'Norway, South Africa, and New Zealand are some of the countries that have praised India's new data law. While Norway called it a “landmark” regulation, South Africa said the law offers “invaluable lessons” on how safeguards can be applied in developing nations'.
In the digital age, the sheer volume of data generated, shared, and processed has reached unprecedented levels. From personal information to business transactions, our lives are intricately connected with the digital landscape. With this evolving landscape comes the need to ensure that our data is treated with the utmost security.
Data protection is not just a buzzword but a fundamental right and a critical aspect of modern-day life. It involves safeguarding our personal information from unauthorized access, misuse, and exploitation. The significance of data protection extends to both individuals and organizations, as the misuse of data can lead to identity theft, financial losses, reputational damage, and a host of privacy-related concerns.
India, however, had no specific standalone law on data protection until recently. The use of personal data was regulated under the IT Act, 2000. In this context, the recently enacted Digital Personal Data Protection (DPDP) Act, 2023 marks a significant milestone and a step in the right direction in addressing these concerns.
WHAT IS DPDP ACT, 2023?
“With the advent of Artificial Intelligence and the need for safeguarding privacy, India’s Digital Personal Data Protection bill aspires to set and evolve the framework for businesses to adopt best practices, strengthen data governance and drive responsible data handling. Embracing a ‘Privacy by Design’ approach integrates privacy measures from the inception of the technology or system development, rather than treating it as an afterthought. It fosters a sense of trust amongst stakeholders and can even accelerate growth opportunities.” - Ivana Bartoletti, Global Chief Privacy Officer, Wipro Limited
The Digital Personal Data Protection (DPDP) Act, 2023 is a legal framework introduced in India to safeguard the personal data of individuals and ensure that their data is shared or processed only with their consent. It regulates the processing of digital personal data and outlines various provisions to protect individuals’ privacy in the digital age. This act, designed to regulate the practices of organizations, brings a comprehensive framework to guide personal data handling, processing, storage and accountability of the person/entity processing the personal data.
WHAT DOES DPDP ACT MEAN TO INDIVIDUALS?
“It is necessary to appreciate and comprehend the applicability of the Digital Personal Data Protection Bill, which creates a new framework for personal data security. The bill will bring India one step closer to establishing the law on data privacy and protection. It is being done to serve the greater aim of a Digital Economy. The bill is expected to give people more rights, visibility, awareness, autonomy in decision-making, and control over their data, while also requiring businesses to respect those rights and offer suitable remedies.” - Sujit Patel, MD and CEO, SCS Tech
For individuals, the act brings control over their personal data, thus empowering them. With an emphasis on the right to privacy, individuals gain greater control over how their personal information is collected, processed, and shared. This personal data can be anything that can be used to identify a particular individual, like name, email address, phone number, Aadhaar ID, bank account details, medical records, biometrics, etc.
The data principal, which means the individual to whom the personal data relates, has certain rights specified in the act:
1. The right to access information about the personal data processed.
2. The right to make a request to a data fiduciary (that is, persons, companies and government entities who process data) for correction, completion, updating and erasure of personal data that is no longer necessary for the purpose for which it was processed.
3. The right of grievance redressal.
Along with rights, this act also establishes a few duties for data principals. These duties oblige the data principal not to register a false or frivolous complaint with a data fiduciary or the board; not to furnish false particulars, suppress any material information, or impersonate any other person while applying for a document, service, proof of identity, etc.; and always to provide authentic and verifiable data.
WHAT DOES THIS MEAN TO ORGANIZATIONS?
“In light of the new movement towards data privacy, businesses must be aware of their responsibilities towards their customers’ data protection. Data protection must be balanced with the right equation of fraud detection associated with data. Businesses must be well-equipped to combat the threats of data breaches and ensure their customers’ data is not at risk.” - Dhiraj Gupta, Co-Founder and CTO, mFilterIt
The act’s impact on organizations is equally significant. While this act also intends to enhance Ease of Doing Business and enable India’s digital economy and its innovation ecosystem, it mandates stringent practices for data collection, storage, and processing. Non-compliance with the act’s provisions can result in substantial fines and penalties, urging organizations to prioritize data protection as a fundamental aspect of their operations.
To ensure compliance with the DPDP Act, organizations must:
1. Obtain individuals’ consent before collecting or processing their personal data.
2. Give notice to the Data Principal, informing her of the personal data and the purpose for which it is proposed to be processed.
3. Ensure comprehensive security measures (like encryption, masking) for all personal data.
4. Provide Data Principals with access to their personal data and enable corrections.
5. Provide a grievance redressal mechanism and an officer (Consent Manager) to respond to queries from Data Principals.
6. Erase personal data when it is no longer needed for the specified purpose.
7. Report breaches to the Data Protection Board (to be set up by the Union Government) and the affected individuals.
Apart from these, the DPDP Act introduces further provisions requiring data fiduciaries notified as ‘significant data fiduciaries’ to appoint a data auditor and conduct periodic Data Protection Impact Assessments to ensure a higher degree of data protection.
India's Digital Personal Data Protection Act, 2023 is a step in the right direction towards a commitment to data privacy and security. Its influence on individuals and organizations is profound. However, it is important to note that this act is just the beginning. It still needs enhancements such as including government agencies within its ambit, providing clarity on data localization, specifying the countries with which data fiduciaries can share the data, and determining who can access the data of Indian citizens.
As technology continues to advance, the act will require ongoing enhancements to address emerging challenges. The journey to complete data protection is a continuous one, and this legislation marks a significant stride in the right direction. With collaborative efforts from individuals, organizations, and policymakers, the legislation’s effectiveness will continue to evolve, ensuring a safer and more secure digital future for all.
Our organization’s information security implementation not only equips businesses to comply with the new act but also positions them as leaders in data protection. In India's evolving digital landscape, the importance of information security becomes increasingly apparent. Our comprehensive approach not only safeguards sensitive data but also empowers businesses to navigate complex regulatory landscapes with confidence.
Gorisco has a wide range of experts who are experienced in defining and designing various solutions to help organizations mitigate their risks and resolve their problems.
At Gorisco, our motto is ‘Embedding Resilience’, and we are committed to making organizations and their workforce resilient. Reach out to us if you have any queries, clarifications, or need any support on your initiatives.