The DPDP Act isn’t just another checkbox in your compliance list. It’s a fundamental shift in how businesses are expected to collect, process, and store digital information. Think of it as India’s GDPR, only for digitally collected data.
“THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023) [11th August, 2023.]
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”
– MINISTRY OF LAW AND JUSTICE (Legislative Department)
The Digital Personal Data Protection (DPDP) Act, 2023 applies to the processing of digital personal data within the territory of India, whether collected online or collected offline and later digitised.
It also applies to the processing of digital personal data outside the territory of India if that processing is connected with offering goods or services to individuals within the territory of India.
It does not apply to personal data that is made publicly available or that is processed by a person for personal or domestic purposes.
“Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
“Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
“Data Fiduciary” means any person or company who collects and determines the purpose of personal data.
“Data Principal” means the individual to whom the personal data relates. Where such individual is (i) a child, it includes the parents or lawful guardian of such a child; (ii) a person with disability, it includes her lawful guardian, acting on her behalf.
“Data Processor” means any person who processes personal data on behalf of a Data Fiduciary.
“Digital personal data” means personal data in digital form.
“Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
According to this Act, a person or company (the Data Fiduciary) may only use an individual’s (the Data Principal’s) personal data if it has their informed consent, follows the provisions laid down in this Act, or has a valid legal reason.
Before collecting data, the Data Fiduciary must tell the person what data is being collected, why it is being collected, and where to reach out in case of a complaint or query. Consent must be clear, specific, and easy to withdraw.
If someone gave consent before this Act was published, they must be informed, and their data can still be used unless they withdraw that consent.
“Data can also be used without consent in certain situations—like for government services, emergencies, or employee safety.”
Companies must protect the data and delete it when it is no longer needed. In case of a data breach, the affected individual and the authorities must be notified within 72 hours of the breach. If they share the data or use it to make decisions about someone, they must ensure it is accurate.
For minors (under the age of 18), parental or guardian consent is mandatory.
Individuals have the right to access their information, including how many Data Fiduciaries have their data and a description of it, along with any additional information that may be related to the data.
Note: This right does not apply if the data is shared with law-authorised entities for purposes like crime prevention, investigation, or prosecution.
They can request to change, correct, or delete their data unless it is required for legal purposes. They may also nominate someone to exercise their rights in case of death or incapacity (due to mental or physical reasons).
| Sl. No. | Breach of provisions of this Act or rules made thereunder | Penalty per breach |
|---|---|---|
| 1 | Not implementing security safeguards to protect personal data | Up to ~ ₹250 Crore |
| 2 | Failure to notify of a data breach | Up to ~ ₹200 Crore |
| 3 | Non-compliance with child data protection rules | Up to ~ ₹200 Crore |
| 4 | Non-compliance by Significant Data Fiduciaries | Up to ~ ₹150 Crore |
| 5 | Violation of individual duties | Up to ~ ₹10,000 |
| 6 | Breach of voluntary undertaking | Up to the extent applicable for the breach |
| 7 | Breach of other provisions or rules | Up to ~ ₹50 Crore |
At TM System, we understand the complexity and responsibility that come with managing personal data. Our expertise lies in evaluating your IT infrastructure, data handling practices, and internal protocols to assess whether your organization is compliant with the Digital Personal Data Protection Act, 2023.
We analyse how your organization collects, stores, processes, and secures personal data, and whether your processes align with the required legal obligations. From identifying gaps in your security safeguards to ensuring proper breach notification protocols, we offer a comprehensive compliance check tailored to your operational reality.
In a digital-first world, non-compliance is a reputational, financial and operational liability. TM System empowers your business to navigate this compliance minefield with confidence. Partner with us to safeguard your organization, maintain trust with your stakeholders, and stay ahead of evolving regulatory demands.
Read the full text of the Act here:
https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf