Impact of the Digital Personal Data Protection Act on Businesses
| Summary: The Digital Personal Data Protection Act (DPDPA) revolutionizes data privacy in India. We have created a comprehensive guide to the new legislation and its impact. Learn more about the latest data protection standards and how it impacts businesses. |
|---|
To protect individuals and organizations from the risks of data breaches, governments are increasingly adopting data protection legislation. During the Monsoon Session of Parliament in July-August 2023 the Digital Personal Data Protection Act, 2023 was passed.
In this article, we shall cover:
- The Digital Personal Data Protection Act, 2023: The Basics
- Quick Look at Data Protection History in India
- Why We Need a New Law?
- Five Key Terms in the New Data Protection Act
- Chapterwise Explanation of The Digital Personal Data Protection Act?
- How Does The Digital Personal Data Protection Act Affect Businesses?
- Impact of the Act on Indian Startups
- Penalties Under the DPDPA
- Responsibility Of Data Erasure, and How Bitraser Helps With Compliance
The Digital Personal Data Protection Act, 2023: The Basics
The The Digital Personal Data Protection Act, of 2023 aims to protect the personal data of individuals and organizations from misuse.
What is the Data Protection Act?
The Data Protection Act is a law in India that sets rules for how companies can collect, use, and store people’s personal information. It also outlines what rights individuals have regarding their own data.
How does the Data Protection Act impact any Indian business?
If your business collects information from people, like customers or employees, you need to follow this law. It sets out what you can and can’t do with that data. Not following the rules could lead to fines or legal trouble, so it’s important to understand what’s required.
What steps should a business take to comply with Data Protection law?
- Know what kind of personal data you’re collecting and why you need it.
- Make sure you have strong security measures to protect the data from unauthorized access or leaks.
- Tell people what you’re going to do with their data and get their permission before you collect or use it.
- Have a clear policy for deleting or anonymizing data when it is no longer needed or when someone asks for their data to be erased. This makes a data erasure tool such as BitRaser vital for a business to comply with the DPDPA. Ensuring and proving data erasure where relevant is part of your responsibility as a ‘Data Fiduciary’ (in simpler terms, the ‘data fiduciary’ is the business that handles customers’ data).
Quick Look At Data Protection History In India
IT Act, 2000
This was India’s first law that talked about keeping data safe. But it mainly focused on online transactions and computer security. It did say companies should keep data secure but didn’t go into much detail.
Aadhaar Act, 2016
This law is about the Aadhaar ID system in India. It has rules for keeping biometric data (like fingerprints) safe. But it only applies to Aadhaar and not other types of data.
What Is The Need For The Digital Personal Data Protection Act, 2023?
- Countries around the world are making strong data protection laws. India needs to catch up to make sure it can do business easily with other countries.
- Technology is moving fast, and data is at risk. Our old laws can’t handle new challenges like data breaches.
- Right now, we have different laws for different things. We need one strong law that covers everything about data protection.
Five Key Terms In The New Data Protection Act
Data Principal
This term refers to the individual customer or client whose data you’re handling. Understanding their rights under the new law, such as the ability to access and correct their data, is crucial for maintaining trust and compliance.
Data Fiduciary
Your business is the data fiduciary if you’re deciding the purpose and methods of data processing. You have specific responsibilities, like obtaining informed consent from the Data Principal before collecting or using their data. Failure to comply could result in penalties.
Data Processor
If your business outsources data handling tasks, the third-party service doing the job is the Data Processor. While they don’t set data usage policies, they’re still obligated to protect the data. Make sure your contracts with Data Processors are in line with the new law.
Sensitive Data
This category includes high-risk data like financial information, health records, or biometric data. Handling this type of data comes with additional security requirements. Businesses need to be extra cautious and may need to implement advanced security measures.
Consent
This is the explicit permission you must obtain from the Data Principal before processing their data. Consent needs to be clear, informed, and revocable. Businesses should have a straightforward process for Data Principals to give or withdraw consent.
Chapterwise Explanation Of The Digital Personal Data Protection Act?
The Data Protection Act is structured into 9 chapters, each covering a different aspect of data protection in India.
Below is a list of these chapters along with a brief description of what they likely entail:
- Preliminary: This chapter introduces the Act, its scope, and definitions of key terms. It outlines the objectives and key terminology.
- Obligations Of Data Fiduciary: This chapter outlines the responsibilities and obligations of the ‘Data Fiduciary’ – the entity that collects and processes personal data. It discusses consent, data collection limits, and duties like data security.
- Rights And Duties Of Data Principal: This part focuses on the rights of the individual whose data is being processed, known as the ‘Data Principal’. Topics include the right to access, correct, or delete personal data.
- Special Provisions: This chapter delves into specific scenarios or exceptions to general rules, possibly including provisions for minors, sensitive data types, or cross-border data transfer.
- Data Protection Board Of India: This section outlines the formation, structure, and role of a governing body for data protection in India, specifying its powers, functions, and responsibilities.
- Powers, Functions, And Procedures to Be Followed By the Board: This chapter elaborates on the powers and procedures of the Data Protection Board. It could cover topics like audits, investigations, and the issuing of guidelines or recommendations.
- Appeal And Alternate Dispute Resolution: This chapter focuses on the judicial and non-judicial mechanisms available for resolving data protection disputes, including the appeals process.
- Penalties And Adjudication: This section discusses the penalties for violating the Act, how they are determined, and the adjudication process. It may include both financial penalties and other forms of punishment or corrective actions.
- Miscellaneous: This final chapter contains various other relevant provisions, such as how the Act interacts with other laws, transitional arrangements, and any other topics not covered in previous chapters.
How Does The Digital Personal Data Protection Act Affect Businesses?
The introduction of DPDPA is set to redefine the boundaries and responsibilities of businesses about personal data.
The Act sets out several requirements for businesses, including:
- Purpose limitation: Businesses must collect and process personal data only for a specific purpose.
- Data minimization: Businesses must only collect the personal data that is necessary for the purpose.
- Storage limitation: Businesses must not store personal data for longer than necessary.
- Confidentiality: Businesses must keep personal data confidential and protected from unauthorized access.
The following are some of the key impacts of the DPDPA on businesses:
- Data Handling Changes
Businesses must revamp how they gather and store data to comply. This may mean getting permission before collecting personal data, reducing data collected, and erasure of unnecessary data.
- Fresh Responsibilities
Businesses get new duties under the DPDPA. Ensuring data accuracy and security, plus responding to data subject requests, become priorities. Setting up data security measures and response procedures is a must.
- Rising Compliance Costs
Adhering to the DPDPA can increase costs. Establishing data security measures, hiring data protection officers, and managing data subject requests may all contribute.
- Risk of Fines
Non-compliant businesses face fines and penalties. Ignoring the rules can lead to significant financial consequences.
The DPDPA is a game-changer for businesses in India. Those dealing with personal data must align with the DPDPA to sidestep fines and ensure a smooth operational journey.
Impact Of The Act On Indian Startups
Indian startups are facing a funding winter, with investment declining by 70% in the fiscal year 2023. This is due to several factors, including:
- Rising interest rates
- Recessionary trends in developed markets
- The downturn in the value of technology stocks
To weather the storm, startups are cutting costs, becoming more efficient, and focusing on profitability. However, The Digital Personal Data Protection Act (DPDPA), could add to their compliance costs.
The DPDPA is similar to the European Union’s General Data Protection Regulation (GDPR), which has been estimated to have cost businesses 8.1% in profits. The DPDPA could have a similar impact on Indian startups.
With a notable fraction of unicorns—companies valued at over $1 billion—failing to turn profits, the situation is compounded. Only 31 of nearly 100 unicorns have managed to attain profitability.
The next few years will be a test of the resilience of Indian startups. Those who can adapt and innovate will be the ones who succeed.
Penalties Under The DPDPA
The DPDPA includes specific provisions for penalties if there’s a breach of the Act’s rules.
The Data Protection Board of India (the Board) is responsible for determining if a breach is significant and imposing monetary penalties accordingly.
The amount of the penalty is determined based on various factors, such as:
- nature of the breach
- type of data affected
- the actions taken by the person responsible for the breach
| Breach Description | Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach | Up to 250 crore rupees |
| Failure to notify the Board or affected Data Principal of a personal data breach | Up to 200 crore rupees |
| Breach of obligations related to children | Up to 200 crore rupees |
| Breach of obligations of Significant Data Fiduciary | Up to 150 crore rupees |
| Breach of duties under section 15 | Up to 10,000 rupees |
| Breach of any term of voluntary undertaking accepted by the Board | Up to the extent applicable for the breach |
| Breach of any other provision of this Act | Up to 50 crore rupees |
Responsibility Of Data Erasure, And How Bitraser Helps With Compliance
In the wake of the Digital Personal Data Protection Bill, of 2023, ensuring the complete and irreversible erasure of personal data has never been more critical.
The Digital Personal Data Protection Act outlines the rights of a data principal to request data erasure, and the obligation of a data fiduciary to comply.
The key points:
- Chapter 2 of the Act covers the Obligations of the Data Fiduciary or any entity that collects personal data.
- Section 8(7) under this chapter states that the data fiduciary must erase the personal data of an individual if consent is withdrawn or the original purpose for data collection no longer applies.
- There are some exceptions where data retention may still be required by other laws.
- Chapter 3 details the Rights and Duties of the Data Principal or the individual whose personal data is involved.
- Section 12 gives data principals the right to request complete erasure of their data from a data fiduciary.
- On receiving such a request, the data fiduciary is obligated to permanently erase the individual’s data, unless retaining it is critical for legal reasons or the original specified purpose.
The penalties for non-compliance are severe.
Enter BitRaser Drive Eraser – your ultimate solution for data protection compliance.
BitRaser is not just another data erasure tool. It’s a NIST-Tested Software, compliant with every global erasure standard. It guarantees the absolute deletion of data beyond any scope of recovery. Whether you’re an enterprise, an IT Asset Disposition Company, or a government institution, BitRaser caters to all.
Here are some of the key benefits of using BitRaser Drive Eraser:
- Generates tamper-proof certificates of data erasure. [Check a sample.]
- Complies with global data privacy laws and audit requirements.
- Can wipe data from different types of devices, including remote ones.
- Integrates with cloud and asset management tools.
- Supports 24 global wiping standards and allows for configuration and automation.
Conclusion
In an era where data breaches can cause hefty fines, BitRaser Drive Eraser offers complete peace of mind. Its certification and adherence to global data privacy laws make it the best-suited tool for compliance with the Digital Personal Data Protection Act, of 2023. Choose BitRaser Drive Eraser, because when it comes to data protection, you need the best.
About The Author
Girish
Girish is a blogger and writer. He has over 6 years of experience in Data Recovery and Data Eraser technology. In his free time, he writes about technical tips and tutorials.