All About India’s New Digital Personal Data Protection Act


In today’s digital world, personal information is constantly shared online, making it more important than ever to protect it. Whether you’re shopping online, using social media, or accessing your bank accounts, your data is out there, and that puts you at risk of misuse.

This is where India’s new Digital Personal Data Protection (DPDP) Act, 2023, comes into play. This law is the first of its kind in the country and sets out clear rules on how personal data should be handled by both companies and government agencies.

The journey to this law began in 2018, when the first draft of the Data Protection Bill was introduced. After several amendments in 2019 and 2021, the bill was eventually scrapped and replaced with a new version—the Digital Personal Data Protection Bill, 2022. The final version of this bill was introduced on August 3, 2023, passed by the Lower House of Parliament on August 7, and by the Upper House of Parliament on August 9. It officially became law on August 11, 2023, after receiving the president’s approval.

In this blog, let’s understand everything you need to know about the Digital Personal Data Protection (DPDP) Act, 2023. 

What is the Digital Personal Data Protection (DPDP) Act, 2023?

The India Digital Personal Data Protection Act 2023 (DPDP Act) is a landmark piece of legislation that attempts to protect people’s privacy in the digital era. The Act applies to all organisations that handle Indian individuals’ personal data.


It covers any personal data collected in India, whether it is stored digitally or converted from non-digital formats. A company that fails to protect your data could face a hefty fine of up to Rs. 250 crore (around USD 30 million) for each breach.

What is Personal Data?

The DPDP Act defines personal data as “any data that relates to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.” This broad definition covers a wide range of information and includes, but is not limited to:

  • Name, address, and contact information.
  • Date of birth and gender.
  • Financial information, such as bank account numbers and credit card details.
  • Online browsing history and search queries.
  • Social media posts and messages.
  • Location data, such as GPS coordinates.

Key Principles of the Digital Personal Data Protection (DPDP) Act, 2023

Lawfulness

The processing of personal data must be just, fair, and transparent.

Limitation on Purpose 

Personal information may only be gathered for clear, explicit, and legal objectives. It may not be used for other purposes or processed in a way that is inconsistent with those goals.

Data Minimisation

Personal information must be sufficient, pertinent, and kept to a minimum, given the goals for which it is handled.

Accuracy 

Personal information must be true and, if updated, kept current.

Limitation on Storage 

Personal information may only be stored for as long as is required to fulfil the purposes for which it is processed and only in a format that allows data subjects to be identified.

Integrity and Confidentiality 

Personal data must be processed in a way that guarantees adequate security, including defence against unauthorised or illegal processing as well as against unintentional loss, destruction, or damage, by utilising the proper organisational or technical safeguards.

Benefits of the Digital Personal Data Protection (DPDP) Act, 2023

Explicit Consent is Required

Before using consumer data for personalised marketing initiatives, companies must obtain explicit permission.

To comply with the Act, an e-commerce firm might, for example, use an in-app or native pop-up on its website or app to ask for users’ permission to use their browsing and purchase history for personalised suggestions. Companies must, however, implement this change in a way that does not interfere with a smooth consumer experience.


Purposeful Use and Timely Data Deletion

Once your data is no longer required, companies are expected to destroy it. Your data should only be used for the purposes for which you consented. Companies should also respond right away to requests for data deletion. This commitment to privacy not only meets legal requirements but also builds your trust.

Robust Data Protection Measures

For companies, protecting your private information is a top priority. Regular security audits, multi-factor authentication, and encryption are examples of essential safeguards. In the event of a data breach, companies must notify the Data Protection Board of India of the breach and any associated risks. For example, a health app that stores your medical records should protect them using multi-factor authentication and robust encryption. To preserve your trust, you would be informed right away in the event of a breach.

Ensuring Data Transparency

You should have easy access to your personal data, with the ability to request corrections if needed. Transparent communication about how your data is used helps build trust. For instance, if you use an e-commerce app, you should be able to view and update your data through a simple interface.

Cross-Border Data Compliance

When your data is shared with international partners, companies must ensure it is only transferred to countries approved under the Act. For instance, an e-commerce application that partners with international suppliers needs to guarantee that your data is only shared with nations that comply with the Act’s regulations. This ensures that your data is protected in accordance with the highest standards.

Safeguarding Children’s Data Privacy

If a company targets children, it must obtain verifiable parental consent before collecting or using data from anyone under 18. For example, a children’s educational app should have a parental verification procedure that uses a variety of channels, such as push notifications, in-app messaging, email, and more, to ensure that permission laws are followed and to improve privacy protection.

Government Agency Exemptions

Companies that work with government agencies must disclose any exemptions that are given to them for reasons such as national security. It is essential to ensure responsible practices that uphold privacy rights.

Take a banking app as an example. If the app partners with the government, the company should be aware that government agencies may have exclusions, especially when it comes to national security.

Conclusion

The Digital Personal Data Protection (DPDP) Act, 2023, is a significant piece of legislation that will substantially change how businesses gather, use, and share personal data in India. The Act gives people more control over the personal information they share with organisations and places stronger requirements on those organisations. Businesses that fall under the DPDP Act must take action to make sure they comply.

Also read: https://www.captainbiz.com/blogs/5-tips-to-take-your-business-online/.

Frequently Asked Questions (FAQs)

What type of data does the DPDP Act apply to?

The DPDP Act is applicable to the processing of personal data in the following scenarios:

  • Handling of personal information gathered in digital format (also known as digital personal data); 
  • Handling of information gathered in non-digital format and later converted to digital format.

However, the DPDP Act’s provisions will not apply if:

  • You are an individual processing personal data for any domestic or personal purpose; or
  • You are processing personal data that has been made publicly available by the data principal or by any other person who is required by Indian law to make it public.

What is the DPDP Act, and how will it impact organisations?

The Digital Personal Data Protection Act, 2023 (also known as the “DPDP Act”) is the most recent law governing how organisations will process, retain, and protect the digital personal data of individuals.

These new regulations will apply to any organisation that gathers and uses digital personal data of any person, including its own employees. It is important to remember that processing personal data is only permitted with appropriate authorisation and for the specific, listed lawful purposes.

What kind of permission is needed to process personal data? How can it be gathered?

According to the DPDP Act, you must obtain the consent of each person whose personal data you want to collect and process before processing any of it. The notice that accompanies the request for consent must explain the nature and purpose of the data collection, how persons whose data is being collected can exercise their rights, and how complaints can be made to the Data Protection Board of India.

CA Kritika Jain
Kritika is a seasoned finance writer with a passion for making complex tax concepts accessible to everyone. With years of experience in the financial sector, she specializes in breaking down intricate tax jargon into clear, easy-to-understand language. She has completed her education at K.C. College, Mumbai, and is a qualified Chartered Accountant.
