India's Digital Personal Data Protection Act (DPDP)

India's Digital Personal Data Protection Act (DPDP) was enacted on August 11th, 2023, making it India's primary law concerning the processing of personal digital data. It will take effect at a date yet to be determined or disclosed as of September 2023.

This article explains what the DPDP Act is, who it applies to, how to comply with it, and penalties for noncompliance.

What is India's Digital Personal Data Protection Act (DPDP)?

India's Digital Personal Data Protection Act (DPDP) works to create a national framework in India that will protect personal data of its residents. It protects the personal data of what it refers to as data principals by restricting and limiting the activities of what it refers to as data fiduciaries. It outlines the rights of data principals and the responsibilities of data fiduciaries.

The opening text of India's DPDP explains that the law was created to protect individuals' rights and to serve as a framework for organizations that process digital personal data:

India's Digital Personal Data Protection Act (DPDP) Definitions

There are a few definitions you will need to know in order to understand who the India DPDP applies to.

Digital Personal Data

Digital personal data is any digital data that can be used to identify an individual. This can include a person's name, email address, mailing address, financial information and many other points of data.

Data Principal

Data principals are the individuals personal data belongs to, including parents of children and guardians of people with disabilities.

A data principal is similar to a "data subject" as defined by the European Union's (EU) primary consumer privacy law, the General Data Protection Regulation (GDPR).

For example, both the mother of an eight-year-old whose information was used to access an online app and the child could be considered data principals.

Chapter 1 of India's DPDP explains who counts as a data principals under the law:

Data Fiduciary

Data fiduciaries are anyone who decides why and how to process (use) personal data. A data fiduciary is similar to a "data controller" as defined by the GDPR.

For example, an Indian food ordering app that collects data principals' personal information to complete orders and uses a third-party to process sales could be considered a data fiduciary.

India's DPDP defines a data fiduciary as any person or group of people who decide the reasons for and methods of processing personal data:

Significant Data Fiduciary

Significant data fiduciaries are data fiduciaries whose data processing activities meet certain criteria.

The Indian government may classify an entity as a significant data fiduciary if it engages in any of the following data processing activities:

• Processes large amounts of personal data
• Processes sensitive personal data
• Processes data that risks the rights of the data principals
• Poses a potential risk to democracy, the security of the state, public order, or India's sovereignty or integrity

Data Processor

A data processor refers to anyone engaged in collecting, recording, organizing, storing, adapting, sharing, disclosing, destroying, or otherwise using personal data. Under India's DPDP, a data processor is anyone who processes personal data for a data fiduciary.

For instance, the owner of a retail business that collects customers' phone numbers for future communications could be considered a data fiduciary. If the company purchases software to organize and store the phone numbers, the software provider could be considered a data processor.

Chapter 1 of the India DPDP defines a data processor as someone who processes personal data at the request of a data fiduciary.

Data Protection Officer

A data protection officer (DPO) is an individual that is responsible for ensuring that an organization has the necessary data protection processes in place to comply with applicable laws.

Under the India DPDP, a DPO is responsible for responding to data principal questions about the processing of their personal data.

Chapter 10 of the DPDP Act explains that a data protection officer is a person appointed by a significant data fiduciary that acts as a point of contact for grievance redressal.

Who Does India's Digital Personal Data Protection Act (DPDP) Apply to?

India's DPDP Act applies to data fiduciaries (including significant data fiduciaries) and data processors who process digital personal data within India. It also applies to organizations that offer products or services to data principals and process digital personal data outside of India.

For example, the India DPDP would apply to a company based in the United States that sells digital courses and markets its services to residents of India and processes their personal data.

Section 3 of the DPDP Act explains that it applies to any organizations that process digital personal data within India or any organizations outside of India that offer goods or services to Indian data principals and process their personal data outside of India:

What Personal Data Does India's Digital Personal Data Protection Act (DPDP) Protect?

India's DPDP protects personal data that is collected:

• In digital form
• In non-digital form and then digitized after collection

What Personal Data Isn't Under the Scope of India's Digital Personal Data Protection Act (DPDP) Protect?

India's DPDP does not apply to:

• Personal data processed by individuals for personal reasons
• Personal data that is made publicly available by the data principals
• Personal data that is made publicly available by others for legal purposes

What Rights Do Consumers Have Under India's Digital Personal Data Protection Act (DPDP) Protect?

India's DPDP gives data principals the following rights:

• The right to know what personal data is being processed and why
• The right to know the identities of data fiduciaries and data processors that have access to their personal data
• The right to know what personal data is shared with third parties
• The right to edit their personal data
• The right to delete their personal data
• The right to redress their grievances (request correction of mistakes)

Sections 12 and 13 of India's DPDP describe some of the rights granted to data principals, including the rights to edit, update, or delete their personal data and the right to have a means for having their grievances redressed:

You should make sure that you have systems in place to honor data principals' rights under the India DPDP.

Checklist: What Do Significant Data Fiduciaries Have to Do to Comply With the India DPDP?

Significant data fiduciaries will be notified by the government that they have been defined as such, and must take specific steps to protect the personal data they process.

1. Significant data fiduciaries must appoint a DPO who:

   • Is based in India
   • Is responsible to the Board of Directors (or similar governing body)
   • Acts as a point of contact for data principals' grievance redressal

2. A significant data fiduciary must also appoint an independent data auditor who:

   • Ensures the significant data fiduciary complies with the India DPDP
   • Conducts periodic Data Protection Impact Assessments (privacy risk audits)

Section 10 of the India DPDP explains the duties significant data fiduciaries must fulfill in order to comply with the law, including appointing a DPO and an independent data auditor and conducting data protection impact assessments:

Checklist: What Do Data Fiduciaries Have to Do to Comply With the India DPDP?

There are several rules a data fiduciary must follow when processing a data principal's personal data.

1. The data fiduciary must only process personal data for which the data principal has given their consent, or for "certain legitimate uses."
2. The data fiduciary must only process personal data for legal purposes.

3. Either before or when requesting consent to process a data principal's personal data, the data fiduciary must provide a notice that informs them of:

   • What personal data will be processed and why
   • How the data principal can exercise their rights(including contact info for a DPO or other authorized individual who can respond to data principal requests)
   • How the data principal can make a complaint to the Data Protection Board

4. Once the data principal has provided consent for processing their personal data, the data fiduciary must notify the data principal as soon as possible of the following:

   • The personal data that has been processed
   • Why the personal data has been processed
   • How the data principal can exercise their rights
   • How the data [principal can make a complaint to the Data Protection Board
5. A data fiduciary must provide a method for data principals to withdraw their consent to having their personal data processed that is at least as easy as the method of giving consent initially.
6. If a data principal withdraws their consent to having their personal data processed, the data fiduciary must stop processing the personal data as soon as possible and have its data processors stop processing the personal data as well.

7. If a data principal has a consent manager (someone appointed by the data principal to act on their behalf), the data fiduciary is responsible for providing proof of the following if a question arises about the processing:

   • That notification was given to the consent manager by the data principal
   • That consent was given by the data principal to the data fiduciary
8. The data fiduciary is responsible for ensuring that both it and any of its data processors comply with the India DPDP.
9. Data processors that process data principals' personal data on behalf of data fiduciaries must have a valid contract in place.

10. The data fiduciary must ensure the accuracy of personal data that it processes that could be:

    • Used to make a decision that would likely affect the data principal
    • Shared with another data fiduciary
11. The data fiduciary must keep the personal data it collects or processes (including that processed on its behalf by contracted data processors) secure from data breaches. If a data breach does occur, the data fiduciary must inform the affected data principal and the Data Protection Board of the breach.
12. The data fiduciary must delete personal data and have contracted data processors delete personal data processed on its behalf. This must be done as soon as possible after a data principal withdraws their consent or after the data serves its initial purpose, whichever comes first.
13. A data fiduciary must publish the contact information for a DPO or its equivalent, who can answer questions from data principals about the processing of their personal data.
14. The data fiduciary must have a process in place for redressing data principals' grievances.
15. Before processing personal data belonging to a child or a person with a disability with a legal guardian, the data fiduciary must obtain consent from the child's parent or the guardian.
16. The data fiduciary cannot process any personal data that could cause harm to a child.
17. The data fiduciary cannot track children's online behavior or engage in targeted advertising directed at children.
18. A data fiduciary must correct, complete, or update a data principal's personal data upon request.
19. The data fiduciary must respond to any requests from the Central Government concerning the personal data it processes.

Chapter 2 of India's DPDP explains that a data fiduciary must first get consent from the data principal before processing their personal data, unless it is for "certain legitimate uses:"

How Do Data Fiduciaries Comply With India's Digital Personal Data Protection Act (DPDP)?

There are several steps data fiduciaries can take to ensure compliance with the DPDP Act, including getting consent, ensuring the accuracy of the data being processed, keeping data safe, and responding to requests.

Maintaining a Privacy Policy is an effective way to meet many of the India DPDP's requirements.

Get Consent

You must get consent from data principals before processing their personal data.You should only process data for legitimate reasons, and must disclose those reasons before requesting consent from data principals.

When requesting consent, you must inform the data principals of the following:

• What personal data you wish to process
• The reasons why you want to process their personal data
• How they can exercise their rights under India's DPDP
• How they can file a complaint

Unless you need to keep personal data for legal compliance purposes, you will need to erase personal data as soon as a data principals withdraws their consent for its use or your purpose for processing the data has been fulfilled.

When users create a TikTok account, they must first confirm that they have read and agree to its Terms and Conditions agreement and its Privacy Policy:

By clicking on the Privacy Policy link, users can find information about what personal data TikTok collects and processes and why, what their rights and choices are, and how they can contact TikTok with questions or concerns:

Ensure Accuracy of Personal Data

In any situation where the personal data you process may be shared with another Data Fiduciary or used in a way that could affect the data principals, you will need to take extra care to ensure the accuracy of the data.

Keep Data Secure

You will need to protect the data you collect and process. That means having technological security measures in place, such as firewalls, antivirus software, and multi-factor authentication.

You may also need to use physical security measures, such as security cameras or guards to protect locations where data is stored.

A data breach is when stored information is accessed or exposed without authorization. In the case of a data breach, you will need to inform the Data Protection Board (the regulating body of the DPDP Act) and any affected data principals.

Citigroup's Privacy Notice describes the safety measures it takes to protect personal information from loss, theft, or unauthorized use:

Respond to User Rights Requests in a Timely Manner

You should offer a way for data principals to submit requests concerning their personal data and respond to those requests in a timely manner.

The India DPDP requires data fiduciaries to publish contact information for a DPO - an individual responsible for monitoring the processing of personal data - or another individual who can answer questions concerning the processing of personal data.

Amazon Web Services' Privacy Notice includes the email address for its DPO, as well as additional contact links:

Take Special Care With Personal Data Belonging to Children

Before processing personal data belonging to a child, the data fiduciary must get consent from the child's parent or legal guardian. Data fiduciaries are not allowed to monitor childrens' online behavior or use targeted advertising directed at children.

India's DPDP Act defines a child as any individual under the age of 18. When a data principal is a child, their parents or legal guardian are also considered data principals.

Chapter 9 of India's DPDP explains how data fiduciaries should handle processing personal data belonging to children:

Maintain a Privacy Policy

One of the simplest ways to comply with the India DPDP is to maintain a Privacy Policy on your website or app. Your Privacy Policy should contain relevant clauses that provide the information required by the India DPDP.

Let's take a look at some of the clauses you can include in your Privacy Policy to help you comply with India's DPDP.

What Personal Data You Process

This clause describes the types of personal data you process, such as names, addresses, or financial or health data. You should mention whether you process sensitive personal data, which is a special category of personal data that can include religious beliefs, race or ethnicity, and sexual orientation.

Tata Group's Privacy and Cookies Policy informs users about the types of personal data it collects, including contact information, profession, academic year, and IP addresses:

Your Reasons for Processing Personal Data

This clause explains why you are processing personal data. You should only process personal data for the reasons explained in this clause.

If you need to process personal data for different reasons in the future, you will need to update this clause to keep it accurate.

Reliance Industries' Privacy Policy describes the reasons it collects and uses information, including to enhance visitor experience, provide services and information, process orders, and respond to requests:

What Third Parties You Share Personal Data With

You should use this clause to list the categories of third parties that you share personal data with.

The Infosys Privacy Statement explains that it shares users' personal information with business partners and service providers, among other third parties:

How You Keep Personal Data Secure

This clause explains the security measures you take to ensure the safety of the personal data you process.

Unilever's Privacy Notice describes the steps it takes to protect personal data, including using encryption and ensuring that third parties agree to keep the information they process on its behalf confidential:

How Data Principals Can Exercise Their Rights

You should explain how data principals can exercise their rights under the India DPDP, including how they can withdraw consent after they've given it.

Aditya Birla Group's Privacy and Cookies Policy lets users know what their rights are concerning their personal data and the email address they can contact in order to exercise those rights:

Your Contact Information

You should include your contact information and DPO contact information within your Privacy Policy so users can contact you with questions or concerns, or to exercise their rights.

ShareChat's Privacy Policy contains contact information for its Grievance Officer, including an email address specifically for police and investigation agencies:

Who Enforces India's Digital Personal Data Protection Act (DPDP)?

The India DPDP establishes the Data Protection Board of India in order to help enforce the requirements of the act.

This Board has supervisory powers and is authorized to investigate complaints of violations of the act and issue fines when appropriate. However, it cannot issue any binding guidance or impose any new or expanded regulations.

What are the Penalties for Not Complying With India's Digital Personal Data Protection Act (DPDP)?

If you are found to be in violation of India's DPDP, you may face financial penalties. The extent of the financial penalties depends on how serious the violation is, how long it lasts, whether it is repetitive, how it affected data principals, and whether you took any actions to try to mitigate the negative effects of the violation.

The Data Protection Board can issue fines of up to INR 250 crore to data fiduciaries that fail to observe their obligations and take steps to safeguard against data breaches.

In the event of a data breach, if the breached company doesn't give the Data Protection Board or affected data subjects notice of the breach, a fine of INR 200 crore can be assessed.

Non-compliance related to children's data can result in a fine of INR 200 crore.

Most breaches under the India DPDP come with a fine of INR 50 crore, but they can be as high as up to INR 10,000 crore in some cases of violations.

Summary

India's DPDP is a law that gives data principals certain rights concerning their personal data and explains what organizations that meet its criteria need to do in order to protect the personal data they process.

The act applies to entities that process digitized personal data within India, as well as organizations outside of India that offer goods or services to data principals located in India.

To comply with the India DPDP, you will need to:

• Inform data principals what personal data you want to collect and why you want to process it
• Get consent before processing personal data
• Only use personal data for legitimate purposes as explained to data principals before obtaining consent
• Ensure the accuracy of the personal data you collect and process
• Keep the personal data you collect and process secure
• Provide a way for data principals to exercise their rights (including a way to withdraw their consent)
• Respond to requests from data principals concerning their rights
• Provide DPO contact information
• Take special care with personal data belonging to children

Entities defined as significant data fiduciaries will need to take extra steps, including appointing an India-based DPO and an independent data auditor, and conducting regular data protection impact assessments.

An effective way to meet the India DPDP's requirements is to maintain a clearly written and regularly updated Privacy Policy.

Your Privacy Policy should contain relevant clauses, including:

• What personal data you process and why
• What third parties you share personal data with
• How you keep personal data safe
• How data principals can exercise their rights (including withdrawing their consent)
• Your contact information and DPO contact information