New DPDP Act Strengthening Data Privacy Protection in India


INTRODUCTION

In the current era of digital life, data security and privacy are pillars of internet participation. As governments, corporations, and individuals rely more and more on data-centric technologies, safeguarding personal data is priority number one. In response, India has made a giant leap ahead by introducing the New DPDP Act (Data Protection and Privacy Act), which will strengthen data privacy protection for citizens.

The New DPDP Act is an all-encompassing law that requires personal data to be handled in the best possible manner and holds companies doing business in India accountable for keeping people’s privacy secure. This blog discusses the most significant aspects of the New DPDP Act, its intent, its impact on businesses, and its implications for data privacy in India.

What is the New DPDP Act?

The New DPDP Act is a general legislative regime that governs the collection, processing, storage, and transfer of personal data.

India’s earlier data protection legislation, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, was found to be insufficient to keep pace with the fast-evolving digital environment. The New DPDP Act is an attempt to fill these gaps and bring India on par with global standards such as the General Data Protection Regulation (GDPR) of the European Union.

The prime objective of the New DPDP Act is to ensure that personal data is processed securely, ethically, and responsibly, thus protecting individual rights and promoting confidence in digital spaces.


Key Features of the New DPDP Act

1. Scope and Coverage

The New DPDP Act covers all organizations:

Private Companies

Government Agencies

Non-Profit Organizations

Foreign Organizations with Indian Clients or Data

The New DPDP Act has wide applicability across industries such as healthcare, finance, e-commerce, telecom, and social media platforms. It pushes organizations dealing with personal data to adopt leading privacy principles.

2. Management of Consent

One of the cornerstones of the New DPDP Act is securing clear and informed consent from an individual prior to collecting and processing his/her personal data. Organizations must:

Clearly specify the purpose for collecting data.

Make it easy for users to withdraw consent.

This consent model seeks to let people take control of their data, making it more accessible to them and impossible for other people to access.

3. Data Minimization and Purpose Limitation

The New DPDP Act mandates that only the minimum amount of personal data necessary for a specific purpose should be gathered. Businesses cannot gather excess data that is irrelevant to the product or service being offered. This ensures that data is gathered only for a specific, legitimate purpose and not beyond that.

4. Data Security Measures

The New DPDP Act places stringent obligations on companies to adopt strong data protection measures to safeguard personal data against breaches, theft, and abuse. Organizations are required to:

Adopt encryption and anonymization methods.

Apply access controls and authentication methods to limit unauthorized access to data.

Periodically audit and monitor systems to detect and counter possible security threats.

The Act stresses that data protection is not only the responsibility of the data controller but also of data processors who process personal information on behalf of others.

5. Data Subject Rights

The New DPDP Act grants various significant rights to individuals in relation to their personal data:

Right to Rectification: One can ask for correction in the event of inaccuracy or incompleteness of information.

Right to Deletion: One has a right to have one’s information deleted in some situations, for example, where the information is no longer required.

Right to Portability: One has a right to move one’s information from one provider of services to another in an accessible format.

These rights allow people to have more control over their data and maintain their privacy.

6. Data Protection Impact Assessments (DPIAs)

The New DPDP Act requires organizations to carry out Data Protection Impact Assessments (DPIAs) of processing operations that are likely to result in a high risk to individuals’ rights and freedoms. This means assessing the privacy risks arising from a new technology or processing activity and applying mitigations against them.

7. Data Breach Notification

The New DPDP Act provides for mandatory data breach notification. Companies must:

Notify the concerned parties in a timely manner, particularly if the breach has a potential to affect their privacy.

Notify the Data Protection Authority (DPA) of the breach and furnish information about the breach, including the type of breach and remedial measures taken.

The duty to alert people to data breaches guarantees transparency and allows aggrieved persons to take swift action in defending themselves against subsequent damage.

8. Data Protection Authority (DPA)

The New DPDP Act creates a Data Protection Authority (DPA) that is entrusted with the power to enforce the provisions of the Act. The DPA will:

Investigate and address complaints involving data breaches and invasions of privacy.

Issue regulations and rules to enforce compliance with data protection standards.

Take action against non-compliant organizations as a form of penalty.

Impact of the New DPDP Act on Businesses

1. Compliance Requirements

Companies that operate in India or have Indian customers will be required to modify and realign their data privacy practices and policies to meet the New DPDP Act. This includes setting up effective data protection measures, implementing consent handling, and supporting data subject rights. Companies will need to employ data protection officers (DPOs) and invest in compliance programs to meet regulatory requirements.

2. Fines and Penalties

Non-compliance with the New DPDP Act may attract huge fines. The DPA may impose penalties for contraventions, varying from minor offenses to serious contraventions. For serious contraventions, entities may be fined up to 4% of worldwide annual turnover or Rs 10 crore (the higher of the two).

3. Data Transfers and Cross-Border Implications

Companies will be required to ensure that personal data leaving India receives an adequate level of protection, as prescribed by the DPA. The regulation is bound to impact international businesses that depend on cross-border data flows.

4. Greater Transparency and Trust

With well-defined rules for handling data and rigorous security measures, the New DPDP Act will help instill consumer confidence. Consumers will definitely be more interested in companies that protect their data and keep it confidential. Hence, organizations adhering to the New DPDP Act can gain a competitive advantage by advertising their data protection credentials.

Challenges Facing Organizations

1. Conformity Cost

Rollout of the New DPDP Act will involve massive expenses for technology, employee training, and auditing. Small and medium-sized businesses (SMBs) will not have the budget for the changes needed to accommodate the requirements of the Act.

2. Data Subject Requests

Data subject requests like access, rectification, and erasure take time to process and handle, especially for large companies with a huge amount of data.


3. Changing Regulations

Since the New DPDP Act is a new law, certain provisions could be difficult to interpret. Businesses will need to keep up with changing rules and compliance guidance from the Data Protection Authority.

Conclusion

The New DPDP Act is a milestone on India’s journey toward stronger data protection and privacy. By introducing proper guidelines and norms for individuals as well as businesses, the Act will make the digital world a more secure one. As data grows in importance, businesses are required to guarantee its security and confidentiality by following the measures the New DPDP Act demands.

Enforcement of the Act will not only safeguard individuals’ privacy but also introduce more transparency and trust in the digital economy. As companies come to terms with this new regime, they will be placed on an equal footing to handle data responsibly in a manner conducive to sustainable growth and consumer confidence.

Disclaimer

The information included here is for general information purposes only and must not be interpreted as financial, professional, or legal advice. While we do our best to make it accurate and useful, the New DPDP Act may change and is subject to enforcement policy and developing regulation. You are advised to seek the opinion of your compliance or legal adviser, who can advise you on how the New DPDP Act applies to your particular circumstances. Lumiverse Solutions does not warrant the accuracy and completeness of the information provided in this blog. Seek professional advice to comply with the laws and regulations applicable to your case.
