Steps to Comply With India's Data Protection Law

After almost five years of deliberation, India's Parliament has finally granted approval for the country's first broad data protection law. The legislation places stricter obligations on organizations processing personal data and provides individuals with increased rights over their information.

It imposes restrictions on data transfers outside India unless exempted by a government notification. Here are six steps businesses can take to comply with the new law.

1. Applicability

The Digital Personal Data Protection Act of India covers entities that collect, process and store personal data. This consent must be fully informed and clear, and it cannot be sought for any further purpose other than the purpose(s) reported. The act is extraterritorial in that it applies to those processing the data of people in India even when located outside India.

The law establishes rights and obligations for data fiduciaries. It requires informed, unambiguous, and limited consent; limits processing purposes to those explicitly specified; and ensures data retention only as long as necessary.

Additionally, the DPB (Data Protection Board Of India) will have the authority to investigate complaints against regulated entities and issue directions/penalties as necessary. Its decisions will have an impactful impact on data privacy law as well as business practice.

2. Consent

After nearly six years of deliberations, India has finally adopted its first comprehensive privacy law: DPDP Act. This regulation sets consent mechanisms for data fiduciaries as well as privacy standards and security safeguards to be in effect by law.

Organizations must appoint a Data Protection Officer (DPO), establish grievance redress mechanisms, report breaches to the Board within six hours and gain their data principal's free, specific, informed, and unconditional consent to processing - much like GDPR requirements but with reduced exemptions and stronger protection for certain categories of personal data.

3. Enable Data Principal Rights

The DPDPA, like similar laws worldwide, attempts to strike a balance between the legitimate needs for processing personal information and individuals' right to control it. It outlines rights and duties for data fiduciaries as well as penalties for violations. Furthermore, it creates a category of significant data fiduciaries, requires verifiable consent for children and persons with disabilities as well as localization restrictions for cross-border transfers.

Similar to GDPR, this law imposes higher compliance burdens when processing sensitive and critical personal information. Furthermore, it grants the Government powers to demand access from fiduciaries, boards and "intermediaries", and to block public access to certain computer resources containing specific data.

4. Adopt Data Protection Measures and Safeguards

The Data Protection and Development Protection Act imposes stringent data protection measures on businesses that collect or use Indian citizens' personal data, necessitating modifications to business practices and technology infrastructure.

The Act creates a data protection authority with authority over compliance, investigations and settlement of complaints as well as grievance redress mechanisms. Furthermore, purpose limitations, security safeguards and an obligation to notify of data breaches are included as legal requirements under this statute.

These requirements will force entities to make significant investments to meet minimum standards required by law, which should lead to the natural emergence of good practices tailored specifically for India's context. It remains to be seen, however, whether such changes will adequately protect individuals' privacy.

5. Regulatory Bodies

The DPDP Act places considerable obligations on data fiduciaries to ensure responsible handling and privacy, and grants individuals rights to access and correct their own personal information.

Data Fiduciaries can be defined broadly as any entity which determines the purpose and methods for processing data - from small startups to multinational corporations.

Significant data fiduciaries must appoint a Data Protection Officer, conduct data impact assessments and audits, localize operations within India and set up procedures to address grievances under the Act as well as notify the DPA of their compliance status.

6. Enforcement

India recently passed its inaugural data protection law - the Digital Personal Data Protection Act (DPDPA). This landmark legislation places strict regulations on businesses handling Indian personal data.

Under Indian law, sensitive personal data requires enhanced levels of protection. Furthermore, certain businesses are classified as significant data fiduciaries with additional obligations imposed such as localization restrictions and registration in India.

Organizations must implement processes to ensure compliance with these requirements. Human resources teams should integrate data handling policies into employee onboarding and periodic training programs. Additionally they should draft and publish internal policies or SOPs which describe these requirements in detail.