In an era dominated by digital transformation, the protection of personal data has become a critical concern. India’s Digital Personal Data Protection Act of 2023 (DPDP Act) is a significant legislative milestone in this regard. This is an overview of the DPDP Act, its application, key rules, consent requirements, obligations of data fiduciaries and processors, exemptions, data localization, and other essential considerations for IT/ITeS sector entities.
Application of the DPDP Act:
The DPDP Act is designed to safeguard digital personal data within India. It applies to all digital, or subsequently digitized, personal data processed within the country. Additionally, if personal information (PI) is processed outside India, concerning goods or services offered to data principals within India, the DPDP Act’s jurisdiction extends to such cases as well.
Significant Definitions under the DPDP Act:
The DPDP Act outlines essential roles in the data protection landscape. A Data Fiduciary, either alone or in collaboration with others, determines the purpose and means of processing personal data. On the other hand, a Data Processor processes personal data on behalf of a Data Fiduciary. The individual to whom the personal data relates is termed a Data Principal.
To illustrate, consider a scenario where a healthcare services company (X) collects personal data of an individual (Y) for health-related services. This data is stored and processed by a cloud data storage company (ABC) based on instructions from X. In this instance, X is the data fiduciary, Y is the data principal, and ABC is the data processor.
Consent Requirements:
The DPDP Act emphasizes the importance of consent in data processing. Consent must be free, specific, informed, unconditional, and unambiguous. Ideally obtained through an opt-in manner, consent should be given for each specified purpose of data collection or processing. The notice of consent should be written plainly, available in English or listed languages under the Constitution’s official languages schedule. Importantly, consent should be capable of withdrawal at any time, with the withdrawal process comparable to the process of giving consent.
Significant Obligations of Data Fiduciaries and Data Processors:
Data Fiduciaries are entrusted with ensuring the completeness, accuracy, and consistency of the data they maintain. Consent notices should ideally be in an opt-in manner, with clear mapping of data points against the purpose of PI collection. They must determine the legal grounds for processing, identify data retention periods, and delete data upon achieving the processing purpose or receipt of consent withdrawal.
Data Fiduciaries establish grievance redressal mechanisms, implement robust security safeguards, and facilitate the rights of data principals. Handling consent withdrawals is also a crucial obligation.
In contrast, Data Processors have no direct statutory obligations under the DPDP Act. Their responsibilities are defined contractually with Data Fiduciaries.
Exemptions from the Applicability of the DPDP Act:
The DPDP Act includes exemptions for specific classes of data fiduciaries, such as startups, based on the volume and nature of PI processed. Processing PI in India of foreign data principals under a contract with an entity outside India is exempt from certain requirements, like obtaining consent or providing notice to the data principal.
Identification of Role as Data Fiduciary vs. Data Processor:
Entities in the IT/ITeS sector must determine their role as a data fiduciary or processor based on their activities. For instance, a cloud data storage provider (X) may be a data fiduciary for employee data but a data processor when processing data on clients’ instructions.
Data Localisation:
While the DPDP Act does not impose data localisation restrictions, the Central Government can issue notifications to restrict the transfer of PI by data fiduciaries to countries outside India. Sector-specific regulators’ guidelines, such as RBI’s payment data localisation norms, must also be followed.
Other Key Considerations for IT/ITeS:
Given that data processors operate under contractual obligations, establishing Standard Operating Procedures (SOPs) for data handling, security, and retention is crucial. Both data fiduciaries and processors should formulate SOPs for steps before data deletion or transmission and for incident management, including reporting security breaches to the Data Protection Board of India.
Data processors must have technical and organisational measures, safeguards, and restrictions in place to prevent unauthorized data usage or access. Clear documentation of instructions received from data fiduciaries, especially regarding data principals’ rights, is essential.
Other Considerations:
CERT-IN Guidelines mandate reporting cyber incidents to CERT-IN within six hours. Compliance with sector-specific regulations from entities like RBI, IRDAI, and SEBI is essential.
Conclusion:
The DPDP Act marks a significant step towards ensuring the protection of digital personal data in India. For IT/ITeS sector entities, navigating the intricacies of the Act is paramount. By understanding their roles, complying with consent requirements, and implementing robust security measures, these entities can not only ensure compliance but also build trust in the digital ecosystem. As the digital landscape evolves, staying abreast of updates and guidelines is essential to foster a secure and responsible data environment.
