A Look at Upcoming Compliance Regulations in Digital Personal Data Protection Act (DPDPA)
India’s rapidly evolving technology landscape has reached a significant milestone with the introduction and enactment of the Digital Personal Data Protection (DPDP) Act in 2023. This crucial legislation, which complements the Digital India Bill and the draft Indian Telecommunication Bill, focuses on governing personal data in an era of digital transformation.
The rapid progress of the DPDP Act was highlighted during the inaugural Digital India Dialogues session on September 20, 2023, where key industry stakeholders, including representatives from major companies like Meta, Netflix, Dell, Paytm, Microsoft, and Lenovo, gathered to discuss its implementation. The Union Minister for Electronics and Information Technology, Rajeev Chandrasekhar, announced that the rules essential for DPDP Act compliance would be released within the next 30 days, open for public consultation. He stressed the importance of all Data Fiduciaries adhering to the compliance requirements outlined in the DPDP Act.
The DPDP Act introduces several mandatory compliance requirements and delegates much of their detail to the upcoming DPDP Rules. Here, we examine the key compliance prerequisites for organizations under the DPDP Act and the forthcoming DPDP Rules:
Consent Requirements: Section 6 of the DPDP Act mandates the appointment of a Consent Manager to manage, review, and withdraw consent on behalf of Data Principals. Organizations must ensure that their Consent Managers are registered with the Data Protection Board, adhering to the rules prescribed by the central government. Technical, operational, financial, and other conditions related to this registration will also be specified in the DPDP Rules.
Data Breach Incident Compliance: Section 8 of the DPDP Act requires Data Fiduciaries to promptly inform Data Principals and the Data Protection Board in the event of a data breach. Entities must adhere to the form and manner prescribed by the Central Government for notifying the Data Protection Board and Data Principals about data breach incidents.
Contact Details of Data Protection Officer: According to Section 8(9) of the DPDP Act, Data Fiduciaries are obligated to publish the contact details of the Data Protection Officer or any other person responsible for handling queries from Data Fiduciaries regarding data processing. The manner and modes of publishing this information will be determined by the forthcoming DPDP Rules.
Processing of Personal Data of Children: Section 9 of the Act requires consent from parents or legal guardians before children’s data is processed. The DPDP Rules will specify how verifiable consent is to be obtained, and certain Data Fiduciaries may be exempted based on these rules.
Data Protection Impact Assessment: Section 10 of the DPDP Act mandates that Significant Data Fiduciaries conduct a Data Protection Impact Assessment and periodic audits. The DPDP Rules will outline the methods, manner, and description of the DPIA, audit procedures, and other relevant matters.
Data Principal Rights: The DPDP Rules will provide guidance on how Data Principals should exercise their rights concerning the processing of personal data. This will include the process for Data Principals to make requests, how Data Fiduciaries or Consent Managers should respond, and the timeframe for responding to such requests.
Data Protection Board: The DPDP Rules will detail the establishment and functioning of the Data Protection Board, including the appointment of a chairperson and other members, as well as their salaries. The procedures, orders, directions, and instruments of the board will also be specified in accordance with the forthcoming rules.
Penalty for Noncompliance: According to Section 33(1), the Data Protection Board may impose monetary penalties for noncompliance or breaches of the DPDP Act. The penalties will vary based on the nature and gravity of the breach, its duration, repetitiveness, mitigating actions taken, and timeliness and effectiveness of post-breach actions. Penalties will range from 50 crores INR to 250 crores INR.
In conclusion, the DPDP Act and its associated rules aim to ensure trust and security among India’s digital citizens by fostering a culture of behavioral change among entities handling personal data. This transformation necessitates expert guidance and compliance management.
How Tsaaro Consulting Can Help:
Tsaaro Consulting, a pioneer in security and privacy compliance in India, boasts a team of experienced professionals with expertise in technical and legal aspects of compliance. Tsaaro Consulting is well-equipped to assist business entities in navigating the complexities of compliance with the Digital Personal Data Protection Act and other data privacy and cybersecurity regulations. To learn more about Tsaaro Consulting, visit our website at tsaaro.com.
By staying informed and seeking expert assistance, organizations can ensure smooth compliance with the DPDP Act and safeguard the privacy and security of personal data in India’s evolving digital landscape.