DPDP Bill 2023: India's next step in safeguarding personal data

By: Jaspreet Singh

In a landmark move towards safeguarding personal data, India's Lok Sabha has unveiled the much-awaited Digital Personal Data Protection (DPDP) Bill 2023.

This significant legislation marks a crucial step in creating a comprehensive framework for data protection in the country.

The DPDP bill introduces a number of innovative concepts that promise to reshape the way personal data is handled, setting a new standard for transparency, consent and accountability. One of the bill's defining features is the introduction of the term "data fiduciary", which refers to entities or individuals responsible for determining the purpose of processing personal data. These data fiduciaries play a vital role in collecting data for various purposes, ranging from service delivery to research efforts.

At the heart of the bill are "data principals", the individuals to whom personal data belongs. Under the DPDP bill, data principals are granted several rights, including the rights to access, correction, deletion, erasure, nomination and grievance redressal. The bill also places significant emphasis on obtaining consent, ensuring that it is free, specific, informed, unconditional and unambiguous. This critical aspect is overseen by a "consent manager", which simplifies the process for data entities to manage their consent preferences.

In a forward-looking approach, the bill introduces the concept of the "Significant Data Fiduciary" (SDF). This classification includes entities that process large volumes of sensitive personal data, subjecting them to further obligations established by law. The bill also addresses the sensitive issue of children's data by requiring data fiduciaries to obtain verifiable parental consent before processing such data. Harmful practices aimed at children are strictly prohibited.

The DPDP bill takes a unique approach to cross-border data transfers by adopting a negative list system along with relevant security safeguards. This framework allows data transfers to most jurisdictions except those restricted by the government. This flexibility strikes a balance between data flow and data security.

At its core, the bill is underpinned by a number of key principles: the lawful, fair and transparent use of personal data; purpose limitation; data minimization; data accuracy; storage limitation; responsibility; and solid security guarantees.

For businesses, the passage of the bill will mark a seismic shift. Organizations will need to prioritize transparency and compliance with stringent data protection standards. User interfaces may undergo redesigns to inform users and obtain consent for data collection. Privacy notices and notifications will require updates to align with new regulations. Supplier contracts will need to incorporate dedicated data protection clauses, ensuring external compliance.

The implications also extend to employee training. Companies will need to educate their workforce across all departments on the nuances of using data and the criticality of safeguarding user information. In response to these developments, companies can seek collaboration with experienced data privacy experts and leverage customizable gap assessment tools to ensure seamless compliance with evolving regulations.

As the DPDP bill advances through legislative channels, India is poised to set a global precedent in data protection, strengthening citizens' rights to their personal information and propelling businesses into an era of greater responsibility and accountability.

This article first appeared in ETCISO.in on 08 August 2023.