ARTICLE
28 October 2024

Don't Wait For Data Protection Rules: MEITY Asks Stakeholders To Comply With The DPDP Act, 2023

S.S. Rana & Co. Advocates

Contributor

S.S. Rana & Co. is a Full-Service Law Firm with an emphasis on IPR, having its corporate office in New Delhi and branch offices in Mumbai, Bangalore, Chennai, Chandigarh, and Kolkata. The Firm is dedicated to its vision of proactively assisting its Fortune 500 clients worldwide, as well as grassroots innovators, with the highest quality legal services.

Background

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "DPDP Act") was enacted in August 2023. It lays down a robust framework for digital personal data collection on similar lines as the General Personal Data Protection Regulations in the European Union. The Act provides for broad principles of data collection, processing and storage.

The industry has been waiting for the Rules on Data Protection to be fully compliant with the DPDP Act. The Rules were, however, expected to be released for industry consultation in September 2024. In fact, in February 2024, the Parliamentary Standing Committee criticized the Ministry of Information and Technology (MEITY) for the delay in drafting the Rules on Data Protection and for not specifying a timeline for rolling out the Digital India Bill.[1]

Start compliance with the DPDP Act

In a new turn of events, MEITY convened a meeting on October 14, 2024. Members of MEITY, members of the National Informatics Centre, members of the industry, civil society and lawyers were amongst those who attended the meeting.

During the meeting, MEITY asked organisations, including industry and public bodies, not to wait for the Rules to be notified and instead to start adapting their systems and building capacities in keeping with the new law. It is further reported that the officials mentioned that the Rules will not override the provisions of the Act and that nothing will be miraculous in them, and hence it is prudent for organisations to start building their capacities in accordance with the Act instead.[2]

The journey is similar to that of the GDPR, which was enforced in 2016 but came into effect from May 2018, thereby allowing organisations a transition period of two (02) years to be in compliance with the regulations.

Anticipation for Rules

With this meeting, the Government has put an end to the anticipation that had built up amongst industry players and organisations waiting for the Rules before starting their compliance procedures. Organisations that were eagerly waiting for the Rules to come out will now have to start their compliance journey based on the broad principles of the DPDP Act.

To safeguard digital personal data, holding them accountable, while also enshrining the rights and duties of Data Principals. The DPDP Act sets out certain principles in respect of processing of personal data.

What are the principles under the DPDP Act?[3]

  1. The principle of consented, lawful and transparent use of personal data;
  2. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
  3. The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
  4. The principle of data accuracy (ensuring data is correct and updated);
  5. The principle of storage limitation (storing data only till it is needed for the specified purpose);
  6. The principle of reasonable security safeguards; and
  7. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Act and imposition of penalties for the breaches).

What can organisations do to be DPDP compliant?

To initiate the process, organisations need to start with:

  1. Conducting gap assessment exercises to analyse the current and expected practices;
  2. Conducting a Data Protection Impact Assessment;
  3. Introducing/updating the data safety protocols followed and ensuring adherence to information security standards;
  4. Developing consent practices;
  5. Reviewing existing agreements and contracts and embedding standard clauses for data protection; and
  6. Following the general principles of fairness, data minimisation and purpose limitation.

Footnotes

1. https://ssrana.in/articles/how-is-delay-in-release-of-dpdp-rules-impacting-business/#:~:text=The%20impending%20Data%20Protection%20Rules,out%20the%20Digital%20India%20Bill.

2. https://www.moneycontrol.com/news/business/get-cracking-on-data-protection-act-dont-wait-for-rules-meity-tells-stakeholders-12843911.html

3. https://pib.gov.in/PressReleasePage.aspx?PRID=1947264

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
