In August 2023, India’s Digital Personal Data Protection Act (DPDPA) passed through the final stages of approval after several years of debate, amendments, and negotiations, giving the world’s most populous nation a comprehensive privacy law. More recently, the government has signaled it will give businesses about six months to comply with its requirements.
The DPDPA establishes guidelines for businesses handling and processing data, as well as rights for individual citizens of India. The bill aims to provide a framework for the Data Protection Board (DPB) to enforce compliance with the law, prevent cross-border data transfers, and impose penalties for data breaches.
In the time since the law's passage, the government has apparently been busy translating the law into regulations: the minister of state for electronics and IT, Rajeev Chandrasekhar, indicated that the government is "ready with all rules and ready to notify the [DPB] soon." The six-month window to start enforcement is fairly aggressive compared with other governments, which have given businesses a year (or years) to comply.
Organizations holding data have several obligations they must fulfill under DPDPA:
- Transparency about data collected and its purpose
- Informed consent prior to collecting data (and the ability to withdraw consent)
- Obligation to attempt to ensure accuracy and completeness
- Adequate security measures for data held
- Data retention only as long as required for the intended purpose
- Data breach notification to the DPB and individuals affected
- Data sharing restrictions
Larger organizations must also appoint a data protection officer and independent auditor.
Individual rights established by the DPDPA include:
- Right to information about data held and how it is processed
- Right to withdraw consent for processing or sharing with third parties
- Right to correction and erasure of personal data
- Right of grievance redressal, or in effect, a private right of action for violations
The DPDPA 2023 was enacted after more than a decade of effort to adopt a comprehensive data protection regime for India. The act sets out the substantive requirements of a horizontal framework; the specific rules and enforcement timelines still waiting to be notified will reduce uncertainty. The MeitY Minister has indicated that the sunshine period won't be as long as the 24 months organizations got for the GDPR. For certain provisions, the government may not grant more than six months to demonstrate compliance, a wake-up call for organizations that haven't yet embarked on their data protection governance journey. Privacy compliance is on the board's agenda now. Gap assessments, process and legal consulting, technology integration and optimization, and audits will all help organizations develop and mature their practices so they can achieve, and demonstrate, compliance with the DPDPA.
One of the most important elements of a functioning data privacy program is data retention—namely, deleting data after it is no longer needed or used. Learn how a variety of regulations in India set out requirements for data retention in our recent whitepaper, Data Retention and Erasure in India.