The Digital Personal Data Protection (DPDP) Act is India’s law to protect digital personal data. Enacted in 2023 but yet to take effect, it aims to give individuals more control over their data and hold companies accountable for how they process it. Businesses must comply with its rules for collecting, storing, and processing personal data, with consequences including potential fines. The law has key provisions such as a consent-based framework and the introduction of entities called consent managers to help individuals manage their data permissions.
What does it cover:
- Data subject rights: Individuals’ rights to access, rectify, or erase their personal data.
- Consent management: Obtaining clear, specific, informed, and unambiguous consent from individuals before processing their data.
- Data fiduciary responsibility: Identifying a data fiduciary (the entity responsible for managing personal data) and outlining their obligations.
- Data processor agreement: Establishing a contract with any third-party data processor detailing their data handling responsibilities.
- Data security measures: Implementing robust security practices to protect personal data from unauthorized access, disclosure, or modification.
- Data breach notification: Reporting data breaches to relevant authorities and affected individuals within a specified timeframe.
- Cross-border data transfer: Complying with regulations regarding transferring personal data outside the country.
- Privacy notice: Providing clear and accessible information to individuals about how their data is collected, used, and shared.
- Data minimization: Collecting and processing only the necessary personal data for the intended purpose.
- Data protection impact assessments (DPIAs): Conducting DPIAs for high-risk data processing activities.
Let’s understand the roles & obligations of a Data Fiduciary & Data Processor
Data Fiduciary
An organization (like a company, government body, or even an individual) that determines why and how personal data is collected, used, and stored. The Data Fiduciary is the “owner” of the data processing relationship and is directly accountable to the Data Principal (the individual whose data is being processed).
Key Responsibilities:
- Obtaining valid consent from the Data Principal.
- Providing a privacy notice that details the purpose of data collection and how it will be used.
- Ensuring data is only used for the specified purpose (purpose limitation).
- Collecting only the necessary data (data minimization).
- Implementing reasonable security safeguards.
- Allowing individuals to easily withdraw their consent.
Data Processor
An entity that processes personal data strictly on behalf of a Data Fiduciary. The Data Processor is a service provider, like a cloud storage company or a marketing automation platform. They do not have an independent role in deciding the purpose of processing; they simply execute the instructions of the Data Fiduciary.
Key Responsibilities:
- Must have a formal agreement or contract with the Data Fiduciary.
- Must process the data according to the Fiduciary’s instructions and the terms of the agreement.
- Must adhere to the security requirements and data protection principles dictated by the Fiduciary.
DPDP’s Solution Framework

Compliance & Governance Framework
A solution without governance will be the biggest failure in implementing DPDP controls.

How an Entity or Organization can prepare for DPDP
To prepare for the DPDP Act, work through the following steps:
- Understand applicability and scope
- Conduct a gap analysis audit
- Classify your inventory and map your data
- Implement consent mechanisms
- Enable data principal rights
- Implement Data Security
- Implement strict Data usage controls
- Manage Third-Party Risk
- Plan an incident response to handle Data Breaches
- Train the team
- Audit, Review & Report
- Manage Compliance & Governance effectively
How can Techsec Digital help here
Techsec Digital has a team of professionals to support organizations with:
- Audit & Gap Analysis
- Provide the right mix of solutions & tools for Consent Management, Data Discovery & Classification, Data Security, Third Party risk management, Reporting & Compliance Management
- Professional Services with deployment
- Monitoring Services with Incident Response
- Training & Awareness
- Provide Virtual Data Protection Officer (vDPO) services
- Support & Manage round the clock
Techsec Digital’s goal is to empower businesses with the right tools, knowledge, and expertise not only to comply with the law, but also to see data privacy and protection as a fundamental aspect of the client’s operations.

