Six years and four iterations later, the Digital Personal Data Protection Act, 2023 (DPDP Act) in its present form seeks to overhaul the present legal framework governing personal data.

The data privacy regime in India has been based on Section 43A of the Information Technology Act, 2000 and the IT Rules, until now. The need for a separate codified data law has been felt for a while especially when we are all becoming increasingly obsessed with data.

Data is the new oil of the digital economy. Thus, data protection compliance has become a necessary burden. The DPDP Act creates additional and burdensome obligations on data fiduciaries aka the businesses collecting and processing the data.

Contrary to the IT Rules and the EU GDPR, the DPDP Act does not categorise data into ‘sensitive’ or ‘special’ groups. It extends the ambit of the legislation to any digital personal data. This comes with a number of caveats – the dos and don’ts. Luckily for the businesses, the DPDPA will likely come into force in 2024. This transition period may be utilised by the businesses to adapt their compliance with the regulatory directives.

According to DPDPA, businesses need to ensure the accuracy, completeness and consistency of the digital personal data collected. Once the purpose for which the data was collected, stored and retained is completed, the businesses shall have to erase the same at the earliest.

Data Breaches
There is an underlying stern intention of the Government that is very clear from the DPDP Act. The government wants the businesses to ensure that there are no breaches. Not only are there strict penalties, but the government has also left no scope for interpretation or exception. All breaches are to be reported to the data protection board and the individuals so impacted. This is an added obligation upon the fiduciaries who are already required to report any data breach to the Indian Computer Emergency Response Team (CERT-In) within six hours of the breach.

In the event of failure to comply with the said compliances, the organisation could be sanctioned with fines ranging between INR 10,000 to INR 2.5 billion. The said monetary penalty shall be imposed regarding certain factors such as – nature, type, causation, impact, duration, repetition and gravity of the breach. This is a major departure from the extant directive-based regime.

It appears that the authorities have put their foot down that all efforts must be made by the fiduciary to avoid data breaches. If it so happens, the breach must be promptly reported and the failure to do so shall attract hefty fines.

Obtaining consent
As a first step, businesses shall have to screen the vast volumes of information on their repository and map the data that may be considered ‘personal’. Accordingly, the businesses that collect, process and monetise personal data need to ascertain where, how and whose personal information is lodged within their systems.

Thereafter, the notice and consent formalities are to be completed. The data fiduciaries shall need to identify and provide the information as to the purpose of collection and processing of the data in addition to the record of previous consent given by the data principal.

In such a scenario it appears that seeking fresh consent may prove to be a better alternative for organisations with huge databases. The process is indeed taxing but vital to ensure the data principal’s right to privacy is protected and the data is utilised for a lawful purpose, in a lawful manner.

One may note that the organisations are required to apprise the data principals that they have the right to access their data, correct it, modify it, erase it and appoint a nominee on their behalf to exercise these rights. The data fiduciary is obliged to inform the data principals of the manner in which such rights may be exercised. The data principals also have the right to be briefed about the grievance redressal mechanism.

It is pertinent to mention that certain entities or classes of organisations may be notified as Significant Data Fiduciary (SDF) on the basis of the volume and sensitivity of data processed and the risks associated. The SDFs are tasked with additional obligations such as undertaking periodic data protection assessments by an independent data auditor and appointment of a data protection officer who shall be answerable to the Board of Directors.

Thus, businesses shall need to revisit and revise their present policies and user interfaces to comply with the higher compliance burdens. While the DPDP Act places an onerous responsibility on businesses to ensure the highest levels of data protection, it is necessary.

As a result, multiple automated operations that organisations have been performing routinely in regard to digitised data is likely to be regulated as per the DPDP Act. While the Act is yet to be enforced, the businesses can use this transitional phase to align themselves to meet the obligations laid out in the new act, consider improving their IT & cybersecurity systems, and monitor their supply chains and contractual arrangements to meet the new compliance requirements.

Authors: Divya Sharma, Counsel & Trisha Shreyashi, Consultant.