FAQ: Navigating India's New Data Protection Law

What is the Digital Personal Data Protection Act (DPDPA)?

The Digital Personal Data Protection Act (DPDPA) is a law enacted on August 11, 2023, in India, aimed at balancing individuals' rights to protect their personal data with the legitimate needs of organizations to process such information.


Who are the key stakeholders under the DPDPA?

1. Data Principal: The individual to whom the personal data relates, including parents or guardians in the case of children and lawful guardians for persons with disabilities.

2. Data Fiduciary: Any entity that determines the purpose and means of processing personal data, such as companies and organizations handling personal data.

3. Significant Data Fiduciary: Specific data fiduciaries notified by the government, subject to more stringent obligations due to the scale and sensitivity of data they handle.

4. Data Processor: Entities processing data on behalf of a data fiduciary.

5. Consent Manager: Registered entities enabling data principals to manage their consent regarding data processing.


What rights do data principals have under the DPDPA?

1. Right to Access: Data principals can request details about their data being processed.

2. Right to Correction and Erasure: They can request corrections, updates, or deletion of their data.

3. Right to Grievance Redressal: They can raise complaints about data handling practices and expect a timely response.

4. Right to Nominate: They can nominate another individual to exercise their data rights in case of incapacity or death.


What duties do data principals have?

Data principals are required to:

• Avoid impersonation.

• Provide accurate information.

• Not lodge false complaints.


What obligations do data fiduciaries have under the DPDPA?

1. Data Breach Notification: Notify the Data Protection Board and affected data principals in the event of a breach.

2. Data Erasure: Erase data when consent is withdrawn or the data is no longer needed, unless retention is required by law.

3. Grievance Redressal: Establish mechanisms to address grievances from data principals.

4. Data Protection Officer: Appoint an officer responsible for compliance with the DPDPA and addressing data protection queries.

5. Technical and Organizational Measures: Implement measures to protect personal data from breaches.


What additional responsibilities do significant data fiduciaries have?

1. Data Protection Impact Assessments: Conduct regular assessments to evaluate the impact of data processing on the rights of data principals.

2. Independent Audits: Perform periodic audits to ensure compliance with the DPDPA.

3. Verifiable Consent for Children's Data: Obtain verifiable consent from parents or guardians before processing children's data, ensuring it does not adversely affect the child's welfare.


What are the penalties for non-compliance with the DPDPA?

Non-compliance can result in hefty penalties, including fines up to ₹250 crore for breaches and up to ₹200 crore for failing to prevent data breaches.


How can businesses ensure compliance with the DPDPA?

Businesses can ensure compliance by:

• Integrating DPDPA provisions into their contract management processes.

• Including clear clauses on data transfers, breach notifications, and record-keeping.


Where can I get more detailed guidance on DPDPA compliance?

For detailed guidance, consult with us to tailor your strategies effectively to comply with the DPDPA.


MS Sulthan Legal Associates

+919847980019

contact@mssulthan.com

136/2, Rameshwar Nagar, Model Town, New Delhi – 110033

T1, Hi-Lite Business Park, Kozhikode, Kerala - 673014


© 2024 MS Sulthan Legal Associates. All rights reserved.