Cross-Border Data Transfer Requirements Under India DPDPA

Identify the Category of Data your Organization Processes

• Identify if data is being transferred  to a destination country that is on the Negative List
  • If a transfer is not occurring in a prohibited country, then proceed with the transfer.
  • If the transfer is to a prohibited country, please see if any exemptions apply.
• Implement additional controls, such as obtaining explicit consent for the transfer.
• Conduct periodic Data Protection Impact Assessments and audits and engage an independent data auditor to ensure compliance with the DPDPA, including its cross-border data transfer requirements.
• Document cross-border data transfers to be prepared for audits if requested by the Data Protection Board of India.

• Engage data processors under valid contracts.
• Identify if data is being transferred  to a destination country that is on the Negative List
  • If a transfer is not occurring in a prohibited country, then proceed with the transfer.
  • If the transfer is to a prohibited country, please see if any exemptions apply.

• Examine the terms of the signed agreement with the Data Fiduciary regarding the processing of personal data.
• Identify if data is being transferred  to a destination country that is on the Negative List
  • If a transfer is not occurring in a prohibited country, then proceed with the transfer.
  • If the transfer is to a prohibited country, please see if any exemptions apply.

Additional Measures

• Ensure to notify the data principal in detail before the commencement of the data transfer outside India.
• Execute relevant agreements (e.g., consent forms, contracts) and provide data principals with comprehensive notices before data transfers.
• Document consent/contracts for data transfer if executed.

Documentation of Personal Data Elements and Categories

Establish a system for maintaining records of all personal data transfers, ensuring traceability for audits. Confirm where each personal data element is stored (on-premise, cloud). Map whether each element is transferred outside India.

Clearly identify if the data includes sensitive data. While the DPDPA does not define sensitive data, insights can be drawn from Information Technology Rules, 2011 (SPDI Rules), which defines them as the following: 

• Passwords
• Financial information such as Bank account or credit card or debit card or other payment instrument details;
• Physical, physiological, and mental health condition;
• Sexual orientation;
• Medical records and history; and
• Biometric information.
• Any additional details provided to the organization as part of a service that relate to the sensitive personal data elements listed above.
• Any information received by the organization under the above categories, processed or stored under lawful contracts or otherwise.

The rules may provide clarity on the categorization of sensitive personal data under DPDPA.

Core Personal Data Elements:

• Full name and contact information (email, phone number, address).
  • Date of birth, nationality, gender.

Due Diligence Responsibilities

As per the Government notification regarding prohibited countries, permitted countries will likely be based on adequate data protection laws. Thus organizations must verify that overseas recipients can adequately protect personal data and fulfill contractual commitments.

Obtain Recognised Certifications

The SPDI Rules inform organizations to obtain certifications like the ISO/IEC 27001. Thus, it is recommended organizations engaging in cross-border data transfers should adopt industry certifications like ISO 27001, ISO 27701:2019 etc., which focus on Privacy Information Management. These certifications provide a clear framework for managing personal data and ensuring secure international transfers. These certifications show compliance with international standards such as the GDPR, California’s CCPA and the Indian Data Protection Board may recommend such certifications as a best practice.

Security Safeguards and Technical Controls

As per DPDPA’s requirements, organizations must ensure appropriate technical and organizational measures to protect personal data.

Data in Transit

Stored Data

• Physical security/access control which in the industry looks like:
  • Utilizing badge readers, biometric scanners, or keypads at entry points to ensure only authorized personnel can access data storage areas.
• Logical security controls
  • Implementing username and password protections, multi-factor authentication (MFA), or biometric verification to ensure only authorized users access systems.
  • Configuring firewalls and encryption models to restrict access to sensitive systems from external networks or untrusted internal networks.
•  System security controls
  • Implementing automated backups and disaster recovery plans to ensure data can be restored if lost or compromised.
  • Employing tools to detect and remove malicious software that could compromise systems or data.

• Web and internet-related system security controls
  • Securing web traffic between users and servers with encryption protocols like SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to protect sensitive data from interception.
  • Using CDNs to distribute content securely, reducing the risk of DDoS (Distributed Denial of Service) attacks by distributing load and traffic over multiple servers.

Identify the Storage Mode, Storage Location, and Medium of Data Transfer

For both cloud and non-cloud environments, ensure that contractual safeguards are in place with vendors, especially for transfers involving sensitive or critical data.

Refer to the security safeguards listed in stored data to comply with access, technical, security, and process controls.

Refer to the security safeguards listed in stored data to comply with access, technical, security, and process controls.

Data Transfer Impact Assessments

Conduct a thorough impact assessment before transferring personal data to foreign jurisdictions, evaluating risks. Document key factors such as:

• The purpose of processing,
• Services involved,
• Destination countries.

Data Transfer Agreements

While the DPDPA does not provide exhaustive details on contractual obligations between organizations, organizations can look to add these in their agreements based on regulations from sectoral laws such as the Reserve Bank of India, SEBI, and other laws such as the GDPR, etc.

1. Purpose Limitations:
   Establish clear policies to limit data use to ensure organizations use personal data only for the agreed services. This minimizes risks of misuse and non-compliance by clearly defining data boundaries.
2. Accuracy, Data Minimization, and Retention:
   Contracts should obligate organizations to maintain accurate data, minimize access, and delete or return data post-service. This ensures proper data management, reduces sprawl, and helps with compliance.
3. Third-Party Disclosure Restrictions:
   Restrict unauthorized disclosures, particularly to law enforcement, and involve legal counsel to review requests. This prevents privacy breaches, especially in less regulated regions.
4. Security Considerations:
   Define security obligations, including incident notifications. This safeguards against cyberattacks, ensuring compliance and data protection.
5. Data Subject Rights:
   Ensure providers can facilitate access, correction, and deletion requests, supporting transparency and compliance with data protection laws.
6. Subcontracting and Onward Transfers:
   Require providers to notify customers about subcontractors and ensure they adhere to the same data protection standards, maintaining data security across all processing stages.
7. Liability Provisions:
   Clarify liability for breaches.

Utilization of Data Transfer Instruments

Before granting access to personal data, conduct a thorough due diligence process to ensure that the overseas recipient can adequately protect the data and fulfill contractual commitments. Explore the use of established Data Transfer mechanisms, such as Standard Contractual Clauses (SCCs), to facilitate lawful data transfers.

Regular Data Protection Audits

Organizations should regularly audit their data processing activities to ensure compliance with both the DPDPA and any relevant sectoral regulations. The Indian Data Protection Board may require your organization to conduct these audits as part of ongoing compliance efforts, helping to standardize practices and build trust in international data transfers. These audits should verify secure data processing, highlight risks, and address any gaps in data transfer practices to enhance accountability.

Stay Informed on Regulatory Developments

Regularly monitor updates from the Central Government regarding restrictions on data transfers, industry certifications, and changes in the legal landscape affecting data transfer agreements.