What is the DPDP Act?

The Digital Personal Data Protection Act is a law that focuses on how personal information is handled by organisations.

It sets rules to ensure that both businesses and individuals respect and protect personal data. It grants individuals more control over their data and outlines responsibilities for organizations to handle personal information responsibly and transparently.

How much time will the government give businesses to comply?

The government will provide a transition period for businesses to adapt to the new law. During this time, companies can understand the requirements and make necessary changes to their processes. There are certain media statements by the Minister that the rules will be implemented in a series of phases, gradually becoming enforceable over time.

What are the penalties for non-compliance?

Non-compliance with the Act can result in fines that may extend up to INR 250 crores for each instance. Factors such as nature, severity, impact and duration will be taken into consideration before imposing the penalty. 

What is a Data Protection Board?

The Data Protection Board is an authoritative body responsible for overseeing and enforcing the Act. It ensures that companies follow the rules and practices outlined in the Act.

Based on the nature of my business, how soon will I be prone to an audit?

Audit timing can vary based on factors like the scale and type of data processing your business conducts. The Data Protection Board will assess when audits are necessary.

What is personal data?

Personal data refers to information that can identify an individual, like their name, phone number, email, address and more.

What is sensitive data?

Sensitive data, often called "special categories," includes health information, nationality, health records, payment information, food allergies, travel patterns & preferences, racial or ethnic details, religious beliefs, and other sensitive aspects of an individual’s life. 

What is a data breach?

A data breach is an act of any personal information leaking out of the organization such as KYC details, card details in an unauthorized manner which may lead to its exposure or misuse.

Who is a Data Protection Officer, and do we need to appoint one?

A Data Protection Officer commonly knows as a DPO oversees data protection efforts within a company. While not all businesses need a DPO, those engaged in significant data processing are required to appoint one by the Act.

We have spent on GDPR, do we need to re-start again on this junction?

The experience gained from GDPR can be valuable, as it shares common principles with the DPDPA. While you won't start from scratch, adjustments in practices will ensure compliance with the DPDPA's unique requirements.

When does the Act become effective?

The Act doesn't specify an implementation period but mentions that its provisions will become effective on dates set by the Government. There are speculations that the implementation of the law might take around 6 - 10 months

How does the Act address the extra-territorial effect, especially for businesses operating internationally?

The Act acknowledges the extra-territorial effect by regulating the processing of personal data outside of India if it involves individuals in India. This means that even if your business is located outside India but collects or processes personal data of individuals in India, it would need to adhere to the Act's requirements.

How will the Act impact my business's data collection and processing practices?

The Act will require your business to adhere to stricter guidelines for collecting, processing, and storing customer data. You'll need to ensure that you have explicit, free, specific, informed consent of an individual with a clear affirmative action for collection of their data. You will also need to provide clear notices about how their data will be processed.

What steps should my business take regarding data that was collected before the Act came into effect?

Provide Data Principal with a notice detailing the purpose of collected personal data, giving them opt-out option & ways to exercise their rights and how to lodge a complaint with the Data Protection Board. 

Do I need to make significant changes to my current data handling procedures to comply with the Act ?

Depending on your current practices, you might need to re-align processes. This could include reviewing your consent mechanisms, updating privacy policies, and enhancing data security measures.

What criteria determine who or what qualifies as a Significant Data Fiduciary (SDF) under the Act?

Data Fiduciaries who deal with high volumes of data, sensitive personal data considering factors like data scale, risk to rights, impact on India's integrity, electoral democracy, state security, and public order.

If my business qualifies as a significant data fiduciary, what do I need to do?

If you qualify as an SDF, you'll need to appoint a DPO, an Independent Data Auditor and facilitate Data Protection Impact Assessments.

Why is the role of a Consent Manager introduced in the Act, and what is the concept behind it?

A "Consent Manager" will be a registered individual who serves as a central contact. He shall facilitate data principals in providing, managing, reviewing, and withdrawing consent using a user-friendly, transparent, and interoperable platform.

Aspects like Accountability, Registration regarding Consent Manager is left for rulemaking as a delegated legislation

How can I ensure that third-party service providers I use, such as cloud storage or marketing tools, also comply with the Act?

Signing a valid contract is mandatory for engaging a Processor. You'll need to include DPDPA compliance clauses in your contracts with service providers. They should adhere to the same data protection standards to safeguard your customers' data

How will the Act impact cross-border data transfers for my international business operations or service providers?

Cross-border data transfers are permissible under the Act, if they're not directed to restricted countries. The Central Government will notify specific countries or territories via a proposed blacklist.

What immediate step should I take in the event of a data breach as per the provisions of the Act?

As an immediate step, the Act requires you to notify the Data Protection Board and affected Data Principals promptly in the prescribed manner. 

Could you explain the reporting structure and appeals mechanism established by the Act?

The DPDPA features the Data Protection Board for compliance oversight. If unsatisfied with the Board's decision, individuals can appeal to the Appellate Tribunal for further review.

How will the Act influence my current marketing strategies, particularly personalized marketing efforts?

Personalized marketing practices will need to align with the Act's consent and notice requirements. You'll likely need to review and modify your marketing strategies to ensure that data processing is transparent and in line with individual preferences.

What steps can I take to educate my employees about data protection and their role in Act’s compliance?

Conduct training sessions and elevate employee awareness through training, workshops, seminars, and certifications to educate your employees about data protection principles, their responsibilities, and the importance of adhering to the DPDPA's regulations.

What are the specific security measures that we need to implement to comply with the Act?
  • Using strong passwords and security measures to protect their computer systems.
  • Encrypting personal data when it is stored or transmitted.
  • Implementing access controls to restrict access to personal data to authorized individuals.
  • Conducting regular security audits to identify and address security vulnerabilities.
How do we ensure that we are compliant with both the Indian DPDPA and the GDPR at the same time?
  • Review their data collection, storage, and use practices to ensure that they are compliant with both the laws.
  • Implement appropriate security measures to protect personal data from unauthorized access, use, or disclosure.
  • Put in place a process for individuals to access, correct, or delete their personal data.
  • Communicate changes of your businesses' data privacy practices to your customers and employees.
How will the introduction of the Act impact our business practices, considering that we are already in compliance with GDPR?

While your business may already be aligned with GDPR regulations, the introduction of the DPDPA might bring about some adjustments in your operational procedures. Although the two regulations share similar principles, the DPDPA could potentially entail specific provisions such as appointing a Consent Manager, making available the right to nominate to the individuals, the enforcement authority is two tiered, there is a special category known as Significant Data Fiduciary with additional obligations to comply, appointment of an independent data auditor, breach reporting notification to both individuals and authority amongst many others. 

How do large entities manage their roles as data fiduciaries and processors across multiple businesses?

Large entities adapt their roles based on context. For instance, they might be a data fiduciary in one business, sharing data fiduciary duties in a partnership, and a data processor in another parallel venture. An example could be a tech conglomerate that operates its social media platform as a data fiduciary, collaborates with a marketing agency as a joint data fiduciary, and offers cloud services as a data processor. Each role involves distinct responsibilities and compliance measures.

Are there any certifying Authority’s that certify for GDPR/CCPA/ DPDPA etc who are the certifying bodies?

The GDPR only allows for data processing activities to be certified, not organizations, products or services. For that reason, Europrivacy as a scheme allows controllers and processors to certify that a number of selected data processing activities are in compliance with the GDPR. Two organisations that currently undertake these are https://www.timelex.eu/en/europrivacy & https://www.sgs.com/en/services/europrivacy-certification

There are different certifying authorities for different data protection regulations. For example, for GDPR, the *CNPD* (the Luxembourg data protection authority) has developed a certification mechanism called *GDPR-CARPA https://edpb.europa.eu/news/national-news/2022/cnpd-adopts-certification-mechanism-gdpr-carpa_en 

Will these certifying bodies certify DPDPA?

The certifying bodies for GDPR and CCPA are not authorized to certify DPDPA. The DPDPA will have its own certification mechanism may or may not be administered by the Data Protection Board, which is yet to be established. 

Customer data collected in the order database is permanently anonymized. Now if customer queries and exercises the right to erasure. How will we identify which data to be erased

Even though customer data is anonymized in the order database, a unique identifier or token is usually retained to manage the data. When a customer requests erasure, this identifier can be used to locate and delete the associated anonymized data. This process ensures compliance with the erasure request while maintaining the integrity of the anonymization process.

If the data collected is used for identifying the preferences of the customer on the items in the menu, while no Personally Identifiable Information (PII) is captured/retained, will consent be required from the customer?

Generally, when collecting and using non-PII data solely for the purpose of identifying customer preferences, explicit consent may not be necessary.

Can a DF / SDF opt not to have a consent manager?

From the Bare text of the Act, it appears as though this may be a mandatory requirement for Data Fiduciary's. Detailed guidelines regarding Consent Manager will be established through subsequent rule-making and delegated legislation. 

Can a consent manager be within the organization or has it to be necessarily independent?

As per the law, a consent manager must be an individual registered with Data Protection Board, serving as a central point of contact for data principals. The requirement also emphasizes transparency and interoperability. This leaves room for interpretation whether it involves an individual appointment alongside an interoperable platform, including automated tools.

If the data collected is anonymized and used for behavioral tracking, demographic analysis and no PII is kept. Will the law be still applicable on them? Can the customer identify we are using their data?

In cases where data is truly anonymized and devoid of Personally Identifiable Information (PII), the law might not be applicable. Since the data cannot be linked to individuals, customer identification through this data would not be feasible

Company has franchisee model. There is a Point-of-sale software owned by third party. The data is accessible by all. Whether the law will be applicable on the franchisee as well.

Franchisees, handling customer data via shared software, could fall under legal obligations as data processors or controllers. While the software ownership is third-party, both the company and franchisees might share responsibilities to ensure compliant data handling.