October 16, 2023
With 1.4 billion people now protected by data privacy rights they previously lacked, businesses interested in serving the Indian market will need to become familiar with the Digital Personal Data Protection Act (DPDPA). Here, we’ll break down all the basics of the DPDPA—what’s unique about the law, what rights it confers to individuals and responsibilities it gives businesses, and more.
Osano’s Head of Privacy, Rachael Ormiston, discusses the act at a high level in the video below. For a more in-depth exploration of the DPDPA, read on.
India’s DPDPA is the culmination of efforts to address data protection and privacy concerns in India. Overall, businesses familiar with the EU’s GDPR will find many of the same concepts and requirements in the DPDPA, such as the need for consent, the provision of data subject rights (or rather, data principal rights—more on that later), and more.
While the DPDPA resembles the GDPR, it does have several unique features. Its language, requirements, history, and concepts all make this law stand out compared to others.
The DPDPA applies to your organization if you:
However, one of the controversial aspects of the DPDPA is its broad set of exclusions. Many government agencies are exempt, and the central government has the power to exclude certain categories of organizations in the future (such as startups). Processing publicly available personal data, processing for research purposes, and processing non-Indian citizens’ data under some circumstances are exempt as well.
Data privacy regulation in India has taken a long road. Here's a brief timeline that illustrates how long the road has been.
It’s clear that both data privacy regulations in general and the DPDPA specifically have been controversial in India. Generally, that means we can expect rules and regulations to be tweaked and changed to satisfy all the different stakeholders as the law matures.
If you’re familiar with other data privacy laws, then some of the terminology in the DPDPA may seem unusual, though their definitions should be mostly familiar. Here are some of the new terms introduced by the DPDPA:
The Indian Digital Personal Data Protection Act holds significant importance for businesses for several reasons—not least because India is home to 1.4 billion people who previously had no data privacy protections.
The India data privacy law aligns with the bulk of international standards regarding data privacy regulation, but it has its own unique spin. The introduction of consent managers, for example, is one such difference. Businesses need to adhere to India's consent manager standards and framework to simplify their compliance.
Under the DPDPA, consent will likely serve as businesses’ primary basis for data processing. The DPDPA does feature legitimate interest as a legal basis for processing as well, just like the GDPR does; but unlike the GDPR, legitimate interest is highly restricted. Most of the time, data principal consent is going to be the main legal basis for processing.
If your organization is considered an SDF (a significant data fiduciary, as designated by the Indian government), then you’ll need to have a data protection officer (DPO) in your organization. Again, this is similar to the GDPR. But where the GDPR allows you to have a DPO based anywhere in the world, the DPDPA requires your DPO to be locally based in India.
Of course, one of the primary reasons any business will want to comply with the DPDPA is to avoid the fines and penalties associated with noncompliance.
The DPDPA grants the government the power to create a board charged with enforcement. The board has a preset list of penalties it may impose depending on the nature of the violation, ranging from INR 10,000 (roughly $120 USD) to INR 250 Crores (roughly $30M USD).
The DPDPA establishes a comprehensive rights-based framework for data protection, focusing on individual rights and consent as a primary legal ground for data processing. Compared to the GDPR and other privacy laws, however, data principals have fewer rights under the DPDPA. They include:
Note that unlike other data privacy laws, the DPDPA does not include the right to data portability or to not be subject to automated decision-making.
Compliance with any data privacy law is an ongoing endeavor that can’t be summed up in a single blog post. (Despite our best efforts!) However, there are a few key steps that you can take to meet some of the DPDPA’s more particular requirements.
Given the heavy emphasis on consent as a legal ground for data processing, businesses should develop robust consent management processes. Consent should be obtained in clear, plain language, and individuals should have the ability to withdraw consent at any time. Consent management platforms (CMPs) can help businesses handle consent in an automated way without requiring the R&D that it takes to develop a homegrown solution.
You’ll want to establish, document, and budget for a method of grievance redressal. Because grievance redressal is a data principal right under the DPDPA, the act also requires every data fiduciary to appoint a grievance officer. This individual’s contact information must be published and made available to consumers.
If classified as a significant data fiduciary (SDF), businesses must appoint a DPO based in India to oversee compliance with the DPDPA. This individual is responsible for ensuring compliance, managing data audits, and performing other DPO tasks as outlined in the law.
Obviously, this requirement can be quite onerous if you don’t already have an office based in India. The decision to label an organization as an SDF lies solely with the central government, but it has indicated that SDFs will only be organizations that process high-volume, high-risk, and highly sensitive data.
Businesses should also establish processes for:
Compliance with any data privacy law can be complicated, but given the unique provisions of the DPDPA and the sheer number of individuals it protects, businesses may struggle to get compliant quickly.
Fortunately, Osano can help with a number of DPDPA requirements. Businesses using the Osano platform will be able to:
Schedule a demo of Osano today to take your first steps toward DPDPA compliance.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.