Workshop on Implementation-Oriented Overview: Digital Personal Data Protection Act (DPDPA), 2023

Digital Personal Data Protection Act (DPDPA), 2023, provides a practical overview of the Act’s implementation, including its impact on businesses and how to achieve compliance. This workshop is designed to help organizations understand the legal and regulatory implications, develop necessary strategies, and implement effective data protection measures.

Contents:

Concept of Privacy and Data

Privacy is a fundamental right recognized by the Supreme Court of India.
Under DPDPA, privacy means safeguarding digital personal data—any data that can identify an individual.
Organizations must justify every instance of data collection and processing by lawfully balancing the individual’s privacy and business or government requirements.

Distinction of Personal and Non-Personal Data from Security Perspective

Personal Data: Data that identifies or relates to an identifiable individual (e.g., name, Aadhaar, email).
Non-Personal Data: Data that does not identify an individual—e.g., anonymized statistical data. DPDPA focuses only on personal data, not non-personal data.
Security: Personal data needs stronger technical and organizational safeguards; non-personal data is generally not regulated under DPDPA.
ITA 2000 and Privacy

Prior to DPDPA, Section 43A, ITA 2000, and its rules governed sensitive personal data.
DPDPA will replace Section 43A and establish more comprehensive requirements.

DPDPA-1: To Whom Applicable and When Applicable

Applies to processing of digital personal data in India (or of Indian residents, even if processed abroad, for goods or services offered in India).
Does not apply to:
Personal/domestic use.
Public information (made public by individual or law).
The Act comes into force in phases as notified by the government.

DPDPA-2: Obligations of Data Fiduciaries

Data Fiduciary: Entity that determines the purpose and means of processing personal data (e.g., companies, government agencies).
Key obligations:
Obtain valid, informed consent.
Ensure accuracy and completeness.
Implement reasonable security measures.
Delete data once the purpose is met or upon withdrawal of consent.
Notify Data Protection Board (DPB) and individuals in case of breach.
Grievance redress mechanism must be established.
For Significant Data Fiduciaries (SDFs):
Appoint Data Protection Officer (DPO).
Appoint an independent data auditor.
Conduct periodic impact assessments and audits.

DPDPA-3: Rights and Duties of Data Principals

Data Principal: The individual to whom the data relates.
Key rights:
Access to their data and processing summary.
Correction and erasure of data.
Withdraw consent at any time.
Data portability.
Grievance redressal.
Right to nominate a person to act on their behalf in case of death/incapacity.

DPDPA-4: Exemptions and Legitimate Uses

Full and partial exemptions to:
Government agencies for national security, public order, research, statistical purposes, etc.
Processing strictly for journalistic purposes (some flexibility under debate).
No consent needed for specific “legitimate uses,” such as providing government subsidies, legal duties, emergencies, or as authorized by law.

DPDPA-5: Data Protection Board and Grievance Redressal Mechanism

The Data Protection Board of India (DPB) will adjudicate non-compliance, data breach issues, and complaints—all processes are online.
Three-tier appeal system: DPB → TDSAT → Supreme Court.
Data fiduciaries must have internal grievance redressal processes.

DPDPA-6: Data Breach and Penalties

Mandatory reporting of all breaches, regardless of severity, to the DPB and affected individuals.
Penalty caps (as per the Act’s Schedule):
Personal data breach: Up to ₹250 crore.
Failure to notify breach: Up to ₹200 crore.
Violation involving children’s data: Up to ₹200 crore.
Miscellaneous/individual breaches: Up to ₹10,000.

Compliance Requirements under ITA 2000 and DPDPA 2023

Map all data collection and processing.
Assess if you are a Data Fiduciary or Significant Data Fiduciary.
Obtain consent, manage privacy notices, and ensure multifactor security.
Respond promptly to data principal requests.
Delete data upon purpose exhaustion or consent withdrawal.
Maintain records, conduct audits (for SDFs), and avoid cross-border transfer to countries on the government’s negative list.

Role of DPOs and Data Auditors

Data Protection Officer (DPO):
Required for Significant Data Fiduciaries (SDFs).
Handles compliance, answers data principal queries, manages grievances.
Must be based in India and report to top management.
Data Auditors:
Conduct independent periodic audits.
Review and ensure compliance with data protection obligations.

Speaker Profile:

Shrikrishna Kulkarni possess more than 26+ years of diverse experience in Banking, Pharma, Manufacturing, Telecom(M&E), and consulting experience in Infrastructure, Cloud, Managed Security Services (MSS), IT Audit, SAP, HANA, technologies supporting infrastructure and applications domain.

Complex IT projects and issues that encompass a wide range of internal and external systems, components, and processes

· Cloud – Private, Public & Hybrid

· Application & infrastructure security

· Business continuity

· Project Management

· Pre-Sales

· Audit & Compliance

Experience in BCP, IT DR solutions (Sanovi, Perpuity) and Implementation, Crisis Management.

Designing “DRAAS” as Service, BCMS/ ISMS, IT Service Continuity.

Implementation Experience includes BCP/DR Planning, Impact Analysis on Business, Database Replications Solutions, DR automation solutions, Infrastructure and Applications DR for Complex projects in Pharma, Banking, Manufacturing, M&E

Delivery: ZOOM Meeting

Contact Details :

Revati Khare || Deputy  Director
Email : revati.khare@bombaychamber.com
Mobile No : 9892029473