{"id":2086,"date":"2024-10-25T11:11:36","date_gmt":"2024-10-25T11:11:36","guid":{"rendered":"https:\/\/www.sattrix.com\/blog\/?p=2086"},"modified":"2025-01-27T12:28:58","modified_gmt":"2025-01-27T12:28:58","slug":"data-protection-laws-in-india","status":"publish","type":"post","link":"https:\/\/www.sattrix.com\/blog\/data-protection-laws-in-india\/","title":{"rendered":"Understanding Data Protection Laws in India (DPDPA) 2023"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Data protection laws have become essential as personal data has emerged as a valuable asset, from the details we share online to what companies collect when we use their services. <\/span><span style=\"text-decoration: underline;\"><a href=\"https:\/\/www.sattrix.com\/\"><b>Cybersecurity Solutions<\/b><\/a><\/span><span style=\"font-weight: 400;\"> are crucial to safeguard this data and ensure individuals have more control. To address these concerns, India has introduced the <\/span>Digital Personal Data Protection Act 2023<span style=\"font-weight: 400;\"> (DPDPA). 
This law sets new rules for how businesses handle personal information and outlines the rights of individuals regarding their data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whether you&#8217;re a consumer wanting to protect your privacy or a business aiming for compliance, understanding the DPDPA is essential for navigating the digital landscape.<\/span><\/p>\n<h2>Personal Data vs Sensitive Personal Data<\/h2>\n<p><span style=\"font-weight: 400;\">Here\u2019s a concise comparison of personal data and sensitive personal data:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Aspect<\/b><\/td>\n<td><b>Personal Data<\/b><\/td>\n<td><b>Sensitive Personal Data<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Definition<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Identifies an individual (e.g., name, email).<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A subset of personal data needing extra protection (e.g., health, financial data).<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Examples<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Name, email address, phone number.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Health info, biometric data, sexual orientation.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Risk Level<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Low to moderate risk if mishandled.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Higher risk, leading to significant harm if exposed.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Consent Requirements<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Generally requires consent; more flexibility.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Requires explicit consent for collection and processing.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Regulatory Protections<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Subject to general data protection 
laws.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Subject to stricter regulations and protections.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Handling and Storage<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Standard data protection measures are sufficient.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Requires enhanced security measures.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>What is the Digital Personal Data Protection Act (DPDPA) 2023?<\/h2>\n<p><b>Data privacy laws in India<\/b><span style=\"font-weight: 400;\"> have taken a significant step forward with the introduction of the DPDPA in 2023. This new law aims to protect the personal data of individuals and regulate how businesses and organizations handle it. The DPDPA was introduced to ensure that people&#8217;s data is processed lawfully, securely, and transparently. Under this act, individuals, known as Data Principals, have specific rights, such as the right to access their data, correct it, and request its deletion.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><b>Data Privacy Act in India<\/b><span style=\"font-weight: 400;\">, specifically the DPDPA in 2023, outlines responsibilities for businesses, referred to as Data Fiduciaries. These responsibilities include obtaining proper consent from users, protecting the data they collect, and reporting data breaches. The <\/span><a href=\"https:\/\/www.meity.gov.in\/writereaddata\/files\/Digital%20Personal%20Data%20Protection%20Act%202023.pdf\"><b>DPDP Act 2023<\/b><\/a><span style=\"font-weight: 400;\"> also governs how personal data can be shared across borders and imposes penalties on those who fail to comply with the rules. 
It\u2019s a significant step toward safeguarding privacy in an increasingly data-driven world.<\/span><\/p>\n<h2>Who Do the Data Protection and Data Privacy Laws in India Apply To?<\/h2>\n<p><span style=\"font-weight: 400;\">The DPDP Act applies to anyone who processes digital personal data outside of personal or domestic contexts under the following conditions:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Processing within India:<\/b><span style=\"font-weight: 400;\"> The processing occurs within Indian territory.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Processing Overseas:<\/b><span style=\"font-weight: 400;\"> The processing takes place outside India but involves offering goods or services to individuals in India.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Types of Personal Data:<\/b><span style=\"font-weight: 400;\"> The law covers personal data collected in either digital or non-digital formats that have since been digitized. However, it does not apply to publicly available information or data processed in personal or household contexts.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The term &#8220;person&#8221; under the DPDP Act encompasses more than just individuals or businesses. 
It includes:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any individual<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Hindu Joint Family<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Companies<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Firms<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Associations of persons, whether registered or not<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The state, as defined under Article 12 of the Indian Constitution<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Other legal entities not specified above<\/span><\/li>\n<\/ul>\n<h2>Rights of Data Principals Under the DPDP Act<\/h2>\n<p><span style=\"font-weight: 400;\">Chapter III of the DPDP Act outlines the rights of data principals as follows:<\/span><\/p>\n<h3 style=\"font-size: 20px;\">1. Right to Access<\/h3>\n<p><span style=\"font-weight: 400;\">Data principals have the right to request a summary of their personal data that has been processed. This includes information about the activities of data fiduciaries and details of any data fiduciaries or data processors with whom their personal data has been shared.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">2. 
Right to Correction<\/h3>\n<p><span style=\"font-weight: 400;\">Data principals can ask data fiduciaries to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Correct any inaccuracies in their personal data.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Update their personal data.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Complete their personal data.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Data fiduciaries must respond to such requests within a reasonable timeframe.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">3. Right to Erasure<\/h3>\n<p><span style=\"font-weight: 400;\">Data principals can request the deletion of their personal data. However, data fiduciaries are not required to erase this data if it is necessary for fulfilling the purpose for which it was collected or for compliance with legal obligations.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">4. Right to Grievance Redressal<\/h3>\n<p><span style=\"font-weight: 400;\">Data principals have access to a grievance redressal mechanism to address any issues related to the obligations of data fiduciaries or enforcement of their rights. They must use this mechanism before approaching the Data Protection Board if their grievance remains unresolved.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">5. Right to Nominate<\/h3>\n<p><span style=\"font-weight: 400;\">In the event of their death, mental incapacity, or physical infirmity, data principals can nominate an individual to exercise their rights under the DPDP Act.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">6. Right to Revoke Consent<\/h3>\n<p><span style=\"font-weight: 400;\">Data principals can revoke their consent at any time. However, they are responsible for any consequences that arise from this revocation. 
Upon revocation, data fiduciaries must cease processing the personal data of the data principal and ensure that data processors do the same.<\/span><\/p>\n<h2>Role of Justice Sri Krishna Committee in Data Protection Laws<\/h2>\n<p><span style=\"font-weight: 400;\">The Justice Sri Krishna Committee, established in 2017, played a pivotal role in shaping India\u2019s data protection framework. Here are the key contributions of the committee:<\/span><\/p>\n<h3 style=\"font-size: 20px;\">Formation of the Committee:<\/h3>\n<p><span style=\"font-weight: 400;\">The committee was tasked with examining issues related to data protection and proposing a comprehensive legal framework.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">Drafting the Personal Data Protection Bill:<\/h3>\n<p><span style=\"font-weight: 400;\">The committee developed the <\/span><span style=\"font-weight: 400;\">Personal Data Protection Bill<\/span><span style=\"font-weight: 400;\"> based on extensive consultations with stakeholders, including legal experts, industry representatives, and civil society.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">Recommendations:<\/h3>\n<p><span style=\"font-weight: 400;\">The committee made several recommendations, including:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Establishing a regulatory authority for data protection.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Defining personal and sensitive personal data.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Outlining individual rights regarding data access, correction, and deletion.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Proposing frameworks for data processing and consent.<\/span><\/li>\n<\/ul>\n<h3 style=\"font-size: 20px;\">Emphasis on Privacy as a Fundamental Right:<\/h3>\n<p><span 
style=\"font-weight: 400;\">The committee acknowledged that data protection is essential for safeguarding the right to privacy, which the Supreme Court of India recognized as a fundamental right.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">Guiding Principles:<\/h3>\n<p><span style=\"font-weight: 400;\">It emphasized principles like data minimization, purpose limitation, and accountability for data processors, shaping the foundation for subsequent laws, including the <\/span><span style=\"font-weight: 400;\">DPDPA in 2023<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2>Other relevant laws and regulations in India include:<\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Information Technology Act, 2000:<\/b><span style=\"font-weight: 400;\"> This Act, along with its rules, provides a framework for regulating the use of computers, networks, and the internet.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Telecommunications Act, 1997:<\/b><span style=\"font-weight: 400;\"> This Act governs the telecommunications sector and includes provisions related to data privacy and security.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Indian Contract Act, 1872:<\/b><span style=\"font-weight: 400;\"> This Act, along with the Information Technology Act, forms the basis for contractual relationships related to data processing.<\/span><\/li>\n<\/ul>\n<h2>Impact of DPDPA 2023 on Businesses<\/h2>\n<p><span style=\"font-weight: 400;\">It brings significant changes for businesses operating in India. Here\u2019s how it impacts them:<\/span><\/p>\n<h3 style=\"font-size: 20px;\">1. Compliance Obligations:<\/h3>\n<p><span style=\"font-weight: 400;\">Businesses must implement robust data protection policies and procedures to comply with the DPDPA. 
This includes obtaining explicit consent from users, maintaining records of data processing activities, and implementing security measures to protect personal data.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">2. Increased Accountability:<\/h3>\n<p><span style=\"font-weight: 400;\">Organizations are now accountable for how they handle personal data. This includes being transparent about data collection practices and ensuring that data is used only for the purposes specified at the time of collection.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">3. Need for Data Protection Officers:<\/h3>\n<p><span style=\"font-weight: 400;\">While not mandatory for all businesses, those handling significant amounts of sensitive data are encouraged to appoint Data Protection Officers (DPOs) to oversee compliance and ensure that data protection measures are effectively implemented.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">4. Potential Financial Implications:<\/h3>\n<p><span style=\"font-weight: 400;\">Non-compliance with the DPDPA can lead to hefty fines, which could impact a company\u2019s bottom line. Businesses may need to allocate resources for legal consultations, compliance training, and system upgrades to avoid penalties.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">5. Impact on Data Collection Practices:<\/h3>\n<p><span style=\"font-weight: 400;\">The DPDPA mandates clear consent for data collection, which may lead businesses to rethink their data collection strategies. Companies will need to ensure that their practices are user-friendly and compliant with legal requirements.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">6. Enhanced Consumer Trust:<\/h3>\n<p><span style=\"font-weight: 400;\">By adopting transparent data protection practices, businesses can build trust with their customers. When individuals feel confident that their data is being handled responsibly, they are more likely to engage with a brand.<\/span><\/p>\n<h3>7. 
Opportunities for Data Privacy Services:<\/h3>\n<p><span style=\"font-weight: 400;\">The demand for data protection services, such as <strong><a href=\"https:\/\/www.sattrix.com\/managed-services\/managed-compliance-services.php\">compliance<\/a><\/strong> consulting, data audits, and security solutions, is expected to rise. Businesses may explore partnerships with specialized firms to ensure compliance with the DPDPA.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">8. Need for Ongoing Training and Awareness:<\/h3>\n<p><span style=\"font-weight: 400;\">Organizations must invest in ongoing training and awareness programs for their employees to ensure everyone understands the importance of data protection and their roles in maintaining compliance.<\/span><\/p>\n<h2>How DPDPA 2023 Affects Individuals<\/h2>\n<p><span style=\"font-weight: 400;\">It has a profound impact on individuals by empowering them with greater control over their personal data. Here\u2019s how it affects them:<\/span><\/p>\n<h3 style=\"font-size: 20px;\">1. Enhanced Rights Over Personal Data:<\/h3>\n<p><span style=\"font-weight: 400;\">Individuals, referred to as Data Principals, are granted specific rights concerning their personal data. These rights include the ability to access their data, request corrections, and demand the deletion of information that is no longer necessary.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">2. Informed Consent:<\/h3>\n<p><span style=\"font-weight: 400;\">The DPDPA requires businesses to obtain clear and explicit consent from individuals before collecting or processing their data. This means individuals have more control over what information they share and with whom.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">3. Data Portability:<\/h3>\n<p><span style=\"font-weight: 400;\">Individuals can request their personal data to be transferred from one service provider to another, making it easier to switch services while retaining their information. 
This promotes competition and allows users to choose better services.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">4. Right to be Forgotten:<\/h3>\n<p><span style=\"font-weight: 400;\">The act provides individuals with the right to request the deletion of their personal data when it is no longer needed or when they withdraw their consent. This empowers users to manage their digital footprint more effectively.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">5. Increased Transparency:<\/h3>\n<p><span style=\"font-weight: 400;\">Businesses are required to inform individuals about how their data will be used, stored, and shared. This transparency allows individuals to make informed decisions about their data.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">6. Protection Against Data Breaches:<\/h3>\n<p><span style=\"font-weight: 400;\">In the event of a data breach, individuals must be notified, allowing them to take necessary precautions to protect their personal information. This increases accountability among organizations regarding data security.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">7. Access to Grievance Redressal Mechanisms:<\/h3>\n<p><span style=\"font-weight: 400;\">The DPDPA establishes a framework for individuals to lodge complaints against organizations that misuse their data or fail to comply with data protection regulations. This provides a legal recourse for individuals seeking to address violations.<\/span><\/p>\n<h3 style=\"font-size: 20px;\">8. 
Empowerment Through Awareness:<\/h3>\n<p><span style=\"font-weight: 400;\">As individuals become more aware of their rights under the DPDPA, they are likely to be more proactive in protecting their personal data and seeking accountability from businesses.<\/span><\/p>\n<h2>DPDPA 2023 Vs GDPR: Comparison<\/h2>\n<p><span style=\"font-weight: 400;\">The <\/span><span style=\"font-weight: 400;\">Digital Personal Data Protection Act (DPDPA) 2023<\/span><span style=\"font-weight: 400;\"> in India and the <\/span><span style=\"font-weight: 400;\">General Data Protection Regulation (GDPR)<\/span><span style=\"font-weight: 400;\"> in Europe are both designed to protect personal data, but they differ in certain key areas:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Aspect<\/b><\/td>\n<td><b>DPDPA 2023<\/b><\/td>\n<td><b>GDPR<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>Scope<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Applies to personal data of individuals in India, regardless of where processed, involving Indian citizens.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Covers personal data of individuals in the EU and applies globally if processing data of EU residents.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Consent Requirements<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Emphasizes explicit consent for data collection and processing.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Focuses on consent but allows other legal bases like the performance of contracts and legitimate interests.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Rights of Individuals<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Grants rights such as data access, correction, data portability, and deletion requests.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Offers broader rights, including objection to processing and restriction of processing, alongside access, correction, and deletion.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Data Protection Officers (DPOs)<\/b><\/td>\n<td><span 
style=\"font-weight: 400;\">DPOs are not mandated for all organizations but are expected for significant sensitive data handlers.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Requires appointment of DPOs for certain businesses, especially those processing large-scale data.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Penalties<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Fines can reach up to \u20b9250 crore (approximately \u20ac28 million) based on violation severity.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Imposes fines up to \u20ac20 million or 4% of global annual turnover, whichever is higher.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Cross-Border Data Transfers<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Allows transfers but requires adequate protection measures for data sent outside India.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Strictly regulates transfers, allowing them only to countries with adequate data protection or appropriate safeguards.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">While both laws focus on protecting personal data and ensuring transparency in data processing, GDPR offers more comprehensive rights for individuals and imposes stricter requirements on businesses, whereas DPDPA is tailored to India\u2019s data privacy landscape and aims to balance privacy with business interests.<\/span><\/p>\n<h2>Recent Updates and Amendments to DPDPA 2023<\/h2>\n<p><span style=\"font-weight: 400;\">Here are some recent updates and amendments:<\/span><\/p>\n<p style=\"font-size: 20px;\"><b>Enforcement Authority:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The Data Protection Board (DPB) has been established as the enforcement authority under the DPDPA, with the authority to impose penalties of up to INR 250 crore.<\/span><\/p>\n<p style=\"font-size: 20px;\"><b>Appellate Authority:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The Telecom Disputes Settlement and Appellate Tribunal 
serves as the appellate authority for the DPDPA.<\/span><\/p>\n<p style=\"font-size: 20px;\"><b>Parental Consent:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Data fiduciaries are required to obtain verifiable consent from parents or guardians before processing children\u2019s data. However, certain entities, such as healthcare and educational institutions, may be exempt from this requirement.<\/span><\/p>\n<p style=\"font-size: 20px;\"><b>Penalties for Data Breaches:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The DPDPA imposes significant penalties for data breaches. For instance, failing to notify the board or affected data principals about a personal data breach can result in a penalty of INR 200 crore.<\/span><\/p>\n<h2>What is the Penalty for Violating the DPDP Act?<\/h2>\n<p><span style=\"font-weight: 400;\">India\u2019s privacy law sets penalties for violations based on several factors, including the severity and duration of the breach, the type of personal data affected, the frequency of the violation, and the financial impact on the violator. Penalties can reach up to INR 250 crore (approximately $30 million).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Unlike many other data privacy laws worldwide, India\u2019s privacy law does not specify a cure period for violations. 
However, violators are entitled to a hearing, reflecting the principle of natural justice.<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Nature of Violation\/Breach<\/b><\/td>\n<td><b>Penalty<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Failure to implement security safeguards<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 250 crores (approximately $30.21 million)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Failure to notify a breach to the board<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 200 crores (approximately $24.17 million)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Non-compliance with special provisions regarding children<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 200 crores (approximately $24.17 million)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Non-compliance with obligations of the Security Designated Framework (SDF)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 150 crores (approximately $18.13 million)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Non-compliance with obligations by data principals<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 10,000 (approximately $120)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Violation of any voluntary undertaking<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to the applicable extent for that breach<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Violation of any other provisions not specified above<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Up to INR 50 crores (approximately $6 million)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">These penalties emphasize the importance of adhering to data protection regulations and safeguarding personal information.<\/span><\/p>\n<h2>Steps to Achieve Compliance with the DPDP 
Act<\/h2>\n<p><span style=\"font-weight: 400;\">Following these steps will help ensure compliance with the DPDP Act and safeguard personal data effectively.<\/span><\/p>\n<ul>\n<li><b>Obtain Valid Consent<\/b><span style=\"font-weight: 400;\">: Ensure you have explicit consent before processing any personal data.<\/span><\/li>\n<li><b>Provide a Clear Privacy Notice<\/b><span style=\"font-weight: 400;\">: Along with the consent request, offer a straightforward privacy notice detailing data processing practices.<\/span><\/li>\n<li><b>Accessibility of Notices<\/b><span style=\"font-weight: 400;\">: Make privacy notices and consent requests available in English and the 22 languages listed in the Eighth Schedule of the Constitution.<\/span><\/li>\n<li><b>Limit Data Collection<\/b><span style=\"font-weight: 400;\">: Collect only the data necessary for the specific processing purpose.<\/span><\/li>\n<li><b>Implement Security Safeguards<\/b><span style=\"font-weight: 400;\">: Establish appropriate security measures to protect personal data.<\/span><\/li>\n<li><b>Obtain Verifiable Consent for Vulnerable Groups<\/b><span style=\"font-weight: 400;\">: Secure verifiable consent to process data from children and individuals with disabilities.<\/span><\/li>\n<li><b>Timely Data Deletion<\/b><span style=\"font-weight: 400;\">: Delete personal data promptly if consent is revoked, or when the specific processing purpose is fulfilled.<\/span><\/li>\n<li><b>Respond to Data Principal Requests<\/b><span style=\"font-weight: 400;\">: Address requests from data principals within a reasonable timeframe.<\/span><\/li>\n<li><b>Avoid Behavioral Tracking<\/b><span style=\"font-weight: 400;\">: Refrain from behavioral monitoring, targeted advertising, and tracking of children.<\/span><\/li>\n<li><b>Maintain Data Integrity<\/b><span style=\"font-weight: 400;\">: Ensure that personal data is complete, accurate, and consistent.<\/span><\/li>\n<li><b>Conduct Audits and Impact Assessments<\/b><span 
style=\"font-weight: 400;\">: If classified as a Significant Data Fiduciary, perform regular audits and impact assessments.<\/span><\/li>\n<li><b>Compliance with Negative Lists<\/b><span style=\"font-weight: 400;\">: Confirm that you do not sell personal data to countries listed in the government\u2019s negative list.<\/span><\/li>\n<li><b>Establish Contracts with Data Processors<\/b><span style=\"font-weight: 400;\">: Maintain a contractual relationship with any data processors you work with.<\/span><\/li>\n<li><b>Report Breaches to the Data Protection Board (DPB)<\/b><span style=\"font-weight: 400;\">: Notify the DPB of any data breaches, regardless of the level of risk involved.<\/span><\/li>\n<\/ul>\n<h2>Final Thoughts<\/h2>\n<p><span style=\"font-weight: 400;\">This act is a pivotal advancement for data privacy in India, establishing a solid framework for personal data protection. It defines individual rights and business responsibilities, aiming to create a secure environment for personal information in a digital age. Organizations must prioritize compliance and invest in effective <strong><a href=\"https:\/\/www.sattrix.com\/\">cybersecurity solutions<\/a><\/strong> to safeguard data. 
The DPDPA is not just a legal requirement; it represents a commitment to trust and accountability in data management, paving the way for a safer digital future for all stakeholders.<\/span><\/p>\n<h2 style=\"text-align: center;\"><span style=\"text-decoration: underline;\"><b>Frequently Asked Questions<\/b><\/span><\/h2>\n<ol>\n<li><b> What is the data protection case law?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">It refers to legal precedents and judgments related to data protection and privacy rights in India.<\/span><\/li>\n<\/ol>\n<ol start=\"2\">\n<li><b>What is the PDP Act in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">The Personal Data Protection (PDP) Act is a proposed legislation aimed at regulating the processing of personal data and safeguarding individual rights.<\/span><\/li>\n<\/ol>\n<ol start=\"3\">\n<li><b>What is the Digital Personal Data Protection Act, 2023?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">The DPDPA 2023 is India\u2019s comprehensive law for data protection, outlining individual rights and responsibilities of data fiduciaries.<\/span><\/li>\n<\/ol>\n<ol start=\"4\">\n<li><b>What is the Digital India Act 2023?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">This act aims to create a comprehensive framework for digital governance, including data protection, cybersecurity, and the regulation of digital platforms.<\/span><\/li>\n<\/ol>\n<ol start=\"5\">\n<li><b>What is the new law bill in India 2023?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">This refers to several proposed laws, including the DPDPA 2023 and the Digital India Act 2023, focusing on data protection and digital governance.<\/span><\/li>\n<\/ol>\n<ol start=\"6\">\n<li><b>What are the rules of DPDP in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">The DPDP includes provisions for data processing, consent, data principal rights, and penalties for non-compliance.<\/span><\/li>\n<\/ol>\n<ol 
start=\"7\">\n<li><b>What are the DPDP Act 2023 compliance services?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">These services help organizations ensure they meet the requirements of the DPDP Act, including audits, training, and policy development.<\/span><\/li>\n<\/ol>\n<ol start=\"8\">\n<li><b>Is the DPDP Act passed?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">Yes, the DPDP Act was passed in August 2023 and is expected to come into effect in 2024.<\/span><\/li>\n<\/ol>\n<ol start=\"9\">\n<li><b>What is the difference between GDPR and DPDP Act 2023?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">GDPR applies to EU citizens and has broader rights for individuals, while DPDP is specific to India and includes unique provisions catering to the local context.<\/span><\/li>\n<\/ol>\n<ol start=\"10\">\n<li><b>What are the key points of the DPDP Act?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">Key points include individual rights, data fiduciary responsibilities, consent requirements, data breach notifications, and penalties for non-compliance.<\/span><\/li>\n<\/ol>\n<ol start=\"11\">\n<li><b>What is GDPR in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">GDPR (General Data Protection Regulation) is the EU\u2019s data protection law that influences data privacy practices globally, including in India.<\/span><\/li>\n<\/ol>\n<ol start=\"12\">\n<li><b>What is the data protection bill in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">This refers to the legislative proposals, including the PDP Act and DPDPA 2023, aimed at establishing a regulatory framework for data protection.<\/span><\/li>\n<li><b>Is there any data privacy act in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">Yes, the DPDPA 2023 serves as the primary data privacy legislation in India.<\/span><\/li>\n<li><b>Is data privacy a fundamental right in India?<\/b><b><br \/>\n<\/b><span style=\"font-weight: 400;\">Yes, the Supreme Court 
of India recognized the right to privacy as a fundamental right under Article 21 of the Constitution.<\/span><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>Also read:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"text-decoration: underline;\"><strong><a href=\"https:\/\/www.sattrix.com\/blog\/cyber-law-in-india\/\">Cyber Law in India<\/a><\/strong><\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Data protection laws have become essential as personal data has emerged as a valuable 
asset,<\/p>\n","protected":false},"author":1,"featured_media":2093,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[22],"tags":[],"_links":{"self":[{"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/posts\/2086"}],"collection":[{"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2086"}],"version-history":[{"count":15,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/posts\/2086\/revisions"}],"predecessor-version":[{"id":2280,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/posts\/2086\/revisions\/2280"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/media\/2093"}],"wp:attachment":[{"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sattrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}