Digital Personal Data Protection

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” - Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union Of India & Ors. (2017)

With over 760 million active internet users, India is the world's second-largest internet market. In August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, a comprehensive data protection measure, after the Supreme Court of India acknowledged the right to privacy in a 2017 ruling.

India passed the Digital Personal Data Protection Act, or DPDP Act, in August 2023. It is a piece of legislation that strikes a balance between people's rights to privacy protection and the need to process personal data only for legitimate purposes. The Act describes the rights and responsibilities of Data Principals, the people to whom the data relates, and places requirements on Data Fiduciaries, those who process data. Additionally, it adds monetary fines for violations.

The Personal Data Protection Bill (PDPB) 2022, India's most recent attempt to enact a comprehensive data privacy law, comes after the DPDP. The National IT Governance Framework Policy and the new Digital India Act were two of the laws that the Bill was a part of.

"To provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto," states the draft legislation outlining the purpose of PDPB 2022.

A Brief History of India’s Privacy and Personal Data Protection Laws:

India lacked a comprehensive privacy law prior to 2022. In the Puttaswamy Judgement, popularly referred to as the Right to Privacy verdict, the Supreme Court of India declared in 2017 that the right to privacy is a constitutionally guaranteed right. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, or SPDI Rules, which were put into effect in 2011, are limited, and the court also emphasized that India does not have a comprehensive privacy law.

The Indian government created draft laws to safeguard Indians' privacy in the wake of the Right to Privacy ruling. Previous iterations of the Personal Data Protection Bill, such as the Data Protection Bill 2021, which shared some characteristics with the General Data Protection Regulation (GDPR) of the European Union, were subject to intense criticism and ultimately failed. In August 2022, it was taken down.

Section 43A of the IT Act and the SPDI Rules were to be replaced in part by the Digital Personal Data Protection Bill 2022, which was put forth by the Ministry of Electronics and Information Technology on November 18, 2022.

The Data Protection Board of India

The Data Protection Board of India (DPB), the country's first regulatory agency devoted to safeguarding the privacy of personal data, was established by the DPDP. The DPB's objective, like that of other comparable regulatory bodies, is to monitor compliance and penalize non-compliant companies.

Rights of Data Principals

The Digital Personal Data Protection Act of India defines a number of rights for citizens, referred to as Data Principals, which may affect enterprises. Among them are the rights to:

  • Understand what personal information is being collected about them: People have the right to know what personal information is being collected about them, why it is being gathered, and who else may receive it.
  • Access personal data: People are entitled to see the personal data that a company is handling about them.
  • Update, delete, or correct personal data: Individuals have the right to have their personal information updated or deleted if necessary. They also have the right to have any errors in their personal information corrected.
  • Object to the processing of their personal data: Under some situations, people are entitled to object to the processing of their personal data.
  • Transfer personal data to another organization: Under certain conditions, people are entitled to transfer their personal data to another organization.
  • Make a complaint with the Data Protection Board (DPB): If someone feels that the way their personal data has been processed does not comply with the DPDP Act, they are entitled to make a complaint with the DPB.

Responsibilities of Data Principals and Organizations

Organizations that process personal data are subject to limitations and requirements under the DPDP Act, which include:

  • Obtain consent from individuals prior to processing their personal data: Unless an exception exists, organizations are required to obtain consent from individuals prior to processing their personal data.
  • The Bill relates to the processing of digital personal data in India, whether it is (i) gathered online or (ii) gathered offline and then digitalized. If processing personal data is done outside of India in order to provide products or services within India, then it will also be covered by this law. Any information about a specific person who may be identified from or through such information is considered personal data. Processing is described as an automated process or collection of procedures carried out on digital personal data, either fully or partially. Collection, storing, using, and sharing are all included.
  • Use personal information exclusively for the purposes for which it was gathered: Unless the individual has given permission for additional processing, organizations are only permitted to use personal information for the purposes for which it was collected. Personal data may be processed only for legitimate purposes after getting the individual's consent. Prior to requesting consent, notice must be given. Information regarding the personal data that will be gathered and the reason for processing it should be included in the notification. The ability to revoke consent is always available. For "legitimate uses," which include the following, consent will not be needed: (i) a specific purpose for which a person has willingly submitted data; (ii) the government providing a benefit or service; (iii) a medical emergency; and (iv) employment. Consent will be given by the parent or legal guardian for those under the age of eighteen.
  • Prevent unauthorized use, access, disclosure, alteration, and destruction of personal data: Organizations must implement the necessary organizational and technical safeguards to prevent unauthorized use, disclosure, alteration, and destruction of personal data.
  • React to requests for access, correction, deletion, and objection from individuals: Organizations are required to provide a reasonable response to requests for access, correction, deletion, and objection from individuals.
  • Notify the DPB of any data breaches: Organizations are required to notify the DPB of any data breaches within 72 hours of learning about them.

Penalties for Noncompliance

Infractions of the regulations may result in fines of up to 250 crore INR/$30 million, particularly for failing to put information security measures in place that are required to reduce the risk of a breach of personal data.

The punishment is not as harsh as the law from 2022, which sought to fine up to INR 500 crore, or roughly $61 million.

Status of India's Digital Personal Data Protection Act

On August 9, 2023, India passed the Digital Personal Data Protection (DPDP) Act, 2023, which governs the practices of companies that process digital personal data. The Digital Personal Data Protection Bill, 2022, which was introduced in November of that year, served as the foundation for the DPDP Act.

Personal data is any information that can be used to identify or contact a specific individual. Both governmental and commercial entities process personal data in order to deliver goods and services. Understanding user preferences through the processing of personal data is useful for recommendations, customized ads, and targeted marketing. Law enforcement may also benefit from the processing of personal data. People's right to privacy is recognized as a fundamental one, but unrestricted processing may have detrimental implications on that right. People could suffer from things like financial loss, reputational damage, and profiling as a result.

A Committee of Experts on Data Protection was established by the national government in 2017 to look into matters pertaining to data protection in the nation. Justice B. N. Srikrishna serves as the committee's chair. In July 2018, the Committee turned in its report. In December 2019, the Personal Data Protection Bill, 2019 was presented in the Lok Sabha, based on the Committee's recommendations. A Joint Parliamentary Committee was assigned the Bill, and it turned in its report in December 2021. The Bill was removed from Parliament in August 2022. A draft bill was made available for public comment in November 2022. The Digital Personal Data Protection Bill, 2023 was presented to Parliament in August of that year.

How can SKMC Global help you?

As a service provider in the field of digital personal data protection, SKMC Global is essential in assisting businesses in adhering to data protection laws and guaranteeing the security and privacy of personal data. Here's how we get involved:

Regulatory Compliance:

Offer guidance on adhering to data protection rules and regulations, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other local data protection requirements. Help in creating and putting into effect data protection policies and processes that adhere to best practices and regulatory requirements.

Data Protection Strategy:

To find and assess any risks and weaknesses pertaining to personal data, conduct risk assessments. Create plans and strategies for data protection to reduce risks and guarantee the security and privacy of personal information.

Implementation of Controls:

To prevent unwanted access or breaches, use technical controls and security measures including encryption, access controls, and secure data storage solutions. Create organizational measures, such as training curricula, incident response plans, and roles and responsibilities for data protection.

Data Protection Impact Assessments (DPIAs):

Conduct DPIAs to make sure risks are properly managed and to assess how data processing operations affect individual privacy. To prove compliance with data protection laws, compile and record the conclusions and suggestions of DPIAs.

Privacy Policy and Consent Management:

Create and maintain privacy rules and notices to enlighten people about the gathering, usage, and protection of their personal information. Establish procedures for getting and handling people's consent for data processing operations, making sure that consent is freely provided, informed, and reversible. Help handle and respond to requests for access, rectification, erasure, and data portability made by data subjects.

Incident Response and Breach Management:

Create and put into action incident response plans to deal with security issues and data breaches. Help oversee the notification of breaches to impacted parties and regulatory bodies, making sure that all legal obligations are met.

Data Protection Audits:

To evaluate adherence to data protection laws and policies, conduct routine internal audits.

Vendor and Third-Party Management:

We conduct due diligence on third-party contractors to make sure they adhere to data privacy laws and have the necessary safeguards in place. To make sure they adhere to legal and regulatory obligations, draft and oversee contracts with third parties that address data protection.

Documentation and Consultation:

Keep documentation of all data processing operations, impact analyses for data protection, and compliance initiatives. Report on a regular basis on compliance status, data protection operations, and any incidents or breaches.

Consultation and Support:

Provide knowledgeable advice on best practices, regulatory interpretations, and complicated data protection challenges. As the regulatory environment evolves and new data protection concerns arise, offer continuing assistance and guidance.

Your enterprise can improve its data security procedures, guarantee regulatory compliance, and efficiently manage and secure personal data by utilizing SKMC Global's experience. This reduces risks, fosters interpersonal trust, and helps people stay out of trouble legally and financially.
