The forthcoming Digital Personal Data Protection Bill, 2023 incorporates several significant amendments aimed at enhancing data protection and privacy in the digital environment. Data experts, compliance experts, and cybersecurity professionals need to be aware of these changes, as they will have a significant impact on data protection practices and compliance requirements. This article examines the Digital Personal Data Protection Bill’s main provisions and their implications for various parties.
I. Definitions: Increasing Scope and Unclearness
The DPDPB modifies its definitions in significant ways. Notably, through notification, the age of minors can now be lowered below 18 years old, raising questions about the appropriate age limit for data protection. The inclusion of guardians of disabled individuals as Data Principals is a commendable step towards a more comprehensive protection framework. However, the lack of a precise definition of “Public Interest” leaves room for interpretation and may result in compliance ambiguity.
II. Implementation: Eliminating Exceptions
The DPDPB does away with exclusions for the processing of non-automated personal data, inactive personal data processing, and data that is at least one hundred years old. This aims to ensure that all methods of data processing and historical records are subject to the same data protection requirements.
III. Deemed Consent: Restricting Processing Justifications
With “Public interest” and “Legitimate interest” eliminated as acceptable reasons for the processing of Personally Identifiable Information (PII) under the principle of implied permission, data stewards are now required to rely on explicit consent in order to process personal data. This improves both the protection of individual data rights and the transparency of data processing.
IV. General Data Fiduciary Obligations: Accuracy, Completeness, and Consistency
Data stewards are now required to ensure that the data they acquire is not only accurate and comprehensive, but also consistent. This provision emphasizes the importance of data veracity throughout its entire lifecycle and promotes more effective data management practices.
V. Children’s Data: Promoting Responsible Handling
To encourage the responsible management of children’s data, the DPDPB exempts Data Fiduciaries from certain parental consent, tracking, behavioral monitoring, and targeted advertising obligations. This seeks to strike a balance between protecting the privacy of children and encouraging innovative data use.
VI. Changes to Data Principal Access and Exemption Rights
Changes have been made to the right of access to data, including the exclusion of affirmation of data processing by the Data Fiduciary. In addition, certain rights under particular clauses may not apply when data are collected for the purpose of preventing, detecting, investigating, or prosecuting crimes or cyber incidents. This emphasizes the significance of comprehending the context of data processing and its effects on individual rights.
VII. Data Principal Obligations: Reduced Information Requirements
The DPDP Act eliminates the requirement that data subjects provide only verifiably authentic information when exercising their right to rectification or erasure. While this may expedite the process, it raises concerns regarding data integrity and the potential for the provision to be abused.
VIII. Cross-Border Data Transfer: Adaptability and Restriction
Under the new requirements, data may be sent to other countries unless the Central Government forbids the transfer or another law requires a higher level of data protection. In either of these cases, the transfer would be in violation of the new provisions. This strikes a balance between the need for international data flow and the concerns regarding data privacy and national security.
IX. Valid Interest: Expanded Scope and Exemptions
The definition of “legitimate interest” has been expanded by the DPDPB to encompass procedures for mergers and acquisitions, demergers, as well as evaluating the financial information, assets, and liabilities of individuals with debt claims. In addition, the Central Government has the ability to notify certain Data Fiduciaries or classes that they are exempt from specified regulations on the basis of the amount and nature of the data processing. This may include startup companies.
X. Punishment: Enhancing Enforcement
The DPDPB proposes to increase enforcement and responsibility for data breaches and violations by removing the maximum penalty cap and adding penalties for the transgression of voluntary undertakings.
The Digital Personal Data Protection Bill, 2023 introduces changes that seek to strengthen data protection, privacy, and accountability. As data experts, compliance professionals, and cybersecurity specialists, it is essential to remain informed of these amendments to ensure a safer and more secure digital environment. Understanding the implications of the DPDPB will assist organizations in adapting their data protection practices and remaining compliant with the ever-changing regulatory environment. Let’s adopt these changes collectively to protect data rights and promote responsible data management practices.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises stay compliant with various regulations such as the DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, we offer dedicated support through our Support Center to ensure customers have the assistance they need to achieve their compliance goals.