The Digital Personal Data Protection Act, 2023 (“DPDPA”) is an umbrella legislation that governs the processing of personal data in India. The law establishes a comprehensive framework for the processing of personal data and specifically requires data fiduciaries – defined as persons that determine the means and purposes of processing personal data – to ensure the privacy and security of personal data.
Key Obligations of Data Fiduciaries Under the New Data Protection Law in India
Under the DPDPA 2023, data fiduciaries must comply with the following obligations:
The DPDP Act 2023 also empowers the central government the authority to designate specific data fiduciaries as “significant data fiduciaries” based on factors such as the volume and sensitivity of the data processed, potential risks on data principals, etc. In addition to the abovementioned obligations, significant data fiduciaries must:
a. Appoint an India-based data protection officer who is responsible directly to the board of directors. No particular qualifications have been specified for such individuals at this point; however, it is standard for organisations to appoint personnel from the information security or legal teams.
b. Hire an independent data auditor to conduct periodic data audits.
c. Conduct regular data protection impact assessments.
Children’s Data:
Data fiduciaries must obtain verifiable consent from parents or lawful guardians before processing personal data of children (individuals under 18 years of age) or persons with disabilities who have guardians. Unless specifically permitted by the government through notifications, data fiduciaries are prohibited from processing data that could harm the well-being of a child or engaging in tracking, behavioural monitoring, or targeted advertising directed at children.
Impact on Businesses:
Non-compliance with the DPDPA may lead to fines of up to INR 250 crores. The DPDPA 2023 marks an important step in India’s increasing commitment towards data protection and security. By safeguarding personal data, businesses can improve their reputation, avoid penalties, and gain a competitive edge in an increasingly data-conscious world.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, it’s practice areas, and its members.
It is not intended and should not be construed as any form of advertisement, solicitation, invitation or inducement of any sort from the firm or its members.
Spice Route Legal does not warrant that any information provided on the website is accurate, complete or updated, and further denies liability for any and all loss or damage caused to the user as a result of their reliance on the content provided.
The information made available on this site must in no way be relied upon, or construed, as legal advice. If you need legal assistance, we recommend you seek help from competent counsel licensed to practice and advise in the relevant jurisdiction.