Securiti Launches Industry’s First Solution To Automate Compliance
View
Today's digitally interconnected world necessitates safeguarding personal data to avoid privacy breaches, unauthorized access, and non-compliance penalties. As individuals increasingly share their personal data with online platforms and services, governments and regulatory bodies have enacted comprehensive data privacy regulations to protect their personal data.
Two foundational pieces of data privacy legislation are the European Union's General Data Protection Regulation (GDPR), approved by the European Parliament in 2016 and enacted in 2018, and the recently enacted India's Digital Personal Data Protection Act, 2023 (DPDP Act), passed by the Parliament on 9th August and gazetted on 12th August 2023.
In this guide, we examine these two crucial pieces of legislation in-depth, focusing on their key provisions and their implications for individuals, organizations, and the global data economy.
Legislation protecting data privacy serves as a watchdog protecting our digital ecosystem, and its importance cannot be emphasized enough at a time when data travels nonstop across virtual realms. Data privacy legislation prevents inadvertent personal information exposure and fosters confidence in the digital interactions that have permeated today’s digital environment.
These laws enable individuals to exercise control of their personal data by establishing data collection, processing, and sharing guidelines. Additionally, they require organizations to embrace ethical behavior, encouraging the smooth coexistence of technological development with an emphasis on the fundamental right to privacy.
In today's interconnected world, drawing comparisons between India's DPDP Act and the EU's GDPR is paramount. While both laws aim to protect personal data, they come from distinct perspectives and target diverse demographics. This comparative analysis uncovers the intricacies of each legislation and emphasizes its underlying challenges and solutions.
India's DPDP Act and the EU's GDPR are significant laws representing a large segment of the world’s population. The DPDP Act is a testament to the country's effort to protect digital information and promote responsible data handling practices.
The DPDP Act outlines extensive provisions that solely protect an individual’s personal data and require a legal basis for processing their data. It also empowers individuals (data principals) with the right to exercise how their data is being processed by imposing obligations on data fiduciaries (data handlers/controllers) and outlines the penalties for non-compliance.
On the other hand, the EU's GDPR has influenced laws worldwide with its comprehensive approach to data privacy and data protection. It sets an international standard of regulations for handling personal data across EU member states, giving individuals greater control over their data while imposing stricter requirements on organizations that process data. It also introduces data processing principles and has an extraterritorial reach.
The Data Protection Board of India established by the Central Government.
An individual who has not completed the age of eighteen years.
A person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent and interoperable platform.
A representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data.
The individual to whom the personal data relates and where such individual is:
Any person who processes personal data on behalf of a Data Fiduciary.
An individual appointed by the Significant Data Fiduciary.
Any data about an individual who is identifiable by or in relation to such data.
Any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government.
The DPDP Act applies to the processing of personal data collected in digital or non-digital form and then subsequently digitized.
The DPDP Act does not apply to personal data processed by an individual for domestic or personal use and any personal data that is made or caused to be made publicly available by either the data subject or by an individual under legal authority to do so.
If digital personal data processing is associated with providing goods or services to data principals within India, the DPDP Act has an extraterritorial application.
Additionally, the Central Government of India may, within five years of the commencement of the DPDP Act, exclude data fiduciaries or classes of data fiduciaries from the application of any provision of the DPDP Act for a notified period.
Personal data may only be processed for a lawful purpose for which the data principal has given or is deemed to have given his/her consent or for certain legitimate uses. Any purpose that the law does not specifically and explicitly prohibit is known as a lawful basis. The DPDP Act's provisions and any other applicable rules or regulations that may be adopted under the DPDP Act must be implemented when processing personal data.
The consent given by the data principal shall be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of their personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
The data principal must be given access to any request for consent made in accordance with the provisions of this Act or any related rules in clear, plain language, with the option to access the request in either English or any other language listed in the Eighth Schedule to the Constitution of India.
The DPDP Act specifies the circumstances in which the data fiduciary may process the personal data of the data principals, in addition to the data subject's consent. These include:
The data principal voluntarily provides their personal data and gives explicit consent to the use of personal data.
For the purpose of providing subsidies, benefits, services, certificates, licenses, or permits to the data principal, based on their prior consent or if the data is available in State-maintained records as specified by the Central Government.
For the performance of any action by the Government under Indian law or to preserve India's integrity, sovereignty, and security of the State.
To meet legal obligations requiring individuals to share their information with the State or its instrumentalities, provided that the processing of such information complies with the laws governing the disclosure of information.
For compliance with any judgment, decree, or order made under any law.
To respond to medical emergencies endangering the life of the data principal or others, as well as to offer medical care during epidemics or dangers to public health.
For taking measures to protect an individual's safety or for providing assistance or services to an individual in need during a disaster or any breakdown of public order.
Purposes related to employment, prevention of corporate espionage, maintenance of confidentiality (trade secrets, intellectual property, classified information, etc.), recruitment, termination of employment, and provision of any service or benefit sought by the data principal who is also an employee.
The data fiduciary must notify the data principal when obtaining or receiving their consent. The notice should include the exact personal data being processed and the intended purpose of the data processing.
The notice shall also explain the procedures through which the data principal can exercise their right to withdraw consent, as well as information regarding how to submit a complaint with the data fiduciary and the Board. The data fiduciary must make the notification available to the data principal, allowing them to read it in English or any other language listed in Schedule 8 of the Indian Constitution.
A data fiduciary must implement the necessary organizational and technical security measures to protect personal data and ensure compliance with the DPDP Act. The Board and each impacted data principal must be notified in the event of a personal data breach by the data fiduciary or data processor.
A Data Protection Officer (DPO) must be appointed by the Significant Data Fiduciary in order to represent and ensure compliance with the DPDP Act's provisions. The DPO must be located in India and is accountable to the company's Board of Directors or an equivalent governing body. The DPO's principal duty is to act as the point of contact for the grievance redressal mechanism created by the DPDP Act.
The data fiduciary may employ a data processor to process personal data on that entity's behalf. This should only be carried out when a valid legal contract outlines the agreement between the data processor and the data fiduciary.
A data fiduciary must obtain verifiable consent from the parent or the person's legal guardian before processing the personal data of children or disabled individuals. Additionally, the data fiduciary is not allowed to track children or monitor their behavior, nor may they use them as targets for advertising.
After verifying that the data fiduciary processes children's data safely, the Central Government may inform the data fiduciary of the age at which the data fiduciary is exempt from the requirements for processing children's personal data.
The Central Government of India may designate any data fiduciary or class of data fiduciaries as a "Significant Data Fiduciary" based on an assessment of cases that are significant, such as:
A Significant Data Fiduciary must also designate an independent data auditor who will determine whether the Significant Data Fiduciary complies with the DPDP Act's requirements and implement extra security measures like carrying out Data Protection Impact Assessments and periodic audits.
Transmitting personal data outside of India is neither expressly prohibited by the DPDP Act nor does it specify any particular compliance criteria (such as requiring standard contractual clauses or transfer impact assessments). However, the countries or territories outside of India to which a data fiduciary may not transfer data may be determined by the Central Government of India.
The DPDP Act aims to make provisions for the processing of personal data in a way that acknowledges both the necessity to handle such data for authorized purposes and for matters related to or incidental to those purposes, as well as the right of individuals to have their personal data protected.
The data principals have the following rights:
The data principal has the right to inquire the data fiduciary about their personal data, including whether it is being processed, how it is being processed, who is processing it, with whom it has been shared, and what categories of personal data have been shared.
A data principal has the right to update and delete their personal data. A data fiduciary is obligated to update a data principal's personal data in the systems in accordance with any updates made after receiving a request for such correction of the personal data from a data principal. The data fiduciary is also required to destroy any personal data that is no longer required for the original reason it was collected and processed unless retention is required by law.
A data principal can lodge a complaint with the Consent Manager or a data fiduciary. The data principal must use this right prior to bringing any grievances to the Board for any grievance redressal.
In the event of the data principal's demise or incapacity, the data principal shall be able to designate a substitute in the manner permitted by the DPDP Act to act on the data principal's behalf. Incapacitation refers to the data principal's incapacity to exercise their legal rights under this Act because of physical or mental incapacitation.
When the data principal's consent is the foundation for processing personal data, he has the right to revoke his consent at any time, using a withdrawal process that is just as straightforward as giving the original consent.
The Data Protection Board of India will act as the regulating body to carry out the DPDP Act's provisions. The Board will be in charge of monitoring compliance with the DPDP Act and enforcing penalties as necessary. The Board may additionally require data fiduciaries to take any immediate action necessary to address a personal data breach and mitigate any harm done to data principals.
A data fiduciary or data processor is subject to a fine of up to two hundred and fifty crore Indian Rupees if they don't take appropriate security precautions to prevent a personal data breach. A penalty of up to two hundred crore Indian Rupees will also be imposed if the Board or the affected data principals are not notified of the data breach and any obligations for processing children's data are not met. A data principal is also liable to a fine of 10,000 Indian Rupees if they don't carry out their obligations under the Act.
Personal data includes any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be directly or indirectly identified. This includes names, location information, ethnicity, gender, biometric data, religious beliefs, and political opinions.
A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
The GDPR covers both territorial and material aspects in determining its applicability. Two important determinants of GDPR’s applicability are:
The GDPR outlines a set of fundamental principles that guide the lawful and responsible processing of personal data. These principles lay the groundwork for how organizations should manage customer data.
Personal data must be processed lawfully, fairly, and transparently and individuals must be informed about how their data will be used. Additionally, data processing must have a legitimate legal basis, such as consent, a contractual requirement, legal requirements, vital interests, a public task done in the public interest, or legitimate interests pursued by the data controller or a third party. The data subject must be informed about how their data will be used.
Personal data should be collected and processed for specified, explicit, and legitimate purposes. The data controller should not use it for activities that conflict with the original purpose for which it was obtained.
The data minimization concept highlights the idea that data controllers should only collect and process the adequate, relevant, and limited personal data required to fulfill the processing activities.
Data controllers are responsible for taking reasonable measures to ensure that inaccurate or outdated personal data is corrected or deleted without undue delay.
The principle of storage limitation mandates that those in control of data must retain personal information only for the duration necessary to fulfill the processing purposes for which it is collected. Exceptions allowing the retention of personal data beyond these purposes exist in specific situations, such as for public interest, scientific or historical research purposes, or statistical purposes, provided that adequate organizational and technical measures are in place to safeguard the personal data.
Data controllers must implement appropriate technical and organizational measures to ensure the security of personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Data controllers are accountable for complying with the GDPR's principles and demonstrating evidence of compliance. This includes maintaining track of processing operations, conducting data protection impact assessments (DPIAs) for processing activities that pose a high risk, and collaborating with supervisory authorities.
When an individual’s consent is necessary for processing personal data, that consent should be freely given, specific, informed, and unambiguous. The data subjects must be able to withdraw their consent as easily as it was given at any time.
Special categories include personal data for which high levels of data protection measures are necessary, like sensitive health or biometric data, and processing of sensitive data is generally prohibited unless explicit consent or legal grounds for such processing are applicable.
The GDPR empowers individuals whose personal data is processed within the EU and EEA with comprehensive rights that enable them to exercise greater control over their personal data and how organizations process it. This includes:
Data subjects have the right to be informed about how their personal data is processed. Data controllers should maintain transparency by giving clear and concise details regarding the objectives, legal basis, duration of data retention, and other relevant personal data processing information in an intelligible and easily accessible form, using plain language.
Data subjects have the right to access their personal data collected, stored, or used by an organization. The data subjects should be provided with clear and easily understandable information that covers, at least, confirmation on whether a controller is processing their data, the purpose behind such processing, its legal bases, the source of the personal data, the entities with whom the data has been or might be shared, the anticipated duration of storage, insights into how their data is used for profiling and automated decision-making. When personal data is transferred to a third country or to an international organization, details of appropriate safeguards related to the transfer of personal data must be provided to the data subjects.
Data subjects are entitled to have inaccurate personal data about them rectified as soon as possible, along with the right to complete any incomplete personal data, including by means of providing a supplementary statement.
Data subjects have the right to request the deletion of their personal data without undue delay in certain situations, such as when the data is no longer required for the originally obtained purpose, when consent is withdrawn and when there are no reasons to process the personal data any further or the personal data has to be erased to fulfill a legal obligation within EU or Member State law to which the controller is obligated.
Data subjects have the right to restrict of processing their personal data If any one of the following conditions are met:
Data subjects have the right to obtain personal information in a structured, commonly used, and machine-readable format. Data subjects can also ask for the transfer of their personal data from one data controller to another without interference.
Data subjects have the right to object to processing their personal data at any time on grounds relating to their personal situations unless the data controller can provide a clear and convincing justification that supersedes the interests, rights, and freedoms of the data subject or that the processing is necessary for the establishment, exercise, or defense of legal claims. Certain rights to object should be absolute, particularly in the context of direct marketing.
Data subjects have the right to be exempt from decisions solely based on automated processing, including profiling, especially if those choices would significantly affect their legal standing or other matters except if the decision is required for entering into or fulfilling a contract between the data subject and a data controller.
Data subjects have the right to revoke their consent at any time. This withdrawal does not affect any processing that took place when consent was valid. Additionally, the withdrawal should be as simple as consenting.
Data subjects have the right to file a complaint with the supervisory authority if they deem their rights are violated.
The transfer of personal data to a third country or an international organization can occur when the Commission has determined that the said third country, a specific territory, or one or more designated sectors within that third country, as well as the concerned international organization, guarantee an adequate level of protection. In such instances, specific authorization for such transfers is not required.
However, in the absence of an adequacy decision, additional guarantees are required by means of contractual agreements such as Standard Contractual Clauses, Binding Corporate Rules, Codes of Conducts, or Certification Mechanisms.
The GDPR mandates that only countries outside the EU/EEA that provide an adequate level of data protection may receive personal data transfers. Adequacy is determined by evaluating whether the recipient country's data protection laws, rules, and practices offer safeguards that are fundamentally equal to those in the EU.
The European Commission may issue adequacy decisions indicating that the degree of data protection is adequate. Adequacy decisions enable the smooth flow of data across borders without requiring additional security.
Where an adequacy decision is not established with a recipient country, data controllers and processors can utilize standard contractual clauses (SCCs) – pre-approved contract templates, to ensure personal data protection during the transfer of personal data.
Binding Corporate Rules (BCRs), which are internal guidelines for cross-border data transfers among their corporate group, can be established by large multinational organizations. The appropriate data protection authorities must authorize BCRs and ensure that the data is protected across the board.
Codes of conduct and certification mechanisms confirming that organizations comply with GDPR requirements while transmitting data can be established.
Cross-border data transfers are permitted without an adequate decision or SCCs when:
Each EU Member State is responsible for appointing one or more independent public authorities to monitor the enforcement of GDPR. These are known as Data Protection Authorities (DPAs) that protect individuals' rights and freedoms regarding their personal data. Here are the responsibilities of a DPA:
DPAs are responsible for monitoring and enforcing compliance with local data protection legislation and the GDPR in their own countries. To make sure that personal data is handled legally, they maintain a watchful eye on the actions of data controllers and processors.
DPAs must initiate investigations into complaints, breaches, and alleged violations and conduct audits and inspections of how organizations process personal data to assess their compliance.
DPAs must set up a process by which people can report alleged violations of their data protection rights, investigate those concerns, and respond appropriately if violations are found.
DPAs must provide organizations, individuals, and other stakeholders with direction and assistance regarding data protection practices, compliance, and the GDPR's interpretation.
DPAs must establish approved codes of conduct and introduce certifications that enable organizations to comply with the GDPR swiftly.
To ensure a uniform approach to data protection enforcement across the EU/EEA, a DPA of one country must cooperate with the DPAs of other countries and the European Data Protection Board (EDPB).
Rules regarding penalties for the infringement of GDPR shall be laid down by the Member States, but these rules must comply with the principles, conditions, and limitations set out in the GDPR. Depending on the nature of the violation, the DPAs can impose administrative fines. For less serious violations, an organization may be fined €10 million or 2% of its annual revenue from the previous fiscal year, whichever is higher. More serious infractions carry a fine of up to €20 million, or 4% of the organization’s previous year's revenue, whichever is higher.
DPAs play an essential role in educating the public and creating awareness of their rights and obligations with regard to data protection.
DPAs must collaborate with data protection authorities outside the EU/EEA when addressing cross-border data protection issues and global data transfers.
India’s DPDP Act defines ‘personal data’ as any data pertaining to an identifiable individual. Anyone who, alone or in conjunction with others, determines the purpose and means of processing personal data is known as a Data Fiduciary.
GDPR, on the other hand, defines personal data as any information that relates to an individual who can be directly or indirectly identified. The GDPR regards the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data as a Data Controller.
Although each law defines them differently, the interpretation is identical in both cases.
In addition, it’s worth noting that the GDPR defines a “child” as a natural person who has not attained the age of 16 years. On the other hand, the DPDP Act considers a natural person “who has not completed” 18 years as a child. This distinction highlights the age variance between these two laws.
The DPDP Act applies to the processing of digital personal data within the territory of India, where the personal data is collected in digital form or in non-digital form and is subsequently digitized. The GDPR has a more advanced approach towards its applicability, covering both territorial and material aspects. Two important determinants of GDPR’s applicability are:
Although each law defines them differently, the application's goal is identical in both cases.
Both India’s DPDP Act and the GDPR emphasize obtaining explicit consent before processing an individual's personal data. A data fiduciary must put in place the necessary organizational and technical safeguards to protect personal data and ensure compliance with the DPDP Act. Each data fiduciary and data processor must take reasonable security precautions to secure any personal data that is in their possession or under their control to prevent any breach of the personal data of the data principal.
In case of a data breach, the data fiduciary or data processor must inform the Board and each affected data principal. The only difference is that the DPDP Act requires the data fiduciary to inform the affected data principals in all cases of a data breach. However, GDPR requires the data controllers to notify the affected data subjects when it involves a high risk to the rights and freedoms of individuals.
The GDPR outlines seven data protection principles: lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitations, integrity and confidentiality, and accountability. However, such data protection principles are not covered in the DPDP Act, even though some provisions embody principles such as purpose limitation and accountability.
Both India’s DPDP Act and the GDPR provide individuals with several rights regarding the processing of their personal data, such as the right to access personal data obtained by the data fiduciary or the controller, the right to rectification, right to erasure, right to data portability, right to object, right to withdraw consent, etc. However, the GDPR provides a broader range of legal grounds for data processing in contrast to the DPDP Act, which has a limited scope with "strictly defined consent" and "legitimate use" as its primary bases.
The consent requirements are identical where the consent obtained shall be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
This is where the laws differ. India’s DPDP Act does not expressly prohibit cross-border data transfers or prescribe any specific compliance requirements (like obliging with standard contractual clauses, transfer impact assessments, etc.) for transferring personal data outside India. However, in the case of the GDPR, a transfer of personal data to a third country or an international organization may take place where the European Commission has determined that the third country, a specific territory, one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection such as SCCs, BCRs, impact assessments, etc.
The Indian government has nominated the Data Protection Board of India as the regulatory authority to implement the provisions of the DPDP Act. The Board may also direct data fiduciaries to adopt any urgent measures - in the event of a data breach - to remedy such personal data breach or mitigate any harm caused to data principals. Fines range from ten thousand Indian Rupees to two hundred and fifty crore Indian Rupees. Under the DPDP Act, the data principals are required to exhaust the remedy available to them for redressal of grievances by approaching data fiduciaries or consent managers before approaching the Data Protection Board.
Under the GDPR, each Member State is responsible for assigning independent public authorities (‘supervisory authority’) to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. Less severe infringements can result in a fine of €10 million or 2% of a firm's entire global turnover of the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm's entire global turnover of the preceding year, depending on what is higher.
India's DPDP Act and the GDPR have significant implications for individuals and organizations. For individuals, it reinforces their data subject rights and gives them more power over their personal data. As for organizations, they face the responsibility of ensuring compliance with stricter data protection rules, which may need operational changes and higher accountability standards.
Nevertheless, both laws promote cross-border data transfer between India and the EU, necessitating global organizations with operations spanning across borders to uphold data privacy practices. All things considered, it encourages a more egalitarian digital environment where individuals are empowered, their rights are respected, and organizations act responsibly when processing their personal data.
Organizations operating within India's jurisdiction face several compliance challenges due to the uniformity of India's DPDP Act with the GDPR. One key problem is adjusting to the higher data protection regulations, which may necessitate massive adjustments to the current data processing procedures and infrastructure.
Organizations must establish reliable consent processes to ensure that the individual gives explicit and informed consent for data processing activities. As for SMEs that lack the resources or funding, designating a Data Protection Officer (DPO) could be an obstacle.
Organizations must also thoroughly understand cross-border data transfers and establish their legal basis, which may call for contractual agreements or additional security measures. Also, maintaining records demonstrating compliance and ensuring data breach notifications are sent out within the given time may be complex for organizations without a dedicated resource.
It’s essential for organizations to navigate these difficulties to comply with evolving data protection rules and prevent negative legal and reputational damage.
International data flows and cross-border transfers occur in real-time. Organizations engaging in cross-border data transfers between India and the EU and other jurisdictions must ensure that the necessary protections are in place to protect individuals' personal data because both frameworks strongly emphasize data protection and privacy.
This could involve implementing SCCs, complying with BCRs, or relying on approved certification mechanisms. It's important to realize that ensuring the legality of data transfers becomes increasingly difficult, especially when working with third-party service providers or cloud services. Organizations must carefully assess the routes for data flow and establish defenses against potential risks by assigning authorized personnel to access data, etc.
Note that data transfers could be temporarily or permanently stopped if there is non-compliance, which would impede global business operations.
Securiti’s Data Command Center enables organizations to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the European Union's General Data Protection Regulation (GDPR) by leveraging contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
Request a demo to learn more.
Get all the latest information, law updates and more delivered to your inbox
March 6, 2024 knowledge-center
Artificial Intelligence (AI) is taking on an increasingly important strategic role for businesses. It promises a tremendous leap in productivity, efficiency, and revenues, with...
January 17, 2024 knowledge-center
Data privacy and protection have become an increasingly important strategic and operational consideration for organizations globally. This is further compounded by the proliferation of...
January 1, 2024 knowledge-center
The European Union’s General Data Protection Regulation (GDPR) is the first-ever comprehensive data privacy law, inspiring almost every global regulation today. The regulation fosters...
At Securiti, our mission is to enable organizations to safely harness the incredible power of Data & AI.
Copyright © 2024 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128
