Overview:
The India Digital Personal Data Protection Act, 2023 (DPDP Act), enacted on August 11, 2023, regulates the processing of personal data in digital form, including data collected offline and later digitised, to safeguard the privacy of individuals in India. It applies to organizations that process such data within India, and to processing outside India that is connected with offering goods or services to individuals within the territory of India.
The Act defines "personal data" as any data about an individual who is identifiable by or in relation to that data, such as a name, address, phone number or email. Unlike the earlier draft bills, the 2023 Act does not carve out a separate "sensitive personal data" category: financial or health records are treated as personal data and receive the same protections as any other. Individuals (called Data Principals in the Act) have rights to access, correct and erase their data. Processing personal data requires the individual's consent, except for the "legitimate uses" specifically listed in the legislation.
What Does the DPDP Law Say?
The DPDP Act lays down the following rules for the collection, use and processing of personal data in India:
- Organizations (Data Fiduciaries) must obtain consent before collecting, using or processing an individual's personal data, unless one of the legitimate uses listed in the Act applies.
- Personal data can only be utilized for the purposes for which it was collected.
- Organizations are required to implement reasonable security safeguards to prevent a personal data breach.
- Individuals retain the right to access, modify, and erase their personal data.
- In the event of suspected misuse of personal data, individuals can raise a grievance with the organization and, if it is not resolved, complain to the Data Protection Board of India.
Organization’s Key Takeaways from the DPDP Act
Organizations must review how they collect and process data, including identifying the types of personal data collected and their purposes.
Consent managers, registered with the Data Protection Board of India, will manage data consent on behalf of individuals.
The DPDP Act creates the Data Protection Board of India to enforce the law, inquire into complaints and breaches, and impose monetary penalties.
Organizations notified as Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) based in India, and an independent data auditor, to ensure compliance with the DPDP Act.
Individuals have the right to file complaints with the Data Protection Board of India if their data is misused, after first using the organization's own grievance redressal mechanism.
Individuals can view, correct, and remove their personal data, with organizations required to respond promptly.
Organizations must obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, for data processing, except for the legitimate uses outlined in the Act.
Organizations must implement appropriate data security measures to protect personal data.
Meeting DPDP Requirements
Organizations can take the following security measures to comply with the DPDP Act:
Encrypt personal data at rest and in transit to protect it from unauthorized access.
Implement access control measures such as strong authentication, multi-factor authentication, and role-based access control, so that personal data is reachable only by the roles that need it for the purpose it was collected for.
Use security tools like firewalls, intrusion detection systems, and vulnerability scanners.
Have a plan to detect and respond to data breaches quickly and effectively; the Act requires the organization to notify the Data Protection Board of India and each affected individual of a personal data breach.
Educate employees about the DPDP Act and the importance of data protection.
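Several of the measures above (encryption at rest, application-layer encryption of individual fields, and being able to honour an erasure request reliably) come together in envelope encryption with per-record keys. The Go program below is an added example written for this page; it is not JISA Softech's code and not text from the Act. Each data principal's record gets its own data-encryption key (DEK), every field is sealed with AES-256-GCM bound to the record ID and field name, the DEK is wrapped under a key-encryption key (KEK), and an erasure request is served by destroying the wrapped DEK (crypto-shredding). The in-process KEK, the record layout, the helper names and the sample values are assumptions made for the example; in production the KEK stays inside an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedRecord is what the datastore holds for one data principal: a ciphertext
// per field plus the record's DEK, itself encrypted ("wrapped") under the KEK.
type EncryptedRecord struct {
	ID         string
	WrappedDEK []byte            // nil once the record has been erased
	Fields     map[string][]byte // field name -> nonce || ciphertext
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// kek is the key-encryption key. Generating it in process is an assumption made so
// the example runs offline; a real deployment keeps it in an HSM/KMS.
var kek = random(32)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce. The aad ("recordID/field")
// binds the ciphertext to its context, so a blob copied into another record or field fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, data, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(data) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Encrypt makes a fresh DEK for the record, seals each field under it and wraps the DEK under the KEK.
func Encrypt(id string, fields map[string]string) (*EncryptedRecord, error) {
	dek := random(32)
	rec := &EncryptedRecord{ID: id, Fields: map[string][]byte{}}
	for name, val := range fields {
		ct, err := seal(dek, []byte(val), []byte(id+"/"+name))
		if err != nil {
			return nil, err
		}
		rec.Fields[name] = ct
	}
	wrapped, err := seal(kek, dek, []byte(id+"/dek"))
	if err != nil {
		return nil, err
	}
	rec.WrappedDEK = wrapped
	return rec, nil
}

// Field unwraps the DEK and decrypts one field. Tampering, a context mismatch, a missing
// field or an erased record all surface as errors, never as wrong plaintext.
func Field(rec *EncryptedRecord, name string) (string, error) {
	if rec.WrappedDEK == nil {
		return "", errors.New("record erased: DEK destroyed")
	}
	dek, err := unseal(kek, rec.WrappedDEK, []byte(rec.ID+"/dek"))
	if err != nil {
		return "", err
	}
	pt, err := unseal(dek, rec.Fields[name], []byte(rec.ID+"/"+name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Erase serves an erasure request by crypto-shredding: zeroing and discarding the wrapped DEK
// leaves every ciphertext of the record, including copies in backups, permanently unreadable.
func Erase(rec *EncryptedRecord) {
	for i := range rec.WrappedDEK {
		rec.WrappedDEK[i] = 0
	}
	rec.WrappedDEK = nil
}
```

Crypto-shredding only works if the KEK, and the DEK in plaintext form, were never written next to the data: once the wrapped DEK is gone, the ciphertexts in primary storage and in every backup are equally unrecoverable, which is what makes a "delete my data" request answerable with confidence. Binding the ciphertext to the record ID and field name via the GCM additional data is what stops an attacker with write access to the datastore from moving one principal's encrypted field into another principal's record.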
How can JISA Softech help?
JISA Softech is a leading provider of data protection and data privacy solutions. We assist organizations in preparing for DPDP Act compliance by offering the following:
Hardware Security Module & HSM as a Service
Key Management Solution & KMS as a Service
Data Privacy Module
Data Discovery & Classification
Vault-based & Vaultless Tokenisation
Encryption of Data at Rest, in Transit and in Use
Application layer Encryption
Confidential Computing
Authentication (MFA, SSO, FIDO, Passwordless)
Featured Resource:
https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf