, alone or jointly with others, determines the purpose and means of processing of personal data.
- Data Principal: A data principal is an individual to whom the personal data relates.
- Data Processor: A data processor is a person who processes personal data on behalf of a data fiduciary.
Here are some examples to understand the differences better:
- Data Fiduciary: A social media company that collects and uses user data to show them targeted ads.
- Data Principal:A user of the social media company.
- Data Processor: A cloud computing company that stores the social media company's user data.
Applicability:
The Act applies solely to personal data stored in a digital format. The scope also extends to handling personal data beyond India's borders when such processing is “in connection with an activity related to offering goods or services to data principals within the territory of India.”
Collection and Processing of Data:
The primary legal basis for processing personal data is obtaining consent. However, the following conditions must be met – “freely given,” “’specific,” “informed,” “unconditional,” an “unambiguous indication of consent” through a “clear affirmative action,” and the consent donor must be able to withdraw it as and when necessary.
Note: The Act permits a data principal to use a consent manager to manage the process. Data processed without consent must be within the following categories of legitimate uses, i.e. in compliance with law, court orders, in connection with medical emergencies or public safety matters. Additionally, processing personal data for employment purposes or to protect an employer from liability also constitutes a legitimate use under the Act.
Notice:
A Data Fiduciary must inform data principals through a notice regarding the personal data to be processed and the reasons for processing the same. Data principals should also be made aware of their right to revoke consent and the procedure for addressing grievances provided by the data fiduciary. This notice must be accessible in English and all 22 languages listed in the Eighth Schedule of the Constitution.
Obligation of Data Principals:
The Act gives Data Principals several rights over their personal data, including: The right to know what personal data is processed: Data principals have the right to know what personal data about them is being collected, stored, and used by data fiduciaries.
The right to data deletion: Data principals have the right to delete their personal data, with certain exceptions, such as when the data is needed for legal or public interest purposes.
The right to correct or update inaccurate personal data: Data principals have the right to correct or update their personal data if it is inaccurate or incomplete.
Applicability to Children:
The Act categorizes a person below 18 years of age as a child. Therefore, gathering personal data from children necessitates obtaining verified parental consent. The Act also forbids specific practices, such as targeted advertising directed at children and processing activities that might negatively impact a child's well-being. However, it grants the government authority to grant exceptions to some of these limitations through an official notification.
Accuracy and Deletion of Personal Data:
The Act requires data fiduciaries to:
- Make sure that personal data is complete, accurate, and consistent: This is especially important when the data will be used to make a decision that affects the data principal or when the data will be shared with another data fiduciary.
- Delete personal data when it is no longer needed: Once the purpose for which the data was collected has been served, the data fiduciary must delete it unless the data is required to comply with the law.
- Use reasonable security measures to protect personal data from breaches: This includes measures to prevent unauthorized access, use, or disclosure of personal data.
Personal Data Breach:
The Act defines a "personal data breach" as any unauthorized processing or accidental disclosure, use, alteration, or destruction of personal data that compromises its confidentiality, integrity, or availability.
Under the Act, regardless of the number, all personal data breaches must be reported. If a personal data breach occurs, the data fiduciary must notify the Data Protection Board of India (DPB) and the affected data principals as the government prescribes.
Significant Data Fiduciary:
The Act introduces the concept of a Significant Data Fiduciary (SDF). SDFs are data fiduciaries that process large amounts of personal data or pose a high risk to the privacy rights of data principals.
The government will determine which data fiduciaries are SDFs based on factors such as:
- The volume of personal data processed by the data fiduciary
- The sensitivity of the personal data processed by the data fiduciary
- The potential impact of the data fiduciary's processing activities on the rights of data principals
SDFs are subject to additional compliance requirements, including:
- Appointing a Data Protection Officer (DPO) who reports to the company's board of directors
- Appointing an independent data auditor to audit compliance with the Act
- Conducting privacy impact assessments for new processing activities
The DPO of an SDF is accountable to the SDF's board of directors or other governing body. The DPO shall also serve as the primary point of contact for individuals with grievances about the SDF's data processing practices.
Data Localization and Data Transfer:
The Act allows the government to create a list of countries where personal data cannot be transferred (black list). This means that personal data can generally be transferred to any country that is not on the blacklist or has not been specifically designated so by the government.
The Act does not require data fiduciaries to obtain an adequacy finding from the government before transferring personal data to another country.
The Act does not explicitly prohibit using standard contractual clauses, explicit consent, or inter-group transfers to transfer personal data to countries on the negative list.
Penalties:
The Act sets out maximum penalties for specific violations, such as failing to take reasonable security safeguards to prevent a personal data breach. This penalty can be up to INR 250 crores. However, the Act is not clear on the compensation mechanism for affected data subjects.
Key Takeaways for Organisations:
The DPDP Act is a complex piece of legislation, and companies must seek professional advice to ensure compliance. However, by taking the time to understand the Act's key provisions and taking steps to prepare for compliance, companies can avoid costly penalties and build trust with their customers.
In addition to the above breakdown, here are a few more steps a company can consider to prepare for the DPDP Act:
- Conduct a data audit: Identify all personal data your company collects and processes.
- Review your data processing practices: Ensure that your data processing practices comply with the Act's fundamental principles of consent, transparency, accuracy and deletion, and security.
- Update your privacy policies: Update your privacy policies to reflect the requirements of the Act.
- Implement new data protection procedures: Implement new strategies to ensure compliance with the Act's specific obligations, such as reporting data breaches and conducting privacy impact assessments.
- Train your staff: Train your team on the requirements of the Act and their responsibilities under the Act.
