Decoding the Digital Personal Data Protection Act, 2023

The DPDP Act is India's first data protection act, and it establishes a framework for the processing of personal data in India.


In brief

  • At a time when technology has become the defining paradigm of the 21st century, India’s ongoing data protection regulation underscores the nation’s focus on building a strong data privacy regime.
  • Building strong privacy governance programs is not only a reputational and business risk requirement but is also an integral part of building a transparent and long-term sustainable organization of the future.

The Digital Personal Data Protection (DPDP) Act, 2023 applies to the processing of digital personal data within the territory of India collected online or collected offline and later digitized. It is also applicable to processing digital personal data outside the territory of India, if it involves providing goods or services to the data principals within the territory of India. 

Significant Data Fiduciary (SDF)

The DPDP Act underlines the role of the significant data fiduciary (SDF), which the government will identify based on the volume and sensitivity of the personal data processed and the associated risk. The specific obligations of an SDF include appointing a data protection officer (DPO) based in India; appointing an independent data auditor; and conducting a data protection impact assessment (DPIA).

Citizens’ rights

The Act will empower the citizens of the country as the data principal rights specifically allow:


At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights.

Penalties

Another salient feature of the DPDP Act is the penalty clause. Data fiduciaries face penalties of up to INR250 crore for non-compliance with its provisions. Some of these are:

  • Breach in observance of the duty of a data principal: up to INR10,000
  • Failure to notify the data protection board and affected data principals in the event of a personal data breach: up to INR200 crore
  • Breach in observance of additional obligations in relation to children: up to INR200 crore

Exclusions

In the Act, non-automated personal data, offline personal data and personal data in existence for at least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been removed. At present, the provision for grievance redressal review is not included. The timeline of 72 hours within which a data breach is to be reported to authorities is excluded.

Sectors impacted

The Act is expected to have an impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023.


Navigating the Digital Personal Data Protection Act and Understanding the Impact on the Industry

The Digital Personal Data Protection (DPDP) Act aims to create a framework that respects individuals' right to safeguard their personal data while acknowledging the need for lawful data processing.

Summary

The DPDP Act is a significant step forward for data protection in India. This act is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and businesses.
