xIoTz | Managed Cyber Assurance Platform

The Digital Personal Data Protection Act (DPDPA)

July 26, 2024


Introduction

In an increasingly digitized world, the protection of personal data has become a critical concern. India recognized this need and enacted the Digital Personal Data Protection Act (DPDPA) in 2023. Let’s explore this law, what it means, and how it protects people’s online privacy.

What is the India Digital Personal Data Protection Act (DPDPA) 2023?

The DPDPA is a significant law in India that protects people’s privacy online. The Act took effect on September 1, 2023. It affects all organizations that manage the personal data of individuals in India.

What is personal data?

The DPDPA defines personal data as information that can identify a person. This includes their name, ID number, location, or online ID. This expansive definition covers a lot of ground and includes, but is not limited to:

  • Name, address, and method of contact
  • Birthdate and gender
  • Financial data, including credit card numbers and bank account numbers
  • History of online searches and browsing
  • Posts and messages on social media
  • Location information, such as GPS coordinates

Which types of data are covered by DPDPA?

The DPDPA protects personal data processed in India or abroad, regardless of where it was originally collected. Even when processing personal data of Indian citizens takes place outside of India, the Act still applies.

Personal data that is not covered by the DPDPA is:

  • processed in order to support national security or law enforcement
  • processed in order to produce news or creative works
  • processed for family or personal use

Who is a data fiduciary under the DPDP Act?

A “data fiduciary” is someone who decides how personal data is processed, either by themselves or with others. This role is also known as a data controller under some other laws.

A “Significant Data Fiduciary” refers to any data fiduciary or class of data fiduciaries as may be notified by the Central Government.

What protections are there for children’s data under the Indian personal data protection law?

A data fiduciary must obtain verifiable consent from a parent or guardian before processing any personal data from a child or person with a disability.

Additionally, data fiduciaries must not track or engage in behavioral monitoring of children or targeted advertising directed at children.

Rights of data principals

The DPDPA grants individuals several rights with respect to their personal data, including:

  • The right to access their personal data
  • The right to rectification of inaccurate personal data
  • The right to erasure of their personal data
  • The right to restrict the processing of their personal data
  • The right to data portability
  • The right to object to the processing of their personal data

Enforcement and Penalties

The DPDPA establishes a Data Protection Authority (DPA) responsible for enforcement. Penalties for non-compliance can be severe, including fines and imprisonment.

Challenges and Future Prospects

While the DPDPA is a significant step toward data protection, challenges remain:

  1. Awareness: Public awareness about digital privacy rights needs improvement.
  2. Implementation: Effective implementation and enforcement are crucial.
  3. Technological Advancements: As technology evolves, the DPDPA must adapt.

Exclusions

The Act excludes non-automated personal data, offline personal data, and personal data existing for at least 100 years. They have removed the maximum limit of INR 500 crore for penalties.

Currently, we have not included the grievance redressal review provision. The timeline excludes reporting a data breach to authorities within 72 hours. 

Conclusion

The DPDPA is an important law that will greatly affect how organizations handle personal data in India. The Act gives people the choice to decide which personal information they want to share with businesses. It also establishes stricter rules for companies that collect personal information. Businesses that must comply with the DPDPA must take action to make sure they are doing so.

Highlights of the bill 

The law in India will govern the management of digital personal information. This includes information collected online, as well as information collected offline and then converted into digital format. Additionally, it extends to such processing activities conducted outside India, particularly if aimed at offering goods or services within the Indian market.

Processing personal data will be permissible only for legitimate purposes and with the explicit consent of the individual. Some uses of data, like sharing it voluntarily or for government purposes, may not require permission.

Data fiduciaries must ensure they accurately secure data and delete it once its purpose is fulfilled.

The law will give people certain rights, like the right to see information, fix or delete wrong data, and get help with complaints.

Government agencies may not have to follow certain laws if the central government grants exemptions. Authorities typically grant these exemptions for reasons such as national security, maintaining public order, or preventing crime.
