The India Digital Personal Data Protection Act (DPDPA) 2023 is the country's first comprehensive data protection law. It was published in the Official Gazette on August 11, 2023, but its provisions come into force only on dates notified by the central government, which at the time of writing were expected around mid-2024.
- Does the India DPDPA apply to your business, and does it oblige you to meet its standards?
- The personal data to be processed;
- The purpose of processing;
- How to exercise the data principal rights; and
- How to make a complaint to the Data Protection Board of India.
Consent must be informed: the data principal must know what they are consenting to. That is why data fiduciaries must give data principals a notice with, or before, every request for consent. The data principal can then read the notice, understand what they are being asked to agree to, and make an informed decision on whether to consent.
That leads to the next important point: the notice must be up to date and contain the elements prescribed by the law. Otherwise the consent is not valid, and any processing that relies on that consent has no lawful basis.
The minimum you must include in your privacy notice is:
- The personal data to be processed. List the categories of personal data you want to collect and process, such as email addresses, browsing behavior, purchase behavior, IP addresses, device information, and so on.
- The purpose of processing. Tell users why you process their personal data. Common purposes are marketing, website analytics, and providing website or app functionality.
- How to exercise the data principal rights. Data principals have rights under the DPDPA, and you must honor them. These go beyond withdrawing consent: they include the right to access information about how their data is processed, the right to correction and erasure, the right to grievance redressal, and the right to nominate another person to exercise their rights. List them all in the privacy notice and explain how to exercise them. In most cases that means providing an email address or a web form where data principals can submit their requests.
- How to make a complaint to the Data Protection Board of India. Finally, data principals who are dissatisfied with your privacy practices can complain to the Data Protection Board of India, the national data protection authority. Your duty is to explain briefly how they can do so. Note that the Act expects data principals to first use your own grievance redressal mechanism before approaching the Board, so describe that mechanism as well.
Beyond the mandatory elements, you can make the notice more transparent by adding information on transfers of personal data outside India, who your data processors are, and the contact details of your Data Protection Officer (which you must appoint if you are a significant data fiduciary). That also helps you comply with data protection laws outside India.
The Data Protection Board is authorized to impose, among others, the following penalties:
- Up to INR 10,000 on a data principal who fails to perform the duties stipulated under the Act.
- Up to INR 50 crore for breach of any provision of the Act or its rules for which no specific penalty is stipulated.
- Up to INR 250 crore for failure to take reasonable security safeguards to prevent a personal data breach.
The most likely consequences of invalid consent and a non-compliant privacy notice fall under the general bracket: a penalty of up to INR 50 crore.
Does the India Digital Personal Data Protection Act 2023 apply to your website?
All these risks apply to your business only if the India Digital Personal Data Protection Act applies to it.
It applies if you process personal data in digital form (or data collected in non-digital form and digitized later) and at least one of the following holds:
- The processing takes place within India, or
- The processing takes place outside India but is connected with offering goods or services to data principals within India.
In short, if you are an Indian business, the law applies. If you are a foreign business offering goods or services to people in India, the law also applies.
A simple way to collect and manage consent is to use a consent manager that is registered with the Data Protection Board of India. As soon as the registration process opens, Secure Privacy plans to register. Once that is done, businesses like yours can use Secure Privacy's services to make sure you are following the new law correctly.
We already have a feature designed for DPDPA compliance, including a DPDPA-compliant privacy notice and a cookie consent banner. So the moment the law goes into effect, our tool will be ready to help you meet the legal requirements and build trust with your customers from day one.