https://www.linkedin.com/pulse/demystifying-indias-newly-released-dpdpa-act-comprehensive-kb
SabariKumar KB
CISSP, CCSP, CIPT & ISO 27001K LA Certified IT Security, Privacy, Risk Management Professional, Cyber Security Mentor & Mentee
Published Aug 13, 2023
Introduction
In recent times, data privacy and protection have become paramount concerns globally, prompting nations to enact comprehensive legislation to safeguard individuals' personal information. India has joined the ranks of such nations with the approval of the Data Protection and Privacy Act (DPDPA). Approved recently, this act aims to establish a robust framework for data protection in the country, setting guidelines for data processing, consent management, cross-border transfers, and penalties for non-compliance.
Who does it apply to?
The DPDP Act applies to both government and private entities engaged in data processing activities, ensuring comprehensive coverage across sectors. Notably, it applies to entities operating within India as well as to those processing data relating to individuals within the country even when the processing takes place outside its borders, provided the processing relates to offering goods or services to individuals within India or to monitoring their behavior. This expansive scope ensures that individuals' data rights are respected across a wide array of scenarios.
Grounds for Processing
Under the DPDPA, personal data can only be processed under specific grounds (the law provides 6 legal bases for processing), including the necessity for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, performance of a task carried out in the public interest, and legitimate interests pursued by the data controller or a third party.
Consent Management
Consent is central to the DPDPA, which emphasizes obtaining explicit and informed consent from data subjects. Consent is the linchpin of lawful processing: it must be freely given, specific, clear, and revocable, and individuals must be informed of the purpose, nature, and consequences of the data processing. Sensitive personal data carries even more stringent requirements, including obtaining explicit consent and transparently informing data subjects of the processing's purpose and consequences.
Data Protection Impact Assessment (DPIA)
The DPDPA mandates data controllers to conduct a Data Protection Impact Assessment (DPIA) when processing involves high risks to data subjects’ rights and freedoms. The DPIA evaluates potential risks, assesses safeguards, and ensures compliance with the act’s provisions. The results of the DPIA must be taken into consideration when planning data processing activities.
Data Protection and Security
The DPDPA is underpinned by the principles of data protection and security. It enforces the concept of data minimization, requiring data controllers to limit the collection and processing of personal data to what is strictly necessary. Moreover, the act mandates data controllers to ensure the confidentiality, integrity, and availability of the data they process. Adequate safeguards must be in place to prevent unauthorized access, disclosure, alteration, or destruction of personal data.
Cross-Border Data Transfers
Cross-border data transfers are governed by the DPDPA, which requires data controllers to ensure that personal data transferred outside India receives adequate protection. Transfers can take place under specific conditions, including obtaining the data subject’s consent, using standard contractual clauses, or transferring to jurisdictions that are approved as having adequate data protection laws. Additionally, the DPDPA empowers the Indian government to issue orders prohibiting or restricting data transfers to safeguard national interests and security.
Penalties for Non-Compliance
The DPDPA establishes a system of penalties for violations. Depending on the nature of the breach, penalties range from monetary fines to imprisonment for certain offenses; monetary fines can go up to 50 crore INR. These penalties are designed to ensure compliance and deter violations: non-compliance with data protection regulations can carry substantial financial implications, creating a strong incentive for organizations to adhere to the provisions of the act. The act also empowers individuals to seek compensation for harm caused by data breaches or violations of their data rights, further incentivizing entities to comply with the law's provisions.
Conclusion
The Data Protection and Privacy Act (DPDPA) is a significant milestone for India in its journey towards strengthening data protection and privacy rights. By establishing stringent conditions for data processing, introducing consent management protocols, and outlining penalties for non-compliance, the act aims to create a safer and more secure environment for individuals' personal data. As India adapts to the new data protection landscape, it is essential for organizations to fully understand and embrace the DPDPA's provisions to ensure compliance and safeguard the privacy of their users. In adapting to the intricacies of the DPDPA, organizations and individuals contribute to the evolving narrative of data privacy in the digital age.
References
Digital Personal Data Protection Act, 2023 (official PDF).
"Digital Personal Data Protection Bill gets nod from President". The Economic Times, 2023-08-12.
Digital Personal Data Protection Act, 2023 (text).
"Data protection bill passed by Lok Sabha, next stop Rajya Sabha". Moneycontrol, 2023-08-07.
#privacy #cybersecurity #security #technology #dataprotection #compliance #infosec #techcommunity #securityawareness #dataprivacy #india