All about DPDP Act, 2023

Empowering individuals and enhancing trust through the DPDP Act

A photographic portrait of Rahul Rishi
Rahul Rishi

EY India Consulting GPS Leader

3 minute read 02 Nov 2023
Related topics
Cybersecurity
Technology leader's agenda
Digital

In the era of digital data explosion, the newly enacted DPDP Act endeavours to uphold individuals' authority over personal information.

In brief

  • Amid the rise of technology and data-driven decisions, it becomes increasingly crucial for individuals to understand their rights and protections under this legislation.
  • The act shields individual data from automated processing, including profiling.

The newly enacted Digital Personal Data Protection Act 2023 represents a significant stride in safeguarding personal data for Indian citizens. This act now serves as a catalyst for data empowerment, providing individuals with the capacity to control, supervise, and safeguard their personal information. By outlining procedures for corporations and the government to gather and utilize data concerning India's citizens, this act embodies a transformative juncture. Its mission extends beyond instilling individuals with confidence in the security of their data, aiming to foster a domain of conscientious and accountable data processing practices.

Welcome to “Gateway to data privacy and protection,” an innovative podcast series that delves deep into the realm of data privacy and protection.

Know more

The core of this act revolves around a set of data principles. These principles spindle around the basic idea that individuals inherently possess rightful dominion over their personal data—a dominion that mandates responsible and ethical handling by entities and establishments.

 

Consent is prime

 

As per the act, organizations may solely process an individual's personal digital data for a specific purpose, unless alternative consent is granted. For example, if an online retailer under a conglomerate manages personal data for a mobile purchase, the consent is exclusively applicable to that transaction. The data cannot be transmitted to the parent company or a sister organization. This delimited, informed, and functional consent effectively prevents data misuse.

 

Another extent of individual empowerment lies in the right to rectification. Individuals are empowered to rectify inaccurate or incomplete personal data held by organizations, including correcting name spellings. Data fiduciaries—the entities collecting and safeguarding data—must diligently strive to uphold data accuracy and completeness. The act compels entities, like insurance organizations, which previously lacked avenues for data correction, to now furnish means to rectify data, ensuring its precision and entirety.

 

The right to erasure of data lacks clear provision under existing laws. The new act introduces the right to erasure , wherein individuals, under certain conditions, can request the deletion of personal data no longer essential for its original collection purpose. Imagine a food ordering platform scenario. A long-term user who is not interested in continuing his engagement can now request the complete erasure of their data associated with the initial purpose of collection. The DPDP act extends the privilege of data porting to individuals. The user can now port his data to another similar platform if he wishes to. Thus a citizen can reuse the personal data across diverse services, fostering competition among service providers and choice for users.

October is Cybersecurity awareness month special, and this special podcast series is dedicated to helping you stay safe online. Join us as we dive into the world of cybersecurity, providing insights, tips, and expert interviews to help you stay safe in the digital realm.

Know more

Although customers maintain control and can grant consent for diverse data applications, individual consent doesn't exempt data-holding institutions from their data protection obligations. With the new act, all data fiduciaries, are being held accountable for safeguarding, managing, and minimizing data misuse—a responsibility not previously mandated.

 

The act also shields individual’s data from automated processing, including profiling. If such decisions yield significant consequences, the law safeguards data principals from unwarranted or automated processing of their personal data in cases where data fiduciaries have not obtained consent.

 

Remedies and measures

 

The act stresses on creating transparent policies regarding the storage, use and access to citizens’ data implementing processes to ensure that data is being used ethically, giving citizens a level of control. However, in the event of data rights violations, individuals possess an avenue to seek remedies and compensation. In any such case, an individual can initiate a complaint with the data fiduciary. The data fiduciary should respond to grievances within certain period. If the concern remains unaddressed, he or she can escalate the matter and approach the data protection board, an entity data protection board which is to be constituted by the central government. Considering the nature, gravity and duration of the breach and the type and nature of the personal data, the board can impose monetary penalty. As a final option, legal redress through the courts remains available.

 

In an era increasingly dominated by digital data, securing individuals' control and comprehension of their personal information remains paramount. Consequently, a deep understanding of its provisions and steadfast compliance is important for organizations as well.

How EY can help

Related articles

India's Digital Data Protection Bill: Implications of deemed consent

The concept of deemed consent, introduced in the DPDP Bill, holds the potential for substantial effects on employees and organizations alike. Explore its implications and significance here.

Harshavardhan Godugula + 1

How DPDP Act will impact the e-commerce businesses

Learn how the DPDP Act impacts the e-commerce businesses with EY's podcast. Master data privacy norms for online business. Listen now!

16m 22s

Decoding the Digital Personal Data Protection Act, 2023

The DPDP Act is India's first data protection act, and it establishes a framework for the processing of personal data in India. Learn more about DPDP Act.

Lalit Kalra

    Summary

    The act transcends being a mere collection of constraints and regulations; its essence is empowerment. Through the conferment of pivotal rights upon data principals and the imposition of rigorous obligations upon data fiduciaries, the act ardently endeavours to strike an equilibrium between technological innovation and individual personal data protection.

    About this article

    A photographic portrait of Rahul Rishi
    Rahul Rishi
    EY India Consulting GPS Leader
    Partner with Government & Public Sector practice in India. Works closely with governments in India and overseas, helping them improve public administrative and citizen services using technology.
    Related topics
    Cybersecurity
    Technology leader's agenda
    Digital

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.