GDPR Won’t Cut It: How DPDP Reshapes Data Handling for Indian Companies (Key Differences)

how-dpdp-reshapes-data-handling-for-indian-companies-key-differences

The Digital Personal Data Protection Act (DPDP Act) marks a unique moment in the landscape of Data Protection & Privacy in India. Unlike the previous fragmented data protection measures, this Act comprehensively governs the use of personal data by all businesses in India, both foreign and domestic. It fills a previously unregulated space in the legal landscape, establishing a much-needed framework for responsible data handling. But how does it hold up in comparison to the revered gold standard of data protection legislation, the EU – General Data Protection Regulation (GDPR)? The answer to that is not a simpliciter yes or no. Let us understand why and how these changes are important for businesses to be cautious about.

Category of Data: The DPDP Act adopts a non-tiered approach to data categorization unlike GDPR and its own predecessor Section 43A of the IT Act, 2000 and the SPDI Rules, 2011. It neither defines a specific category of “sensitive” data nor differentiates between personal and sensitive personal information. Therefore, the Act mandates identical security measures for all types of data, regardless of whether it encompasses personal data such as names, addresses, telephone numbers or potentially sensitive personal data such as biometrics, health data, etc.

Processor’s Role: Unlike the GDPR, which holds Data Processors directly accountable for their actions and liable for potential data breaches, the DPDP Act places primary responsibility and liability on the Data Fiduciary. While Data Processors remain subject to contractual obligations under the data processing agreement, only the Data Fiduciary faces direct penalties from the Data Protection Board of India. This shift in liability structure increases the compliance burden and potential financial risk for Data Fiduciaries under the DPDP Act, requiring them to carefully craft contractual terms that mitigate their exposure to processor-related failures.

Data Transfer: GDPR allows data transfer outside the EU through various mechanisms, including the EU Adequacy Decision (formal recognition of adequate data protection in a non-EU country), Binding Corporate Rules (internal data handling policies approved by the EU), and Standard Contractual Clauses (pre-approved data transfer agreements). On the other hand, the DPDP Act adopts a “black list” approach, permitting cross-border transfer unless the destination country or entity is explicitly restricted by the Act or other sectoral laws limiting data transfer.

Child Data: The DPDP Act takes a stricter stance on child data protection compared to the GDPR. While the GDPR defines a child as anyone between 13 and 16, the DPDP Act encompasses all individuals under the age of 18. This broader definition triggers stricter compliance requirements for Data Fiduciaries. Under the DPDP Act, processing child data for behavioral monitoring or targeted advertising is categorically prohibited, and Data Fiduciaries must refrain from any processing that could negatively impact a child’s well-being. Additionally, obtaining verifiable parental or guardian consent becomes mandatory when handling any child’s data.

Breach Notification Period: GDPR mandates that businesses experiencing data breaches notify relevant authorities without undue delay and specifies a maximum time frame of 72 hours after becoming aware of the breach. In India, a circular released by CERT-In under subsection (6) of Section 70B of the Information Technology Act, 2000, stipulates a more stringent reporting timeline. It requires entities to report information security breaches within six hours of noticing or being informed about the incident. Currently, the DPDP Act has not introduced any rules that deviate from this prescribed practice.

Penalties: The GDPR takes a tiered approach to data breach penalties, imposing fines ranging from €10-20 million or 2-4% of a company’s turnover, whichever is higher. In contrast, the DPDP Act sets a maximum penalty for each breach, with the actual amount determined by factors like the severity of the breach, the type of data affected, and mitigation efforts taken. This allows for more flexibility in tailoring penalties to specific circumstances.

While the DPDP Act may appear demanding, it is important to acknowledge its relative simplicity compared to data privacy regulations in many other jurisdictions. This approach is particularly suitable for India’s current stage of development in data privacy compliance since India Inc. is embarking on this journey anew, and a less prescriptive law facilitates a smoother transition. Embrace it as an opportunity to evolve, build trust, and unlock the true potential of responsible data usage. Remember, in the present digital regime, privacy isn’t just a compliance box to tick – it’s a competitive advantage waiting to be harnessed.