An overview of the key developments in the IP and Data Privacy/Data Protection space in India – since January 2023
The Digital Personal Data Protection Act, 2023 (DPDPA 2023) is seen as a major turning point in the field of digital rights. It was passed by both the Lower House (the Lok Sabha) and the Upper House (the Rajya Sabha), and it was signed into law by the president. This landmark law, which puts a lot of stress on privacy, would change how businesses work, give people more power, and start a new era of responsible data management.
The Act protects people’s right to privacy by letting them decide how their personal data is used. It also tells businesses how to handle the personal information they gather.
Key highlights of the act:
- Processing data is legal as long as you have permission and the reason is legal.
- Data localization rules have been relaxed, allowing transfers between countries unless specifically told not to.
- Agreements about how to handle data must be made before third parties are given work to do.
- Penalties of up to INR 250 crore for every law broken.
- Significant Data Fiduciaries must now do regular Data Protection Impact Assessments.
- Information about people that is already out in the open is not covered.
The DPDPA has big effects on India’s businesses. Those that gather, use, store, or share private data must follow certain rules. These include:
- Requesting permission from people before getting their personal information.
- Taking the right safety measures to keep private data safe from people who shouldn’t be able to see, use, share, change, or destroy it.
- Letting people see their own personal information and change, delete, or control how it is used.
- Letting the right people know when data is stolen.
You can get fined up to INR 250 crore or 2% of your global yearly sales, whichever is higher, if you don’t follow the DPDPA.
Every company that does business in India needs to do a full DPDPA compliance check because the DPDPA has very strict rules. If this audit finds any gaps in a business’s compliance, the business can make sure it is following the law by fixing the problems.
Checks for India DPDPA compliance are very important for many reasons, such as:
1. Keeping people’s privacy safe: There are clear rules about how to collect, use, and share personal information under the DPDPA. These rules protect people’s privacy. There are checks in place to make sure that businesses follow these rules and protect the right to privacy of Indian citizens.
2. Reducing the risk of litigation: If you don’t follow the DPDPA, you could face harsh punishments like fines of up to 2% of your worldwide annual sales or ₹250 crore, whichever is higher. You are less likely to be sued if you do compliance checks that help you find and fix any possible compliance gaps.
3. Improving Your Reputation: By following the DPDPA, you can help your company’s reputation as a trustworthy data manager. People will be more likely to believe the brand, and it will have an advantage in the market.
4. Stopping Data Breaches: Follow-up checks help find and fix weak spots in how data security is handled. This lowers the chance of data leaks and stops people who shouldn’t have access to private information from using it in the wrong way or getting to it.
5. Making sure people trust the digital economy: Making sure that personal data is handled in an honest and reasonable way is a big part of the DPDPA. This helps to build trust in the digital economy. This goal can be reached with the help of compliance checks, which make the ways that data is processed more open and accountable.
Compliance with the DPDPA:
An India DPDPA compliance check is a necessary step for businesses that handle personal information about people in India. You could get fined a lot, have your reputation hurt, and even be sued if you don’t follow the DPDPA rules.
If you want to do an India DPDPA compliance check, here are the steps you need to take:
1. Put together an audit team: Get together an audit team with people who know a lot about data security, law, and technology. The people in this group will plan the audit, do it, and report the findings.
2. Define the scope of the audit: It should be made clear what the audit will include, such as the specific tasks, tools, and areas of data processing that will be checked. This will help the audit team pay attention to the right places and make sure they check them all.
3. Get facts together: Get together all the important papers that have to do with how you handle data. These could be partner contracts, privacy policies, data flow maps, or policies on how long to keep data. You can learn about how the organization uses data from this documentation.
4. Do an assessment of risk: You should do a risk review to find out what the company does with data that could be harmful to data privacy. When this review is done, it should look at what kinds of personal information are collected, how they are kept, why they are processed, and if there are any security holes.
5. Check to See If DPDPA Principles Are Being Followed: You should check to see if the organization follows the DPDPA’s major rules, which are:
- Limitation on Purpose: Do not collect or use personal information for any reason other than a legal one.
- Minimizing the data: You should not gather or use more personal data than you need for the purpose you have chosen.
- Accuracy of Data: Check that the personal information you have is right, complete, and up to date.
- Limits on storage: Personal data should only be kept for as long as it takes to reach the goal.
- Integrity and confidentiality: Protect private data from people who shouldn’t be able to see, use, share, change, or destroy it by following the right safety steps.
- Each Person’s Rights: People have the right to see, change, remove, restrict, and object to how their personal data is used.
6. Find the gaps and fix them: Try to find any holes or issues in the way the organization handles data that might let it break the DPDPA. Make a plan to fix these issues and make sure that people keep following it.
7. Write down the results and suggestions of the audit: Write an in-depth audit report that explains how the problem was found, what was found, what was suggested, and how it will be fixed. Send this report to the people in charge and other important people.
8. Put the cleanup plan into action: Make sure you keep following the DPDPA and use the agreed-upon plan to fix the issues you’ve found. Policy changes, training programs, technology changes, or even changes to the way the business is set up could be needed.
9. Carry out regular reviews: Establishing a routine review schedule will help the organization follow the DPDPA and easily adjust to new data privacy rules as they emerge.
DPDPA Compliance Standards
As part of the DPDPA, organizations must meet a number of important compliance standards. These include:
- Transparency: Make sure everyone knows how you collect, use, and share information.
- Consent: If there isn’t a legal reason to do otherwise, you should get someone’s permission before you store or use their personal information.
- Minimizing the data: Get only the information you need for the reason you were given.
- Safety of Data: Protect private data from people who shouldn’t be able to see, use, share, change, or destroy it by following the right safety steps.
- Notification of a Data Breach: As soon as possible, tell the Data Protection Authority (DPA) and the people whose information was stolen.
- Rights of Individuals: People have the right to see, change, delete, limit, port, and object to how their personal data is used.
- Management of Data: Monitor how data privacy is treated by setting up a strong data governance system.
About Author
Rakshit Sharma is a student of Amity Law School, Noida, Uttar Pradesh, India. He loves cycling. He published his first article on LawGlobal Hub in September, 2022, and became a volunteer in January, 2023.