DPDP Moves India Closer to GDPR-Like Privacy Laws – Challenges for Indian Businesses

The DPDP created the Data Protection Board of India (DPB), the first regulatory body in India focused on protecting personal data privacy. Like similar regulatory bodies, the DPB's goal is to oversee compliance and impose penalties on non-compliant organizations.

In August 2023, the Indian Parliament passed the Digital Personal Data Protection Act (DPDP Act), the first comprehensive data protection law of the country. The DPDP Act does not only apply to personal data processed within India, but also covers the personal data processed outside of India when done in relation to offering of goods and services to individuals in India. The Central Government and the Data Protection Board of India (DPB) are responsible for rulemaking and enforcement of the law, respectively.

Rights of Data Principals

The DPDP Act grants several key rights to Data Principals (individuals whose personal data is being processed). These rights include:

Right to Information and Access (Section 11)

Data Principals have the right to request and receive a summary of their personal data being processed, the reasons for processing, and the names of entities with which their data has been shared.

Right to Correction, Completion, and Erasure (Section 12)

Data Principals can request correction of inaccurate data, completion of incomplete data, updating of outdated information, and erasure of their personal data under certain conditions.

Right to Grievance Redressal (Section 13)

Data Fiduciaries must establish accessible grievance redressal mechanisms to address complaints from Data Principals within a specified timeframe.

Right to Nominate (Section 14)

Data Principals can nominate representatives to exercise their data rights in cases of incapacity or posthumously.

The DPDP Act aims to empower individuals by granting them control over their personal data and ensuring transparency from Data Fiduciaries regarding data processing activities.

Responsibilities of Data Principals and Organizations

The DPDP Act outlines specific responsibilities for both Data Principals (individuals) and Organizations (Data Fiduciaries and Data Processors) to ensure data privacy and protection.

Responsibilities of Data Principals

As per Section 15 of the DPDP Act, Data Principals have the following duties:

1. No Impersonation: They must not impersonate others while providing personal data.
2. No Suppression of Material Information: They must not suppress material information when submitting personal data for unique identifiers, documents, addresses, or identity proof.
3. No False or Frivolous Complaints: They must not register false or frivolous complaints with the Data Protection Board. The Board can issue warnings or impose costs for such complaints.
4. Provide Authentic and Verifiable Information: When exercising the right to correction or erasure of personal data, Data Principals must provide authentic and verifiable information.
5. Comply with Existing Laws: They must comply with all provisions of existing laws when exercising their rights as Data Principals.

Responsibilities of Organizations (Data Fiduciaries and Data Processors)

1. Establish Grievance Redressal Mechanisms: Data Fiduciaries must establish accessible grievance redressal mechanisms to address complaints from Data Principals within a specified timeframe (Section 13).
2. Respond to Data Principal Requests: Organizations must respond to Data Principals' requests for access, correction, completion, updation, and erasure of their personal data (Sections 11 and 12).
3. Appoint Data Protection Officer (for Significant Data Fiduciaries): Significant Data Fiduciaries identified by the government must appoint a Data Protection Officer based in India.
4. Conduct Data Protection Impact Assessment (for Significant Data Fiduciaries): Significant Data Fiduciaries must conduct a Data Protection Impact Assessment.
5. Appoint Independent Data Auditor (for Significant Data Fiduciaries): Significant Data Fiduciaries must appoint an independent Data Auditor.
6. Notify Data Breaches: Organizations must notify the Data Protection Board and affected Data Principals in the event of a personal data breach.

The DPDP Act aims to strike a balance between protecting individual data privacy rights and ensuring organizational compliance with data processing obligations.

What are the Penalties for Noncompliance

Violations of the requirements—in particular, failure to implement information security measures necessary to mitigate the risk of a personal data breach—could result in fines of up to 250 crore INR/$30 million.

The penalty is less severe than 2022's proposed legislation, which wanted to impose a fine of up to approximately INR 500 crore (approximately $61 million).

Key Requirements for Businesses

Understanding these requirements as they relate to the implementation of technology is important, as to meet the requirements of the DPDP Act, some technologies will need earlier implementation than others. In some cases, a phased approach will be required to effectively deploy capabilities in a parallel manner to adjust for technologies with prerequisites or those that have a longer lead time for implementation. Experience has demonstrated that three (3) streams of work are usually required for a successful implementation of Technologies to help organisations meet their compliance requirements.

Three Key Streams

• DISCOVER Classify and Understand Sensitivity
• STREAMLINE & AUTOMATE Privacy Processes
• COMPLY Consent and Incident Management

DISCOVER Classify and Understand Sensitivity

• This has implications above and beyond the privacy needs. Understanding what personal and sensitive data is held, where it is stored, how it is used in applications and processes, and why it is still held has implications for Risk, Security, Governance, and Compliance teams.
• Why is the Data still held? Are there duplicates, or are there multiple versions? These points have implications:
  • Information Protection – as to how this information is stored and protected?
  • Governance ­– why it is still being held, and the quality of the data? Risk around why there is a need to hold this information: can reducing holding reduce risk?
  • Compliance – are we meeting all the regulatory requirements around sensitive and personal data?
  • Privacy – can we manage Data Subject Requests (DSRs) and Breach Management and notification requirements under the PDP Law?

• Data Discovery is not enough, you need to apply sensitive data intelligence and automatically orchestrate appropriate actions to data!

STREAMLINE and AUTOMATE Privacy Processes

• Building on the data intelligence created during the discovery phase, data subject access requests can now be automated to meet the requirements of the PDP Law. Requests can be collected, authorised, and processed to meet the 72-hour response timeline.
• You need to understand what applications and processes are using personal data and ensure any orphan data is managed appropriately. This requires the creation of data maps and records of processing. By linking these applications and processes to the asset holding and processing that data can provide near real-time compliance and accurate tracking of any variations to the Privacy Impact Assessments (PIA) associated with the applications of processes.
• Collaboration across the organisation will be required for Data Privacy Impact Assessments (DPIA), and automation will be required to scale across the business to meet the requirements of mapping all applications and processes. Additionally, the risks determined during this will need to be exposed and addressed. This will require automation and risk visualisation in an actionable dashboard so the prioritisation of risk reduction can be managed.
• Cross-border transfers need to be managed and understood. This includes controlled and uncontrolled data stores managed by third parties. This type and sensitivity of this information needs to be understood, monitored, and managed according to regulations.

COMPLY Consent and Incident Management

• Any incident, no matter how small, will be required to be tracked and assessed according to the regulation. This will require collaboration and assessments to be collected in a timely manner and the risks measured to determine reporting obligations.
• You will need to ensure that consent from the Data Subject is collected and maintained forever. This means any updates or changes are also managed, taking into account the requirements, to ensure this consent can be reported upon for data subject access requests.

Lessons from Other Geographies

Along with the emergence of Modern Privacy regulations based on similar principles to GDPR, we are experiencing countries morphing these regulations into Data Protection and Privacy, including Sensitive Data.

Organisations are also encountering Data Sovereignty Laws as well as banking regulations around PII and Metadata that require audit and compliance at the cloud scale.

Key Points

1. Globally, Modern Privacy Regulation is morphing into Data Privacy Regulation.
2. Technology is being developed and adopted to help organisations manage these regulations at scale and, where possible, autonomously.
3. An overlap of roles and responsibilities across Policy, Classification, and Protection is occurring, and the adoption of cloud and multi-cloud is accelerating this.

Key Insights

1. Multiple parts of the business are looking to solve similar use cases

This is resulting in time and cost impacts to the business, as often multiple vendors are being assessed, and solution overlap is often significant, significantly impacting contracting and operating costs.

2. Impending regulation enforcement is fast approaching

It takes the business significant time to assess, select, implement, and operationalise a solution. This is putting the business at compliance risk and potential brand impact compared to competitors who have taken earlier steps to meet their obligations to Consumers and Regulators. Often, the business is not ready to embrace the organisational program of work and have appropriate budgets in place to implement and operationalize a privacy program.

3. Organisational alignment is critical

Typically, we find in businesses the following stakeholder teams to deliver successful programs; please note the use of the term program versus project as a Privacy Program is ongoing and needs to be built and funded accordingly:

• Chief Data Officer or Head of Data Governance
  The CDO works with the business owners to define the classification of and policy around business data, including sensitive data.

• Chief Information Security Officer or Head of Information Security and Risk
  • The CISO/CSO operates the technology to implement the protective controls and mitigations.

• Data Protection Officer or Chief Privacy Officer
  • The DPO/CPO is guided by the applicable regulations for the geographies the business operates.

• Legal Team
  • The legal team will be responsible for providing guidance to adherence to regulatory requirements and reporting obligations.

Conclusion

Organizations are advised to adopt a phased approach to comply with India's DPDP regulations, despite the pending specifics of the rules and enforcement guidelines. To facilitate compliance, organizations worldwide have established cross-functional task forces focusing on several key areas: assessing the current and desired states of their privacy programs, outlining a compliance and governance strategy, and engaging with peers, advisory partners, and technology vendors. These collaborations aim to integrate experienced insights and align technological solutions with regulatory requirements and internal business processes.