Overview
As we all know, the Parliament of India has recently passed the Digital Personal Data Protection Bill, 2023 (DPDP). This bill applies to the processing of digital personal data in India. It also applies to processing personal data outside India, if it involves providing goods or services in India. The bill lists the responsibilities of Data Fiduciaries (processors of personal data), the rights of Data Principals (data subjects), and the consequences of non-compliance.
Key Principles
- The bill gives enormous rights to Data Subjects, such as the right to information, the right to correction and erasure, and the right to nominate.
- The bill empowers the Central government to block an organization or impose fines in case of violations. A Data Fiduciary can face a penalty of 250 crore INR under this bill if it fails to take sufficient measures to prevent personal data breaches.
- The personal data may be used only for the purposes for which the data principal has given his consent. The data should be deleted by the Data Fiduciary once its purpose has been met.
- The Data Principal can give and withdraw their consent to the Data Fiduciary via the Consent Manager.
- The bill empowers citizens, as Data Subjects have the right to ask for correction and deletion of their data for which they have previously given consent. They have the right to know how their data is processed and can also raise grievances with the Data Fiduciary. The Data Fiduciary shall erase the personal data of the Data Subject on receiving an erasure request from the Data Subject.
- The bill, by default, allows cross-border data transfers. It defines the rights of Data Subjects and the responsibility of Data Fiduciaries. The responsibility of Consent Management and Breach Management for Data Fiduciaries has been added to the bill. The personal data should only be used after obtaining consent from an individual and should be deleted upon withdrawal of consent. The Consent Managers will be accountable to the Data Subjects. They will be acting as agents for the Data Subjects. Consent Managers should register with the Data Protection Board of India.
- The Central government can restrict the transfer of personal data for processing outside India by a Data Fiduciary, as it deems fit.
- Data Fiduciary may appoint or make use of a Data Processor to process personal data on their behalf for any activity concerning Data Principals.
- The bill will redefine how personal data is handled by various Data Fiduciaries. Data Fiduciaries have the responsibility to take appropriate steps to prevent a data breach. They must list down the appropriate measures being taken to protect personal data. In case of a Data Breach, Data Fiduciaries must inform the Data Protection Board of India and the affected data subjects. The bill will be implemented soon and Data Fiduciaries will play a major role during its implementation.
The bill is similar to other international Data Privacy Regulations when it comes to Data Subject Rights, protection measures, penalties, and fines. However, it does not specify any particular timeline to comply with the regulation. Also, it does not apply any restrictions on cross-border data transfer. However, the Government can list down the countries to which the personal data should not be transferred.
iEDPS and Securiti.ai
iEDPS (Infosys Enterprise Data Privacy Suite), along with Securiti.ai, offers robust Data Protection solutions that can help to comply with India’s Digital Personal Data Protection Bill 2023 and other data privacy regulations internationally.
- Securiti.ai offers Data Intelligence and Business Automation through its PrivacyOps architecture, enabling enterprises to comply with the DPDP Act.
- Securiti.ai provides solutions for Consent Management, which is its major strength. Cookie Consent Management is streamlined through its automated framework. The DPDP bill complies with International Privacy regulations such as GDPR, CCPA, and others. However, in contrast to other international regulations, the DPDP Act introduces Consent Management.
- iEDPS, on the other hand, has Data Protection capabilities such as Static Masking, Data Sub-setting, and Privacy Impact Assessment and can help in Breach Management. Businesses should make use of Robotic Process Automation (RPA) to accelerate compliance, which will help to advance in the continuously changing world of data privacy.
Infosys 4D Methodology
Infosys enables 4D services through its 4D framework.
- Diagnose – This phase will identify gaps and give recommendations to comply with the DPDP Act. This will create a plan for the organization to embark on its compliance journey.
- Design – This phase will help the organization design privacy and data protection controls.
- Deliver – This phase will implement data protection controls across the organization to comply with the security principles of applicable laws.
- Defend – We do periodic assessments for baseline measurement, Privacy Impact Assessment automation, and privacy assurance.
Conclusion
This bill will reshape the processing of personal data by businesses in India as it comes at a time when India is transforming into an international digital economy. It will prove to be a major tool for the protection of user data, which is the key element of India’s digital economy. It’s a move by India towards its commitment to create a secure atmosphere for its people and businesses.