Background
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "DPDP Act") was enacted in August 2023 and lays down a robust framework for the collection of digital personal data, on lines similar to the General Data Protection Regulation (GDPR) in the European Union. The Act provides for broad principles of data collection, processing and storage.
The industry has been waiting for the Rules on Data Protection in order to be fully compliant with the DPDP Act. The Rules were expected to be released for industry consultation in September 2024. In fact, in February 2024 the Parliamentary Standing Committee criticised the Ministry of Electronics and Information Technology (MEITY) for the delay in drafting the Rules on Data Protection and for not specifying a timeline for rolling out the Digital India Bill.[1]
Start compliance with the DPDP Act
In a new turn of events, MEITY convened a meeting on October 14, 2024. Members of MEITY, members of the National Informatics Centre, representatives of industry and civil society, and lawyers were among those who attended.
During the meeting, MEITY asked organisations, including industry and public bodies, not to wait for the Rules to be notified and instead to start adapting their systems and building capacity in keeping with the new law. It is further reported that the officials said the Rules will not override the provisions of the Act and will contain nothing unexpected, so it is prudent for organisations to start building their capacity in accordance with the Act now.[2]
The journey is similar to that of the GDPR, which was adopted in 2016 but became applicable from May 2018, allowing organisations a transition period of two years to bring themselves into compliance with the regulation.
Anticipation for Rules
With this meeting the Government has put an end to the anticipation that had built up among industry players and organisations waiting for the Rules before starting their compliance procedures. Organisations that were waiting for the Rules in order to comply will now have to start their compliance journey based on the broad principles of the DPDP Act.
To safeguard digital personal data, the DPDP Act holds the organisations processing it accountable while also enshrining the rights and duties of Data Principals. To that end, the Act sets out certain principles in respect of the processing of personal data.
What are the principles under the DPDP Act?[3]
- The principle of consented, lawful and transparent use of personal data;
- The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
- The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
- The principle of data accuracy (ensuring data is correct and updated);
- The principle of storage limitation (storing data only till it is needed for the specified purpose);
- The principle of reasonable security safeguards; and
- The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Act and imposition of penalties for the breaches).
What can organisations do to be DPDP compliant?
To initiate the process, organisations need to start with:
- Conducting gap assessment exercises to analyse current practices against expected practices;
- Conducting Data Protection Impact Assessments;
- Introducing or updating the data safety protocols followed and ensuring adherence to information security standards;
- Developing consent practices;
- Reviewing existing agreements and contracts and embedding standard clauses for data protection; and
- Following the general principles of fairness, data minimisation and purpose limitation.
Footnotes
3. https://pib.gov.in/PressReleasePage.aspx?PRID=1947264
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.