DPDPA

DPDPA : What is it ?

The Digital Personal Data Protection Act (DPDPA) is a major Indian legislation that was enacted in 2023 to regulate the processing of digital personal data. This law aims to balance the right of individuals to protect their personal data and the need to process this data for legal purposes. It came into effect on August 11th by the central Indian government and was published in the Official Gazette.

The DPDPA also applies to the processing of digital personal data outside of Indian territory if this processing is related to an activity offering goods or services to the main data holders (Data Principals) on Indian territory. This means that foreign companies processing digital personal data related to their activities in India are also subject to this law.

The DPDPA sets up specific measures for “Significant Data Fiduciaries”, which are entities that process large volumes of sensitive data. These measures include the obligation to appoint a data protection officer based in India, who will represent the entity under the provisions of the law.

This officer will also be the point of contact for the grievance resolution mechanism under the law. Significant Data Fiduciaries are also required to appoint an independent data auditor to conduct a data audit. This auditor will assess the entity’s compliance with the provisions of the DPDPA. Additionally, these entities must conduct a periodic data protection impact assessment, which is a process that includes a description of the rights of the main data holders and the purpose of processing their personal data, the assessment and management of the risk to the rights of the main data holders, and other matters concerning this process as prescribed by the law.

The law pays special attention to the protection of children’s data. Before processing a child’s personal data, verifiable consent from the parent or legal guardian must be obtained. Moreover, tracking or behavioral monitoring of children, as well as targeted advertising towards them, is prohibited.

A key element of the DPDPA is the creation of the Data Protection Board of India. This board is tasked with overseeing and regulating the processing of personal data in India. It consists of a chairman and a number of members determined by the central government.

The DPDPA is a crucial step for India in regulating the digital landscape and protecting personal data. It establishes a balance between the rights of individuals and the needs of businesses, while emphasizing the protection of data of vulnerable groups like children. With the rise of digital technologies and the growing importance of data in India, this law will play a pivotal role in shaping the country’s digital future.