1. Exceptions to DPDP Act 2023:
– Personal data used for domestic purposes (e.g., family contact lists) is not covered by the DPDP Act.
– Data made public by the individual or law is also not subject to the DPDP Act.
2. Personal Data Becoming Public:
– Personal data can become public by the individual, such as data shared on social media, blogs, or LinkedIn profiles.
– Personal data can also become public through public records, such as land records.
3. Consent Managers:
– India has a Consent Manager framework to manage and withdraw consent for individuals (Data Principals).
– Consent management should be clear, standardised, and easy to understand.
– Data Principals can withdraw consent as easily as it was given.
4. Localised Data Retention Rules:
– Data fiduciaries (e.g., e-commerce platforms) must delete personal data after 3 years of no interaction.
– Data should only be retained as necessary.
5. Obligations of Data Fiduciaries:
– Data fiduciaries must implement strong security measures.
– Data fiduciaries must notify data breaches within 72 hours.
6. Significant Data Fiduciaries:
– Significant data fiduciaries must conduct annual Data Protection Impact Assessments (DPIAs).
– Significant data fiduciaries must also conduct enhanced audits and compliance checks for AI and automated systems.
7. Rights of Data Principals:
– Data Principals have the right to access, correct, erase, and port personal data.
– Data Principals also have the right to be informed about data breaches.
8. Processing of Children’s Data:
– Verifiable parental consent is required for the processing of children’s data.
– Children’s data cannot be tracked or targeted for advertising.
9. Cross-Border Data Transfers:
– Cross-border data transfers are only allowed to whitelisted countries or with adequate safeguards.
– Transferring critical personal data abroad requires government approval.
The Data Protection Board (DPB) operates as a digital office, handling complaints, imposing penalties, and ensuring compliance.
Proactive Data Breach Notification: Data fiduciaries are required to notify affected Data Principals and the DPB within 72 hours of a breach, detailing the nature, extent, and mitigation efforts.
Grievance Redress Mechanism: Data fiduciaries must appoint Grievance Redress Officers to resolve issues within a defined timeframe.
Penalties for Non-Compliance: Serious breaches may result in fines of up to ₹250 crore.
Accountability for Government Processing: The DPB ensures that the government processes personal data in accordance with clear standards, maintaining transparency when providing subsidies, benefits, or public services.
A personal data breach is defined as: any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of that personal data.
In the event of a personal data breach, the data fiduciary is required to notify the Data Protection Board of India and affected data principals in a manner prescribed by the Digital Personal Data Protection Act 2023 (DPDP Act). Additionally, every data fiduciary must protect personal data in its possession or control by taking reasonable security safeguards to prevent personal data breaches, including for processing undertaken by its data processors. The penalties for failing to take reasonable safeguards to prevent a personal data breach may extend to INR 2,50,00,00,000, and for failing to notify the Data Protection Board of India and affected data principals, the penalty may extend to INR 2,00,00,00,000.