The Digital Personal Data Protection Act, 2023 will require organizations to review their existing data collection and processing mechanisms to make sure they comply with the new law. We have prepared this document to answer frequently asked questions about compliance with the DPDP Act so that you and your organization can understand the law and your obligations under it.
1. Does my organization have to comply with the Digital Personal Data Protection Act 2023?
Ans – The Digital Personal Data Protection Act, 2023 (DPDP Act) applies to the processing of personal data in digital form within India, regardless of where the organization doing the processing is located. This includes data collected in digital form and data collected in non-digital form that is subsequently digitised. It also applies to the processing of digital personal data outside India if such processing is in connection with offering goods or services to individuals (data principals) within India.
Here are some examples of organizations that would be subject to the DPDP Act:
◉ Social media companies
◉ E-commerce companies
◉ Banks and financial institutions
◉ Healthcare providers
◉ Educational institutions
◉ Government agencies
2. What kind of data will constitute personal data? What is consent, and will it be collected?
Ans – Under the DPDP Act, personal data is any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly. This includes direct identifiers such as name, address, and date of birth, and indirect identifiers such as IP address, device ID, and location data that can be linked back to a person.
This definition is expansive and encompasses a wide range of information, including:
◉ Name, address, and contact information
◉ Financial information, such as bank account numbers and credit card numbers
◉ Medical information, such as health history and treatment records
◉ Online activity data, such as IP addresses, cookies, and browsing history
Consent under the Act must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the stated purpose. Before requesting consent (or at the time of requesting it), data fiduciaries must give data principals a notice that includes the following:
◉ The purpose of processing personal data
◉ The rights of data principals
◉ Manner of making complaints to the Data Protection Board of India (DPBI)
Data fiduciaries must also ensure that the notice is clear, concise, easy to understand, and avoids technical jargon. Importantly, the data principal must be given the option to access the notice in English or in any of the 22 languages listed in the Eighth Schedule of the Indian Constitution.
Here is an example of what a notice regarding data processing may look like:
Notice of Data Processing
To provide you with a seamless service, we will collect your name, email address, and phone number, together with information about how you use our services, such as the pages you visit and the products you purchase.
This data will be used to communicate with you about our services and to improve our services. We will not share your data with any third parties without your consent.
You have the right to access, correct, and delete your personal data. You also have the right to withdraw your consent to processing your personal data at any time.
To exercise your rights, please contact us at [dataprocessing@xyz.com]
If you have any complaints about how we are handling your personal data, you can contact the Data Protection Board of India at [website address].
3. Can an organization process data without obtaining consent from a data principal?
Ans – Yes. The Act recognises a limited set of "legitimate uses" for which consent is not required. Processing without consent is permitted only under one of the following categories:
◉ For specific purposes where the individual has voluntarily provided their personal data and has not indicated that they do not consent to the use of their personal data.
◉ For employment purposes or to protect the employer from loss or liability, such as to prevent corporate espionage, maintain the confidentiality of trade secrets, intellectual property, or classified information, or to provide any service or benefit sought by an employee.
◉ To fulfill an existing legal obligation to disclose information to the state or any of its instrumentalities, subject to the processing being per the information disclosure requirements under any law in force.
◉ To respond to a medical emergency involving a threat to life or immediate threat to health.
◉ To take measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health.
◉ To take measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.
4. My organization qualifies as an MSME/Start-up. Do I have to follow these rules, too?
Ans – The obligations of a data fiduciary apply uniformly, irrespective of whether the organization is an MSME or a start-up. However, the Central Government may, by notification, exempt certain classes of data fiduciaries, including start-ups, from specified provisions of the DPDP Act, having regard to the volume and nature of the personal data they process. Unless such a notification covers your organization, assume the full set of obligations applies.
5. I suspect there has been a data breach in my organization. What should I do?
Ans – The Act defines a personal data breach broadly: any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. If such a breach occurs, your organization must notify the DPBI, describing the nature of the personal data affected, in the form and manner prescribed under the Act. Your organization is also responsible for informing each affected data principal of the breach. Note that the obligation applies whether the breach was caused by an external attacker, an insider, or an accident, and that failing to notify is itself penalised separately from failing to prevent the breach (see question 6).
6. What kind of penalties are levied for non-compliance with the Act?
Ans – The penalties imposed depend on the severity of the issue. Here is a breakdown:
| # | Non-compliance | Maximum penalty |
|---|---|---|
| 1 | Failure of a data fiduciary to take reasonable security safeguards to prevent personal data breaches | Up to ₹250 crore (₹250,00,00,000) |
| 2 | Failure to inform the DPBI or the affected data principals about a personal data breach | Up to ₹200 crore (₹200,00,00,000) |
| 3 | Failure to adhere to any voluntary undertaking given to the DPBI | Up to the penalty applicable to the breach that prompted the proceedings under the DPDP Act |
| 4 | Breach of any other provision of the Act or the rules made under it | Up to ₹50 crore (₹50,00,00,000) |