Guardians of Privacy: Navigating India’s Digital Landscape with the Digital Personal Data Protection Act, 2023

By Manish Sehgal

In an increasingly digital world, the protection of personal data has become a paramount concern for individuals, organisations, and governments alike. The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first standalone data protection legislation, enacted after years of attempts to adopt a comprehensive data protection regime. It became law on August 11, 2023, following approval by both houses of Parliament, assent by the President of India, and publication in the official gazette. Before the DPDPA, India had no dedicated data protection law, and the processing of personal data was largely regulated under the Information Technology (IT) Act, 2000. Those measures were widely regarded as insufficient for the challenges of the modern digital landscape, particularly in light of the landmark 2017 judgment of the Honorable Supreme Court of India, which recognised the right to privacy as a fundamental right under the Constitution of India.

The DPDPA marks a fundamental change in India’s approach to data privacy. It seeks to strike a balance between the interests of businesses and individuals by establishing a robust framework for the protection of personal data while allowing for legitimate data processing activities. Moreover, it applies not only to personal data processing within Indian territory but also extends its scope outside India if such processing relates to offering goods and services to individuals (referred to as data principals in the DPDPA) within India.

The DPDPA establishes key data protection principles such as consent, purpose limitation, data minimisation, accuracy, security, and accountability. Individuals are given greater control over how entities process their personal data, with more choice over what they consent to. They are also granted specific rights, including access, correction, erasure, grievance redressal, and the ability to nominate a representative. Organisations must obtain consent from individuals before processing their personal data, except in situations exempted by law. In the past, many digital platforms and services sought blanket permissions, so that a user’s single approval covered a wide array of data processing activities. Under the DPDPA, the approach shifts from blanket permissions to specific choices, breaking permissions down into individual components: for every distinct data processing operation or purpose, the user decides whether to grant or deny consent. Organisations are also required to put in place security safeguards to prevent data breaches, undertake risk assessments for data processing activities, conduct audits, and submit reports to the regulatory body.

With the enactment of the DPDP Act, 2023, organisations need to keep a few key principles in mind to effectively safeguard individuals’ data privacy and ensure responsible data management.

Firstly, it is essential to systematically identify and maintain comprehensive inventories of personal data. Additionally, organisations should align the data flows in their application blueprints with a robust consent management system, ensuring compliance with privacy regulations and user preferences. Lastly, fostering a privacy culture within the organisation is crucial. This can be achieved through regular training sessions for employees, emphasising data privacy best practices and security awareness.

Organisations should also be vigilant about avoiding certain practices in order to maintain robust data privacy standards. Firstly, they must refrain from collecting more data than is strictly necessary for business operations, and they must be transparent about the data they do collect in order to build trust with users. Secondly, organisations must respond promptly to customer requests concerning their personal data, including access and deletion requests; timely and accurate responses demonstrate a commitment to user privacy. Finally, in the unfortunate event of a data breach, organisations should not delay notifying affected parties and the relevant authorities. Swift notification, as mandated by the regulations, is crucial to minimising potential harm and ensuring compliance.

Embracing these precautionary measures enhances the security and privacy focus within the organisational environment. By doing so, organisations not only establish a robust foundation for data privacy but also cultivate trust with their customers, effectively mitigating risks associated with data breaches and ensuring compliance with regulatory standards.

(The authors are Manish Sehgal, Partner, Deloitte India, and Vrinda Kaul, Manager, Deloitte India; the views expressed in this article are their own.)