Mastering Data Protection: Roadmap to DPDPA 2023 Compliance
An organization’s vigilance over how it collects and processes the digital personal data of its stakeholders strongly influences its position in the marketplace. That vigilance also protects the fundamental right to privacy recognised by the Supreme Court in the 2017 K.S. Puttaswamy judgment. In line with that constitutional recognition, India’s privacy regime has developed in several stages. In the absence of standalone legislation, personal data was governed by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

The Digital Personal Data Protection Act (DPDPA) was notified in the Gazette on August 11, 2023. The Act governs the lawful processing of digital personal data, whether collected in digital form or collected offline and digitised subsequently. Data Principals (the individuals to whom the personal data relates) have the right to access information about the processing, to request correction and erasure, to nominate another person to exercise their rights, and to grievance redressal. To give effect to these rights, the entities that determine the purpose and means of processing, known as Data Fiduciaries, must meet a set of obligations: ensuring the accuracy and completeness of personal data, implementing reasonable security safeguards to prevent personal data breaches, notifying the Data Protection Board of India and each affected Data Principal when a breach occurs, and erasing personal data once the purpose for which it was collected is no longer being served, subject to any retention required by law.

A Data Principal affected by a breach or by non-compliance must first use the Data Fiduciary’s own grievance redressal mechanism and may then approach the Data Protection Board, which can inquire into the matter, direct remedial measures, and impose monetary penalties. To keep pace with this regulatory landscape, organizations must understand the Act’s provisions and take concrete steps toward compliance.
An effective data protection and privacy program is best built step by step. The process should begin with a gap analysis of the organization’s current data privacy practices against the requirements of the new legislation, followed by the design of a privacy management system that closes those gaps. That system should include the relevant policies and procedures, automated governance controls where manual processes do not scale, and external certification or audit to demonstrate that the privacy management system has been adopted and is operating.

Chapter II of the DPDP Act 2023 sets out the obligations of Data Fiduciaries. Any business or organization that, alone or together with others, determines the purpose and means of processing personal data is subject to these provisions. Key compliance steps that can transform an organization’s data management practices include:
◉ Consent Regime: Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. Information about the processing and any sharing with third parties must be provided before consent is sought. Under Sec. 6(4) of the DPDPA 2023, a Data Principal may withdraw consent at any time, and withdrawing it must be as easy as giving it; processing must stop within a reasonable time after withdrawal unless another lawful basis applies.
◉ Notice Accompanying a Request for Consent: Every request for consent must be accompanied by, or preceded by, a notice stating the personal data to be collected and the purpose of processing, how the Data Principal may exercise her rights, and how she may make a complaint to the Board. The notice should be made available in English or any of the languages listed in the Eighth Schedule of the Constitution.
◉ Grounds of Processing: Personal data may be processed only for a lawful purpose and only on the basis of consent or one of the "certain legitimate uses" recognised by the Act, such as personal data voluntarily provided by the Data Principal for a specified purpose, medical emergencies, compliance with a legal obligation, or employment-related purposes. Processing must stay within the purpose for which consent was obtained.
◉ Risk Assessment and Management: Significant Data Fiduciaries are required to carry out periodic Data Protection Impact Assessments (DPIAs) and independent data audits. Other organizations that process personal data at scale or for sensitive purposes are well advised to conduct DPIAs as well, to identify risk exposures before they become breaches.
◉ Technological Safeguards: The Act requires reasonable security safeguards to prevent personal data breaches. Privacy-enhancing technologies and automated controls, such as data discovery and classification, encryption and pseudonymisation, access control tied to stated purposes, and automated enforcement of retention and erasure, reduce reliance on manual governance while extending protection to the large volumes of personal data handled in critical business operations.
◉ Breach Response and Grievance Redressal: Organizations must establish systems for detecting, managing and responding to personal data breaches, together with policies for data retention and breach notification. Fiduciaries are required to publish the business contact details of a Data Protection Officer or, where a DPO is not mandatory, of a person able to answer questions about the processing, and to provide an effective grievance redressal mechanism with reasonable response times. A personal data breach must be reported to the Board and to each affected Data Principal in the form and manner prescribed by the Rules.
◉ Sensitization: Training sessions and workshops should be conducted for employees, management personnel, and third parties to cultivate a privacy-inclusive culture within the organization.
Additional rules apply in specific circumstances. Before processing the personal data of a child or of a person with a disability who has a lawful guardian, verifiable consent of the parent or lawful guardian must be obtained, and processing that is likely to cause a detrimental effect on a child’s well-being, tracking or behavioural monitoring of children, and targeted advertising directed at children are prohibited. Significant Data Fiduciaries, notified under Sec. 10 of the Act on the basis of factors such as the volume and sensitivity of the data they process and the risk to Data Principals, must additionally appoint a Data Protection Officer based in India who reports to the board or governing body, engage an independent data auditor, carry out periodic DPIAs and audits, and meet any other measures that may be prescribed.

India’s push to develop Artificial Intelligence and the growing need for businesses to operate and expand globally both call for a robust framework governing the processing of personal data. The Act awaits a set of Rules to operationalise its provisions, along with the constitution of the Data Protection Board to oversee implementation. Such a framework will not only strengthen data protection but also build user trust and encourage responsible innovation. Ultimately, the task is to strike a balance between protecting an individual’s personal data and processing it lawfully, so that the underlying mandate of upholding the constitutional right to privacy remains intact.