Products

Data Command Center
View

Data+AI Teams

Data+AI Security Teams

Data Governance Teams

Data Privacy Teams

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

Cross-Border Data Transfer Requirements Under India DPDPA

By Asaad Ahmad Qureshy | Reviewed By Salma Khan

Published October 28, 2024

Introduction

The Digital Personal Data Protection Act (DPDPA) 2023 is India's primary legislation governing the processing of personal data. It protects the rights of data principles (data subjects). It applies to any entity (Indian or foreign) processing the personal data of individuals within India. Under the DPDPA, entities handling personal data are categorized as data fiduciaries or significant data fiduciaries (SDFs). Data fiduciaries manage individuals' personal data, while SDFs handle larger volumes of sensitive personal data or engage in high-risk activities, resulting in stricter compliance obligations.

The DPDPA grants the government the authority to restrict cross-border personal data transfers to certain countries by establishing a "negative list." This paper aims to guide organizations in complying with the DPDPA's cross-border data transfer requirements. It utilizes the Data Security Council of India (DSCI)’s Privacy Across Borders Whitepaper (DSCI’s Paper) to provide organizations with best practice recommendations for effective compliance.

Understanding Cross-Border Data Transfer under DPDPA

The DSCI paper defines cross-border data transfer under DPDPA by reading Section 16(1) in conjunction with Section 2(x).

Processing of personal data of individuals in India from any other country. This processing can occur through automated or manual means and includes activities such as sharing, disclosing, or disseminating personal data, whether stored in cloud or non-cloud environments globally.

The DPDPA's provisions on cross-border data transfers apply to all data fiduciaries, including startups, Micro, Small, and Medium Enterprises (MSMEs), and SDFs.

Additionally, the DPDPA does not override existing sector-specific laws for cross-border data transfer that provide greater protection, establishing DPDPA requirements as a baseline. This means that regulations from entities like the Reserve Bank of India (RBI) and the Securities Exchange Board of India (SEBI), which require financial data to be stored in India, remain in effect alongside the DPDPA.

Basis of Transferring Personal Data Outside India

Organizations can transfer personal data outside India in the following circumstances:

Government Notification

Through a notification, the government may impose restrictions on transferring personal data to specified countries or territories outside India. The DPDPA does not provide the basis upon which data transfers may be restricted. However, as per the DSCI Paper, the negative list will be based on a comprehensive assessment of relevant factors and will include specific details as outlined in the government notification.

Exempted Categories

Certain categories of processing are exempted from the government notification requirement imposing restrictions on the transfers. These include:

Processing necessary for enforcing legal rights or claims.
Processing by courts, tribunals, or regulatory bodies in India for judicial or quasi-judicial functions.
Processing necessary for the prevention, detection, investigation, or prosecution of offenses or legal contraventions in India.
Processing of personal data of data principals located outside India, pursuant to contracts with individuals outside the country by an Indian entity.
Processing required for court-approved mergers, amalgamations, demergers, or other corporate restructurings.
Processing to ascertain the financial status of individuals who have defaulted on loans, provided it complies with relevant disclosure laws.

Compliance with Cross-Border Data Transfers Requirements under DPDPA

Organizations should adopt a proactive compliance strategy to transfer data outside India under the DPDPA. The table below briefly summarizes how organizations can best comply with the DPDPA when transferring personal data outside India.

Identify the Category of Data your Organization Processes

If processing sensitive data (explained below) or high volumes of data, identify yourself as an SDF.

If you process personal data and at lesser volumes, classify yourself as a data fiduciary.

If you process personal data on behalf of a data fiduciary, classify yourself as a processor.

To ensure that you comply with the DPDPA, make sure to:

Identify if data is being transferred to a destination country that is on the Negative List
- If a transfer is not occurring in a prohibited country, then proceed with the transfer.
- If the transfer is to a prohibited country, please see if any exemptions apply.
Implement additional controls, such as obtaining explicit consent for the transfer.
Conduct periodic Data Protection Impact Assessments and audits and engage an independent data auditor to ensure compliance with the DPDPA, including its cross-border data transfer requirements.
Document cross-border data transfers to be prepared for audits if requested by the Data Protection Board of India.

To ensure that you comply with the DPDPA, make sure to:

Engage data processors under valid contracts.
Identify if data is being transferred to a destination country that is on the Negative List
- If a transfer is not occurring in a prohibited country, then proceed with the transfer.
- If the transfer is to a prohibited country, please see if any exemptions apply.

To ensure compliance with the DPDPA, make sure to:

Examine the terms of the signed agreement with the Data Fiduciary regarding the processing of personal data.
Identify if data is being transferred to a destination country that is on the Negative List
- If a transfer is not occurring in a prohibited country, then proceed with the transfer.
- If the transfer is to a prohibited country, please see if any exemptions apply.

Additional Measures

Ensure to notify the data principal in detail before the commencement of the data transfer outside India.
Execute relevant agreements (e.g., consent forms, contracts) and provide data principals with comprehensive notices before data transfers.
Document consent/contracts for data transfer if executed.

The DPDPA does not override existing sector-specific laws for cross-border data transfer that provide greater protection, establishing DPDPA requirements as a baseline. This means that regulations from entities like the Reserve Bank of India (RBI) and the Securities Exchange Board of India (SEBI), which require financial data to be stored in India, remain in effect alongside the DPDPA. Ensure compliance with any other applicable law when transferring personal data.

Documentation of Personal Data Elements and Categories

Establish a system for maintaining records of all personal data transfers, ensuring traceability for audits. Confirm where each personal data element is stored (on-premise, cloud). Map whether each element is transferred outside India.

Maintain a detailed record of all personal data elements involved in the transfer.

Clearly identify if the data includes sensitive data. While the DPDPA does not define sensitive data, insights can be drawn from Information Technology Rules, 2011 (SPDI Rules), which defines them as the following:

Passwords
Financial information such as Bank account or credit card or debit card or other payment instrument details;
Physical, physiological, and mental health condition;
Sexual orientation;
Medical records and history; and
Biometric information.
Any additional details provided to the organization as part of a service that relate to the sensitive personal data elements listed above.
Any information received by the organization under the above categories, processed or stored under lawful contracts or otherwise.

The rules may provide clarity on the categorization of sensitive personal data under DPDPA.

Keep a detailed record of all personal data elements involved in the transfer. If the data does not fall under the sensitive category listed, classify it as simply personal data.

Core Personal Data Elements:

Full name and contact information (email, phone number, address).
- Date of birth, nationality, gender.

Due Diligence Responsibilities

As per the Government notification regarding prohibited countries, permitted countries will likely be based on adequate data protection laws. Thus organizations must verify that overseas recipients can adequately protect personal data and fulfill contractual commitments.

Obtain Recognised Certifications

The SPDI Rules inform organizations to obtain certifications like the ISO/IEC 27001. Thus, it is recommended organizations engaging in cross-border data transfers should adopt industry certifications like ISO 27001, ISO 27701:2019 etc., which focus on Privacy Information Management. These certifications provide a clear framework for managing personal data and ensuring secure international transfers. These certifications show compliance with international standards such as the GDPR, California’s CCPA and the Indian Data Protection Board may recommend such certifications as a best practice.

Security Safeguards and Technical Controls

As per DPDPA’s requirements, organizations must ensure appropriate technical and organizational measures to protect personal data.

Data in Transit

Stored Data

Secure data in transit and in use through encryption, obfuscation, and access control mechanisms.

Secure stored data through physical, logical, and system security controls for data transferred and stored outside India.

Physical security/access control which in the industry looks like:
- Utilizing badge readers, biometric scanners, or keypads at entry points to ensure only authorized personnel can access data storage areas.
Logical security controls
- Implementing username and password protections, multi-factor authentication (MFA), or biometric verification to ensure only authorized users access systems.
- Configuring firewalls and encryption models to restrict access to sensitive systems from external networks or untrusted internal networks.
System security controls
- Implementing automated backups and disaster recovery plans to ensure data can be restored if lost or compromised.
- Employing tools to detect and remove malicious software that could compromise systems or data.

Web and internet-related system security controls
- Securing web traffic between users and servers with encryption protocols like SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to protect sensitive data from interception.
- Using CDNs to distribute content securely, reducing the risk of DDoS (Distributed Denial of Service) attacks by distributing load and traffic over multiple servers.

Identify the Storage Mode, Storage Location, and Medium of Data Transfer

For both cloud and non-cloud environments, ensure that contractual safeguards are in place with vendors, especially for transfers involving sensitive or critical data.

For Cloud environments, ensure a Data Transfer Agreement is in place with the provider, alongside implementing technical, security, and process controls.

Refer to the security safeguards listed in stored data to comply with access, technical, security, and process controls.

For non-cloud environments, technical, security and process controls establish access, governance and audit functions.

Refer to the security safeguards listed in stored data to comply with access, technical, security, and process controls.

Data Transfer Impact Assessments

Conduct a thorough impact assessment before transferring personal data to foreign jurisdictions, evaluating risks. Document key factors such as:

The purpose of processing,
Services involved,
Destination countries.

Data Transfer Agreements

While the DPDPA does not provide exhaustive details on contractual obligations between organizations, organizations can look to add these in their agreements based on regulations from sectoral laws such as the Reserve Bank of India, SEBI, and other laws such as the GDPR, etc.

Purpose Limitations:
Establish clear policies to limit data use to ensure organizations use personal data only for the agreed services. This minimizes risks of misuse and non-compliance by clearly defining data boundaries.
Accuracy, Data Minimization, and Retention:
Contracts should obligate organizations to maintain accurate data, minimize access, and delete or return data post-service. This ensures proper data management, reduces sprawl, and helps with compliance.
Third-Party Disclosure Restrictions:
Restrict unauthorized disclosures, particularly to law enforcement, and involve legal counsel to review requests. This prevents privacy breaches, especially in less regulated regions.
Security Considerations:
Define security obligations, including incident notifications. This safeguards against cyberattacks, ensuring compliance and data protection.
Data Subject Rights:
Ensure providers can facilitate access, correction, and deletion requests, supporting transparency and compliance with data protection laws.
Subcontracting and Onward Transfers:
Require providers to notify customers about subcontractors and ensure they adhere to the same data protection standards, maintaining data security across all processing stages.
Liability Provisions:
Clarify liability for breaches.

Utilization of Data Transfer Instruments

Before granting access to personal data, conduct a thorough due diligence process to ensure that the overseas recipient can adequately protect the data and fulfill contractual commitments. Explore the use of established Data Transfer mechanisms, such as Standard Contractual Clauses (SCCs), to facilitate lawful data transfers.

Regular Data Protection Audits

Organizations should regularly audit their data processing activities to ensure compliance with both the DPDPA and any relevant sectoral regulations. The Indian Data Protection Board may require your organization to conduct these audits as part of ongoing compliance efforts, helping to standardize practices and build trust in international data transfers. These audits should verify secure data processing, highlight risks, and address any gaps in data transfer practices to enhance accountability.

Stay Informed on Regulatory Developments

Regularly monitor updates from the Central Government regarding restrictions on data transfers, industry certifications, and changes in the legal landscape affecting data transfer agreements.

How Securiti Can Help

India's Digital Personal Data Protection Act (DPDPA) is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and the need for a comprehensive data privacy framework in India.

Securiti Data Command Center leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform, enabling organizations to comply with India's DPDPA.

Securiti can assist you in complying with India's DPDPA and other privacy and security standards worldwide.

Request a demo to witness Securiti in action.

Cross-Border Data Transfer Requirements Under India DPDPA

Introduction

Understanding Cross-Border Data Transfer under DPDPA

Basis of Transferring Personal Data Outside India

Government Notification

Exempted Categories

Compliance with Cross-Border Data Transfers Requirements under DPDPA

Identify the Category of Data your Organization Processes

Additional Measures

Documentation of Personal Data Elements and Categories

Due Diligence Responsibilities

Obtain Recognised Certifications

Security Safeguards and Technical Controls

Identify the Storage Mode, Storage Location, and Medium of Data Transfer

Data Transfer Impact Assessments

Data Transfer Agreements

Utilization of Data Transfer Instruments

Regular Data Protection Audits

Stay Informed on Regulatory Developments

How Securiti Can Help

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

Cross-Border Data Transfer Requirements Under India DPDPA

Introduction

Understanding Cross-Border Data Transfer under DPDPA

Basis of Transferring Personal Data Outside India

Government Notification

Exempted Categories

Compliance with Cross-Border Data Transfers Requirements under DPDPA

Identify the Category of Data your Organization Processes

Additional Measures

Documentation of Personal Data Elements and Categories

Due Diligence Responsibilities

Obtain Recognised Certifications

Security Safeguards and Technical Controls

Identify the Storage Mode, Storage Location, and Medium of Data Transfer

Data Transfer Impact Assessments

Data Transfer Agreements

Utilization of Data Transfer Instruments

Regular Data Protection Audits

Stay Informed on Regulatory Developments

How Securiti Can Help

Join Our Newsletter

Share

More Stories that May Interest You

An Overview of Regulation on Personal Data Transfer Outside the Kingdom

Understanding India’s DPDPA Consent Manager

China’s Renewed Cross-Border Data Transfer Regime

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New