An Introduction to DPDP
The Data Protection Act (DPDP), a sweeping piece of legislation intended to safeguard citizens' personal information, has been approved by the Indian government. The DPDP outlines the rules for collecting, using, and handling personal data in India.
Here are some facts and figures about the DPDP:
- The DPDP was introduced in the Indian Parliament in 2021.
- The DPDP was passed by the Indian Parliament on August 11, 2023.
- According to the Act, it would take effect on the date set by the Central Government in the Official Gazette, with varying dates for different provisions.
- The DPDP will apply to all organizations that collect, use, or process personal data in India.
- The DPDP has been hailed as a landmark piece of legislation that will help to protect the privacy of individuals in India.
| Data Privacy Bill | GDPR | CCPA | DPDP |
|---|---|---|---|
| Applicability | Businesses that process the personal data of EU citizens | Businesses that collect or sell the personal data of California residents | Businesses that collect or process the personal data of Indian residents |
| Scope | Broad scope, covering all personal data, regardless of where it is processed | Narrower scope, covering only personal data that is collected or sold | Broad scope, covering all personal data, regardless of where it is processed |
| Data subject rights | Strong data subject rights, including the right to access, rectify, erase, and restrict processing of personal data | Strong data subject rights, including the right to know what personal data is collected about them, to opt out of the sale of their personal data, and to delete their personal data | Strong data subject rights, including the right to access, rectify, erase, and restrict processing of personal data |
| Data protection by design and default | Requires businesses to implement data protection by design and default | Requires businesses to implement reasonable security measures to protect personal data | Requires businesses to implement data protection by design and default |
| Data transfer requirements | Requires businesses to obtain consent from data subjects before transferring their personal data outside of the EU | Requires businesses to provide data subjects with the right to opt out of the transfer of their personal data outside of the US | Requires businesses to obtain consent from data subjects before transferring their personal data outside of India |
| Enforcement | Strong enforcement mechanisms, including fines of up to 4% of global annual turnover | Strong enforcement mechanisms, including fines of up to $2,500 per violation | Strong enforcement mechanisms, including fines of up to Rs. 5 crore per violation |
Why was the legislation needed?
The DPDP was needed to handle the growing problems with data protection in India. Some of these problems are:
- Lack of a comprehensive data protection law: India did not have a comprehensive data protection law before the DPDP was passed, so there was no clear legal framework for the protection of personal data.
- The number of data breaches is rising: In recent years, India has had several high-profile data breaches, in part because of the widespread use of sophisticated technologies. These breaches have raised concerns about the security of personal data in the country.
- Personal data is increasingly used for marketing and advertising: This has raised concerns about people's privacy and their ability to decide how their data is used. There is also a considerable lack of transparency about the sharing of data with third parties.
- Lack of data protection awareness among individuals and organisations: In India, many people and businesses are unaware of the significance of data protection. As a result, protecting personal data from unauthorised access, use, or disclosure has become challenging.
What does the new law say?
The bill says that "personal data" is any information that can be used to find out who a person is, like their name, address, phone number, or email address. The bill also says what "sensitive personal data" is. This is information that is more private, like a person's financial or health information.
The DPDP gives people a number of rights about their personal data, such as the right to see their data, the right to change their data, and the right to delete their data. In addition, the bill says that personal data can't be processed without the person's consent, except in certain situations.
The DPDP sets the following rules for how personal data can be collected, used, and processed in India:
- Before gathering, utilising, or processing a person's personal data, organisations must obtain their consent.
- Organisations can only use personal data for the purposes for which it was gathered.
- To protect personal data, organisations must use the right security methods.
- People have the right to see their personal data, to change their personal data, and to get rid of their personal data.
- If a person thinks that their personal data has been misused, they have the right to make a complaint with the Data Protection Authority (DPA).
Organization’s Key takeaways from the DPDP Act
The key takeaways from the DPDP are:
- Establishing a Data Protection Authority (DPA): The DPDP creates a Data Protection Authority (DPA) to enforce the law, investigate complaints, and issue fines.
- Review how they collect and process data: This includes identifying the personal data they collect, why they collect it, and how they use it.
- Consent Managers: The DPDP Bill of India, 2022 introduces the idea of consent managers. The Data Protection Board of India (DPBI) must register consent managers. Consent managers must answer to the person who owns the data and act on their behalf.
- Designate a data protection officer (DPO): Organisations with more than 10,000 workers or that handle large amounts of sensitive personal data must name a DPO. The DPO's job is to make sure the organisation is following the DPDP.
- Consent from Individual: Before collecting, utilising, or processing personal data, organisations need consent. Consent must be freely given, specific, informed, and unambiguous. Consent is required only where the data is not used for a legitimate purpose; the Act lists "legitimate uses" for which consent is not needed.
- First-time post-mortem rights are introduced: Individuals can view, correct, and remove their personal data. These requests must be met quickly by organizations.
- Right of individuals to file a complaint with the DPA: Individuals have the right to register a DPA complaint if they believe their data has been exploited. The DPA will investigate and act on the complaint.
- Implement appropriate data security measures: Organisations must implement appropriate security measures to safeguard personal data. This includes taking steps to stop personal data from being accessed, used, shared, changed, or deleted without permission.
To comply with the DPDP, organisations can take some of the following security measures:
- Data encryption: Organisations should encrypt personal data both at rest and in motion. This keeps unauthorised people from reading the data, even if it is stolen or lost. Organisations should also protect data in use by adopting Privacy Enhancing Technologies (PET).
- Access control: Organisations should put in place access control tools to limit who can see personal data and who can't. This might include using passwords, multi-factor authentication, and role-based access control.
- Data breach prevention: Organisations should use security tools like firewalls, intrusion detection systems, and vulnerability scanners to avoid data breaches.
- Incident response: Organisations should have a plan in place to react to data breaches quickly and effectively. This plan should include steps to contain the breach, notify the people who are harmed, and find out why the breach happened.
- Train their employees: Companies should teach their employees about the DPDP and why data protection is important. This training should cover how the organisation collects and uses data, what people's rights are, and what security measures are in place to protect personal information.
How can Fortanix help?
Fortanix is a leading provider of data security solutions. Here are some details about how Fortanix's products and solutions can help organisations prepare for complying with the DPDP:
- Fortanix Data Security Manager Platform: The Fortanix Data Security Manager is a complete solution that can help organisations deal with the DPDP. The platform has many features, such as data encryption, access control, and tracking, that help organisations keep personal information safe.
- Data encryption: The Fortanix Data Security Manager can be used to encrypt personal data at rest, in transit, and while it is being used. This helps keep the data from being accessed, used, or shared by people who shouldn't be able to.
- Fortanix Key Management: Fortanix Key Management is a safe way to store and handle encryption keys. This helps make sure that the keys cannot be stolen even after a breach, so the data they protect stays safe.
- Auditing: The Fortanix Data Protection Platform can be used to check who has access to personal data. This lets you keep track of who has looked at the data and when.
- Fortanix Confidential Computing: Fortanix Confidential Computing is a hardware-based security system that can help organisations protect personal data in use. Confidential Computing keeps private data separate from the rest of the system. This makes it much harder for attackers to get to the data.
Conclusion
For India's data protection, the Data Protection Act (DPDP) is a big step forward. The bill covers a lot of ground and gives people strong rights over their personal data. The DPDP is also likely to be good for the growth of the country's digital economy.
The DPDP says that organisations in India that gather, use, or process personal data should take steps to be in line with it. Fortanix can help companies get ready to follow the law by giving them a complete data protection platform and set of options.
By working together, we can help make it safer and easier for people in India to protect their privacy.
I hope this blog has been informative and helpful. If you have any questions or suggestions, please do not hesitate to contact us.
About the Authors:
Niti Paul, Regional DPO - APAC, Capgemini. As an in-house corporate practitioner, Niti has been instrumental in carrying out regulatory compliance responsibilities globally. She has extensive experience advising clients in matters of misappropriation of confidential business information. She has assisted clients in conducting privacy impact assessments, security risk assessments, defining data classification norms, and laying down comprehensive GDPR compliance procedures.
Nikhil is an innovative avant-garde information security leader & technology evangelist, currently working as Senior Architect with Fortanix & leading large-scale projects focused on Confidential Computing technology, helping clients solve their data security challenges.