Draft Rules for Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act (DPDPA), 2023, represents a major step forward in India’s approach to data protection. Recently, the Ministry of Electronics and Information Technology released the draft rules for public input. Now, let’s explore the key aspects of these proposed regulations.

1. Understanding the Scope of the Act

  • Key Activity: Familiarize yourself with the Act’s extent, especially how it applies to different entities, including those outside India processing data of individuals within India.
  • Explanation: The Act has a broad reach, affecting not just local entities but also international organizations handling data of Indian residents. A thorough understanding of its scope is essential for determining its applicability to your organization.
  • Key Activity: Establish mechanisms for obtaining clear, informed, and voluntary consent for data processing.
  • Explanation: Consent is a cornerstone of the Act. It’s imperative to design consent forms and processes that are transparent, easily understandable, and provide a clear indication of the data subject’s approval.

The Digital Personal Data Protection Act (DPDPA) of 2023 in India signals significant shifts in digital data management. For individuals in compliance and legal roles, comprehending and implementing this Act’s guidelines is paramount. Accordingly, this article aims to elucidate the essential steps and requirements for adhering to the DPDPA’s draft rules, thereby providing a thorough guide for effective adaptation to these changes.

Furthermore, the DPDPA Act sets out new rules that are important for businesses to follow. First, it explains how to handle and keep personal data safe. Then, it requires organizations to get clear permission from people before using their data. This move to stricter data handling rules shows the Act’s focus on data privacy and safety.

3. Upholding Data Principal’s Rights

  • Key Activity: Implement systems to enable data principals to access, correct, and erase their personal data.
  • Explanation: The Act empowers individuals with several rights over their data. Organizations must have procedures to respond to requests for data access, correction, and deletion within stipulated time frames.

Rights of Data Principals

  • Right to Access Information: Individuals can request details on how their data is being processed.
  • Right to Correction: They can update or correct any inaccuracies in their personal data.
  • Right to Erasure: Individuals can request the deletion of their data.
  • Right to Grievance Redressal: They have the right to address grievances related to data processing within 72 hours.
  • Right to Nominate: Individuals can appoint others to exercise their rights on their behalf​

4. Establishing Data Fiduciary Accountability

  • Key Activity: Develop a governance framework that ensures data fiduciaries adhere to principles of transparency, accountability, and fairness.
  • Explanation: As data fiduciaries, organizations must handle data responsibly. This involves setting up policies and practices that are in line with the Act’s requirements, including data minimization and purpose limitation.

Measures for Significant Data Fiduciaries

  • Data Protection Officer: A Significant Data Fiduciary must appoint a Data Protection Officer to handle inquiries about personal data processing.
  • Contact Information: They must publish contact details, including a toll-free number and an email address, for reaching the Data Protection Officer.
  • Impact Assessments and Audits: Regular Data Protection Impact Assessments and audits must be conducted at least annually.

5. Formulating Breach Notification Procedures

  • Key Activity: Create protocols for immediate breach notification and response.
  • Explanation: In case of a data breach, the DPDPA Act mandates prompt reporting. Having a rapid response plan in place is crucial to comply with this requirement and to mitigate potential damages.

6. Special Handling of Sensitive Data

  • Key Activity: Identify sensitive personal data and apply enhanced security and processing measures.
  • Explanation: Sensitive data categories, such as financial or health information, require additional safeguards. Compliance teams should ensure stricter controls and consent requirements for such data.
  • Key Activity: Appoint and train Consent Managers to handle consent-related processes.
  • Explanation: Consent Managers play a pivotal role in managing consent lifecycle. They should be well-versed with the Act’s provisions and capable of ensuring compliance in consent processes.

Consent Managers must:

  • Ensure transparency and interoperability in managing consents.
  • Avoid conflicts of interest to maintain fairness and integrity.
  • Implement robust data security measures.
  • Conduct regular audits to evaluate technical and organizational controls.

Appointment and Service of Board Members

The draft rules outline the formation of a Search-cum-Selection Committee to appoint the Chairperson and Board members. Key points include:

  • Committee Composition: Includes the Cabinet Secretary, experts in relevant fields, and secretaries from various government departments.
  • Eligibility Criteria: Members should have expertise in data governance, law, consumer protection, etc.
  • Terms of Service: Includes salary, allowances, leave, and other terms

8. Reporting and Documentation

  • Key Activity: Maintain detailed records of data processing activities, consent records, and compliance measures.
  • Explanation: Documentation is key for demonstrating compliance. Regular audits and records of consent practices, data processing activities, and breach response protocols are essential.

9. Training and Awareness

  • Key Activity: Conduct regular training sessions for employees about the Act and its implications.
  • Explanation: It’s crucial to emphasize staff awareness for effective compliance. By continuously conducting these training sessions, employees become well-informed about the DPDPA Act, ensuring that they understand and actively participate in upholding its principles.

10. Adherence to Specific Processing Standards

  • Key Activity: Consistently complying with defined standards for processing data, especially for activities like research, archiving, and statistics.
  • Explanation: This aspect of the Act introduces unique standards for select data processing activities. It’s essential to first grasp these detailed nuances and then accurately apply the relevant standards to the corresponding data processing scenarios.

Detailed Provisions and Schedules

The Act includes several schedules detailing various aspects of data processing:

  • Schedule I: Model Notice – Templates for consent notices.
  • Schedule II: Processing by State – Standards for state data processing.
  • Schedule III: Classes of Data Fiduciaries – Outlines different classes, their purposes, and data retention periods.
  • Schedule IV: Exemptions – Lists exemptions for certain classes of data fiduciaries.
  • Schedule V: Research and Archiving Standards – Details for processing data for research, archiving, and statistics.
  • Schedule VI: Terms for Board Members – Specifies terms and conditions for the Chairperson and Board members.
  • Schedule VII: Service Conditions for Officers – Terms and conditions for officers and employees of the Board.

For compliance managers and legal professionals, the Digital Personal Data Protection Act(DPDPA), 2023, presents both challenges and opportunities. By diligently implementing the above-mentioned activities, organizations can not only comply with the DPDPA Act but also build a robust framework for data governance, enhancing trust and transparency with their data subjects. As digital data becomes increasingly integral to business operations, embracing these practices is not just a regulatory mandate but also a strategic asset.

Discover ‘Concur‘ your ally in this journey. It’s more than a tool, it’s your partner in building a future of trust and compliance in the digital world.

Leave a Comment