Digital Personal Data Protection Bill (DPDP Bill) 2023, a much-needed legislation in India

As this long-awaited and much-needed legislation moves towards enactment, I would like to give a brief overview of the Digital Personal Data Protection Bill (DPDP Bill): what it expects of organisations, why it is needed, and how it benefits the individual whose personal data is at stake. The bill has been drafted to protect personal data in a digital age in which the threats and risks to that data have grown sharply in the recent past, and the Government of India is treating it as the foundation of a robust privacy culture. The bill applies to personal data in digital form, that is, data about an individual who is identifiable by or in relation to that data, whether it was collected online or collected offline and later digitised, and it makes lawful processing of that data conditional on the consent of the individual (the Data Principal) or on one of the specific legitimate uses the bill enumerates.


The widespread adoption of the internet and digital technology in India has created the need for a strong data protection law to safeguard the privacy and security of every individual's personal data. The bill is built around two sides of one relationship: on one side, the rights and duties of the individual whose data is processed (the Data Principal), and on the other, the obligations of the entity that decides the purpose and means of processing (the Data Fiduciary) to process the collected data lawfully. The bill sets out the core principles that govern the use of personal data, the rights and duties that flow from them, and the concrete obligations it places on businesses.

On August 3, 2023, the Digital Personal Data Protection Bill, 2023 ("DPDP Bill") was introduced by the Central Government in the Indian Parliament. The bill covers digital personal data only; it does not apply to non-personal data. Once enacted, it will omit Section 43A of the Information Technology Act, 2000 ("IT Act") and supersede the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), which until now have been the main statutory basis for personal data protection in India. The main objective of the bill is to establish a single legal framework governing the collection, storage, processing, and transfer of personal data by individuals, organisations (both private and public) and any other stakeholders operating within India.

Personal data may be transferred for processing outside India except to countries that the Central Government restricts by notification, and the burden of any violation falls on the Data Fiduciary, which remains responsible for the processing even where it has engaged a Data Processor. The bill is built on consent before personal data is collected and processed, and it backs that with stringent penalties: under the 2023 bill, failing to put in place reasonable security safeguards to prevent a personal data breach (which the bill defines to include accidental disclosure, sharing, alteration, destruction or loss of access to personal data) can attract a penalty of up to ₹250 crore, down from the ₹500 crore ceiling proposed in the November 2022 draft. Hence it is very important for every entity, private or public, to build a security posture that meets the DPDP requirements and core principles.

The bill rests on seven core principles governing the collection and use of personal data of individuals in India:

  1. Consented, lawful and transparent use of personal data.
  2. Purpose limitation: data is used only for the purpose for which it was collected.
  3. Data minimisation: only the data needed for that purpose is collected.
  4. Data accuracy.
  5. Storage limitation: data is retained only as long as the purpose requires.
  6. Reasonable security safeguards.
  7. Accountability, enforced through adjudication of breaches and penalties.

The bill places strict obligations on Data Fiduciaries and prescribes penalties for any non-compliance, whether that is misuse of personal data or failure to follow the core principles. Its reach is not limited to India: it also covers the processing of digital personal data outside India where that processing is connected with offering goods or services to individuals within India. An organisation anywhere in the world that handles the personal data of people in India is therefore expected to meet the DPDP requirements.

The bill proposes a penalty of up to ₹200 crore where a Data Fiduciary fails to notify the Data Protection Board and the affected individuals of a personal data breach without delay. Failure to implement reasonable security safeguards to protect personal data carries a penalty of up to ₹250 crore. The bill provides only monetary penalties for breaches and non-compliance; its schedule ranges from ₹50 crore for breaches of other provisions up to the ₹250 crore ceiling, with the amount in each case fixed by the Board after inquiry. The ₹500 crore maximum that was widely reported belongs to the 2022 draft and was lowered in the 2023 bill.

The DPDP Bill takes data breaches seriously and places firm obligations on Data Fiduciaries to reduce breaches, which have risen significantly in the recent past. The duty to notify the Data Protection Board and the affected individuals without delay sits with the Data Fiduciary, which is responsible for the processing done on its behalf by any Data Processor it engages; the fiduciary's contract with the processor must therefore ensure that a breach detected on the processor's side reaches the fiduciary quickly enough to meet that obligation.

Rights of the individual (the Data Principal) under the bill include:

  1. The right to know whether their personal data is being processed.
  2. The right to know where their data is stored and for how long it is retained.
  3. The right to know what data is collected and for what purpose it will be used.
  4. The right to know with whom it is shared and for what purpose.
  5. The right to have their personal data corrected, completed, updated or erased.
  6. The right to refuse or withdraw consent for any processing based on consent.

If an individual is not satisfied with the way their personal data is being processed, they may raise a grievance with the Data Fiduciary and, if it is not resolved, file a complaint with the Data Protection Board.

How to Get Prepared?

The DPDP bill establishes compliance requirements and legal obligations for protecting personal data from misuse and breaches. Every organisation and business that processes personal data will need to meet these obligations. The bill centres on obtaining valid consent for data processing, maintaining data accuracy, implementing reasonable security safeguards, and establishing mechanisms for breach notification. Non-compliance can result in heavy penalties as well as legal and reputational damage.

It is very important for organisations to monitor updates and guidance from the Data Protection Board and the relevant authorities on how the law will be interpreted and enforced, so that compliance keeps pace and breaches are prevented. A strong governance structure is needed to sustain compliance over time and to address any specific concerns or gaps in the organisation's current security posture.

The upcoming enforcement of the Digital Personal Data Protection Bill 2023 marks a significant step towards protecting personal data and securing privacy rights for individuals in India, while placing responsibility on businesses to improve their data protection practices. Businesses may initially see it as a burden because of the potential fines and added obligations, but the bill aims to balance privacy protection against innovation and economic development. Embracing these measures will not only ensure compliance with the law but also strengthen trust between organisations and their customers, fostering a healthier data ecosystem in the long run.

Disclaimer:

“The views and opinions expressed by Kavitha in this article are solely her own and do not represent the views of her company or her customers.”

About the Author:


Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO | PCSM | PDPP

Tata Consultancy Services


Ms. Kavitha Srinivasulu has over 20 years of experience focused on Cybersecurity, Data Privacy and Business Resilience across the BFSI, Financial Services, Retail, Manufacturing, Healthcare, IT Services and Telecom domains. She has demonstrated core expertise in Risk Advisory, Business Consulting and Delivery Assurance, with diverse experience across corporate and strategic partners. She is a natural leader with the versatility to negotiate and influence at all levels.

The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are her own and do not represent the views of her company or of any of her customers.

Ms. Kavitha Srinivasulu holds the following licenses and certifications:

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at:

LinkedIn: https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/
