Comprehensive answers to the most important questions about DPDPA compliance, data protection rights, and privacy best practices.
The DPDPA 2023 is India's comprehensive data protection law that governs the processing of personal data. It establishes rights for data principals and obligations for data fiduciaries, ensuring the protection and lawful processing of personal data within India.
DPDPA 2023 received presidential assent on August 11, 2023. However, the Act will be implemented in phases as notified by the Central Government through official rules and regulations.
DPDPA applies to the processing of personal data where the data is processed within India, or where the processing relates to offering goods or services to data principals in India or to profiling data principals in India.
While both laws protect personal data, DPDPA has India-specific provisions, different penalty structures, simplified consent mechanisms, and distinct definitions of sensitive personal data. DPDPA also has specific provisions for children's data and cross-border data transfers.
Data principals have the right to information, right of access, right to correction and erasure, right to data portability, and right to grievance redressal. These rights ensure individuals maintain control over their personal data.
Data principals can submit requests directly to data fiduciaries through designated channels. Organizations must establish clear processes and respond to rights requests within reasonable timeframes as specified in the rules.
The right to data portability allows data principals to obtain their personal data in a structured, commonly used, and machine-readable format and have it transmitted to another data fiduciary without hindrance.
Data fiduciaries must ensure lawful processing, implement appropriate security measures, obtain valid consent, provide transparency notices, respond to data principal rights, and comply with data breach notification requirements.
Valid consent must be free, specific, informed, unconditional, and clearly given. It should be obtained through clear affirmative action and can be withdrawn by the data principal at any time.
Significant Data Fiduciaries must appoint Data Protection Officers, conduct Data Protection Impact Assessments, undergo periodic data audits, and implement the additional transparency and accountability measures prescribed by the rules.
Yes, but only to certain notified countries and territories, or with explicit consent of the data principal. The Central Government maintains a list of restricted countries where data transfer is prohibited.
Transfers are permitted to countries with adequate data protection laws as notified by the government. For other countries, explicit consent or other lawful grounds as prescribed in the rules are required.
Organizations should conduct data mapping, review consent mechanisms, implement privacy policies, establish data subject rights processes, conduct privacy impact assessments, and train staff on data protection requirements.
Penalties can be up to ₹250 crores depending on the violation. The Data Protection Board has the authority to impose financial penalties based on the nature and severity of the breach.
Organizations must notify the Data Protection Board and affected data principals of personal data breaches without undue delay, following the notification procedures and timelines specified in the rules.
A DPIA is a process for assessing and mitigating the privacy risks of a data processing activity. Significant Data Fiduciaries, and certain high-risk processing activities, require a DPIA to be conducted before processing begins.