8 months ago

After years of debates, discussions, and negotiation delays, the Central Government of India published its https://egazette.gov.in/WriteReadData/2023/248045.pdf on August 11, 2023. Borrowing from the EU’s https://www.upguard.com/blog/how-to-be-gdpr-compliant, the DPDP broadly defines “https://www.upguard.com/blog/personally-identifiable-information-pii and carries a wide scope of applications.

The Indian Digital Personal Data Protection Act (preceded by the Digital Personal Data Protection Bill) establishes a national framework for protecting personal data.

When a data fiduciary requests consent from a data principal, it must also include the following information in the request: The type of personal data that the fiduciary will process and the specified purpose for which the fiduciary will process such data An explanation of the process a data principal can follow to withdraw their consent An explanation of how the data principal can pursue grievance redressal, including the contact information of any relevant POC or consent manager that can assist with the process The process the data principal can follow to submit a formal complaint to the Data Protection Board of India

To achieve compliance with the act, data fiduciaries must: Only appoint or involve third-party data processors who are obligated to follow DPDP procedures by a legal contract Ensure personal data is complete and accurate before using the data to make a decision that affects the data principal or before participating in the transfer of personal data Implement necessary organizational measures and technical protocols to ensure ongoing compliance Implement reasonable security safeguards and audits to protect personal data and prevent personal data breaches Notify all affected data principals and the Data Protection Board of any and all known data breaches Safely erase and destroy all personal data upon a data principal withdrawing their consent (unless retention of such data is required by law)