Understanding The Digital Personal Data Protection Act 2023: A Simple Guide

Banner Image for Blog post: Understanding The Digital Personal Data Protection Act 2023: A Simple Guide
Author profile photo
Gareth Shelwell September 22, 2023

India is on the brink of taking a gigantic leap forward into a new era of consumer data protection. Like never before, there's a magnified spotlight on safeguarding personal data.

For organizations, big and small, this isn't merely about compliance and ensuring you're not hit with mind-blowingly hefty fines but establishing trust and ensuring a smooth transition into this new data-protective era.

How The DPDP Act 2023 Affects Businesses of India

What You'll Learn In This Article.

  • The timeline leading up to the DPDP Act 2023
  • The basics: what data and who is affected
  • Discover what the term "Data Fiduciary" means and how it applies to the Act
  • Explore the affects the Act will have on the businesses of India
  • What's the difference between the GPPR 2018 to the DPDP Act 2023
  • The vicious penalties for non-compliance
  • How the DPDP Act 2023 affects citizens of India
  • Where do businesses go from here

Before we dive into the details, let's take a quick look at the journey to the DPDP Act of 2023

  • 1

    November 8, 2022

    The Ministry of Electronics and Information Technology released the Digital Personal Data Protection Bill 2022 for public consultation.

  • 2

    July 5, 2023

    The cabinet approved the Digital Personal Data Protection Bill, 2023, the revised version of the bill that was put up for public consultation earlier.

  • 3

    August 3, 2023

    The Digital Personal Data Protection Bill 2023 was introduced in Lok Sabha, the lower house of the Parliament of India.

  • 4

    August 7, 2023

    the Digital Personal Data Protection Bill 2023 was passed by Lok Sabha.

  • 5

    August 9, 2023

    The Digital Personal Data Protection Bill 2023 was introduced and passed by the Rajya Sabha, the upper house of the Parliament of India.

  • 6

    August 11, 2023

    The President of India assented to the Digital Personal Data Protection Bill, 2023, which now makes it the Digital Personal Data Protection Act, 2023.

What Is The DPDP Act 2023 And Who Is Affected?

The DPDP Act 2023 is a comprehensive data protection law that applies to the processing of digital personal data within India.

According to the Act, every business in India that collects, stores, uses, or transfers digital personal data of individuals will need to adhere to the Act and its rules.

Image of a global map with India in the spotlight

However, there are some exceptions and exemptions for certain types of data processing, such as:

  • Personal data processed by an individual for any personal or domestic purpose.
  • Aggregated personal data collected for research and statistical purposes.
  • Personal data made publicly available by the data principal or any other person.
  • Personal data processed by the Central Government or any State Government for certain purposes such as national security, public order, or legal proceedings.
  • Personal data processed by small entities such as startups.

The Act also provides different levels of protection for different categories of personal data, such as sensitive and critical personal data.

Sensitive personal data includes information such as financial data, health data, biometric data and sexual orientation.

The Central Government defines critical personal data from time to time and may include information such as military or intelligence data.

These categories of personal data have stricter requirements for processing and transferring across borders.

What Is A Data Fiduciary?

The concept of a Data Fiduciary was popularized by India's Personal Data Protection Bill, which defines entities or individuals that decide the purpose and means of processing personal data as "Data Fiduciaries".

To understand the Act, we must understand this term. Let's break it apart. "data" is just another term for information, especially facts and details about you in this context. "fiduciary" is a fancy legal term that implies trust between two parties. Combine them, and you have "data fiduciary," an entity trusted with your personal information.

According to the Act, a Data Fiduciary is any person who determines the purpose and means of processing personal data. In other words, a Data Fiduciary is the entity that decides why and how personal data is collected and used.

For example, suppose you use an online shopping platform. In that case, the platform is the Data Fiduciary that collects and processes your personal data for various purposes, such as providing you with products, services, recommendations, etc.

The government will identify these entities using the volume and sensitivity of personal data processed and associated risk.

What’s Considered Digital?

The Acts reach is not limited to modern digital services; it even reaches data that has transitioned to digital records!

Image of a Seagate hard drive

No longer can old-school brick-and-mortar businesses operate in the shadows. They, too, must comply with the new regulations.

Businesses currently on the journey from paper to digital are within scope and faced with a twofold challenge: ensuring that old records are protected during digitization and that the new digital records fall in line with the Act's requirements.

Let’s break it down simply:

  • This act looks at all companies' personal data, whether digital or turned digital.
  • If an organization is using digital tools or has changed paper records to digital ones, this law will apply.

How The DPDP Act 2023 Affects Businesses of India

While it’s hard to determine how the Act will affect each different business, one thing is for certain: a monumental shift in how organizations handle and collect data in India is coming.

To help one understand the potential challenges and opportunities facing businesses of India, we can look back to when the European Union's General Data Protection Regulation (GDPR) came into play in 2018.

  1. Clarity and Guidance: Right out of the gate, interpreting specific provisions of the GDPR was an issue. Be prepared with additional resources to help your organization understand and implement the requirements.
  2. Scalability for Different Business Sizes: While GDPR applies to all businesses, the operational impact on smaller and mid-sized companies can be more significant relative to their resources.
  3. Start Early: Many businesses struggled to meet the deadline of GDPR. With severe penalties in place, giving yourself adequate transition time is crucial.
  4. Business Processes and Documentation: Businesses had to review and, if necessary, change their processes and policies related to data to ensure they're GDPR-compliant. This often involved creating or updating privacy policies, terms of service, and other documentation, which we know is resource heavy and time-consuming.
  5. Trust and Reputation: On the positive side, GDPR-compliant businesses could market themselves as trustworthy entities that respect user data, potentially improving their relationship with consumers on a global scale.
  6. Vendors and Third-party Relationships: Companies needed to ensure that their vendors or third-party service providers were also GDPR-compliant, leading to a cascading effect down the business chain.

It’s important to note that the GDPR and DPDP Act 2023, whilst along the same vein, are not the same. Here are the key differences:

The differences between the GDPR of 2018 and the DPDP Act 2023

Image source: Decoding the Digital Personal Data Protection Act, 2023

Implementing the GDPR was no easy feat, but it paved the way for more responsible data handling. The Act promises a similar transformation. Businesses in India, as well as those interacting with Indian enterprises and its citizens, can eagerly anticipate a brighter, more secure tomorrow!

What Are The Penalties For Non-Compliance With The DPDP Act?

Businesses that underestimate the Act's mandates might face staggering consequences, with fines soaring up to and beyond USD$30 million!

The Data Protection Board isn't just observing from the sidelines. They have power to delve deep into investigations and slap organizations with these colossal fines.

And here's the kicker: While the GDPR might consider your business's turnover when determining a fine, the Act disregards it.

The Act features a breach schedule that clearly specifies, in no uncertain terms, the hefty price tags for each violation.

Here are the key notes:

250 Crore rupees
(USD$30 Million)

Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach.

200 Crore rupees
(USD$24 Million)

Breach in observance of additional obligations in relation to children.

200 Crore rupees
(USD$24 Million)

Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach.

With so much at stake, it's now mission critical for businesses to ensure they are taking reasonable steps to secure data and prevent a breach.

By combining phishing simulations with regular security awareness training, organizations create a robust human firewall that complements technological defenses.

This dual approach significantly reduces the chances of a data breach, ensuring not only the security of organizational data but also compliance with the Act.

"(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach." - THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: Section 8, Clause 5

How The DPDP Act 2023 Affects Citizens of India

At the heart of the DPDP Act is a detailed consent mechanism.

Citizens of India are empowered to explicitly give consent and be advised exactly how their data will be used and they will now have the following rights:

  1. Right To Information

  2. Citizens will have the right to know what data is being collected, and the Data Fiduciary will need to make this information available in a way that can be easily understood.

    Data Fiduciary must be transparent about why they collect personal data, how it will be used, with whom it might be shared, and how long it will be retained.

  3. Right To Erase

  4. Citizens will have the right to have inaccurate personal data rectified or completed if it is incomplete. The right to erasure, often referred to as "the right to be forgotten", allows citizens to request the deletion of data that is no longer required.

    If an individual discovers that information held about them is incorrect or misleading, they can have it corrected.

  5. Right To Nominate

  6. Citizens can nominate or designate a representative to exercise their data rights in the event of death or if they are incapable of making their own decisions.

  7. Right To Grievance Redressal

  8. Put simply, this means the right to complain and be heard.

    This right ensures that citizens have a mechanism to raise concerns or complaints regarding collecting, processing, or misusing their personal data.

Where Do We Go From Here?

With the DPDP Act 2023 in the global spotlight, and eye-popping fines for those who risk not taking action, it is more important than ever for Indian companies to get their house in order. Security awareness training will be necessary to promote a privacy-first culture throughout every organization and avoid astronomical fines. CanIPhish provides enterprise-level security awareness training at a fraction of its competitor's price.

Create a free caniphish account!
Gareth Shelwell author profile photo
Written by

Gareth Shelwell

An Ops Manager dedicated to helping you safely swim amongst the internet of phish!