The Digital Personal Data Protection (DPDP) Act, 2023 is India’s comprehensive data privacy law. It establishes a legal framework for how organizations and government bodies collect, process, store, and share individuals’ personal digital data. The law balances citizens’ rights to privacy with the need for lawful data processing.
Key Terminologies
- Data Principal: The individual to whom the personal data belongs (the citizen/consumer).
- Data Fiduciary: The entity (companies, organizations, or government) that determines the purpose and means of processing the data.
Rights of the Data Principal
- Right to Access: Individuals can ask to access their personal data and know how it is being processed.
- Right to Correction/Erasure: Users can request corrections to their data, or have it deleted when it is no longer needed.
- Right to Grievance Redressal: Individuals have the right to file complaints or nominate a representative to act on their behalf if they feel their rights are violated.
- Right to Nominate: Users can nominate someone to manage their data rights in the event of death or incapacity.
Core Obligations for Data Fiduciaries
- Clear Consent: Fiduciaries must provide a clear, itemized notice of what data they are collecting and why, and obtain clear consent from the Data Principal.
- Data Security: Organizations are legally required to implement reasonable security safeguards to prevent data breaches.
- Breach Notifications: If a data breach occurs, fiduciaries must notify both the Data Protection Board of India and the affected Data Principals.
- Child Protection: Organizations must obtain parental or guardian consent before processing the personal data of anyone under the age of 18.
Penalties
Non-compliance can result in substantial financial penalties. Depending on the nature of the violation, fines can range from ₹10,000 up to ₹250 crore for significant breaches.
