8 minute read 23 Aug 2023
Digital Personal Data Protection Act, 2023

Decoding the Digital Personal Data Protection Act, 2023

Lalit Kalra
By Lalit Kalra

EY India Cybersecurity Partner and Data Privacy Leader

Cybersecurity Technology Leader, strengthening cybersecurity frameworks across industries

8 minute read 23 Aug 2023
Related topics Cybersecurity Technology Technology leader's agenda Digital
Upvote

Show resources

The DPDP Act is India's first data protection act, and it establishes a framework for the processing of personal data in India.

In brief

  • At a time when technology has become the defining paradigm of the 21st century, India’s on-going Data Protection regulation underscores the nation’s focus on building a strong data privacy regime.
  • Building strong privacy governance programs is not only a reputational and business risk requirement but is also an integral part of building a transparent and long-term sustainable organization of the future.

The Digital Personal Data Protection (DPDP) Act, 2023 applies to the processing of digital personal data within the territory of India collected online or collected offline and later digitized. It is also applicable to processing digital personal data outside the territory of India, if it involves providing goods or services to the data principals within the territory of India

Significant Data Fiduciary (SDF)

DPDP Act underlines the role of significant data fiduciary (SDF), which the government will identify using the volume and sensitivity of personal data processed and risk associated. The specific obligations under this include appointing a data protection officer (DPO) based in India; appointing an independent data auditor; and conducting a data protection impact assessment (DPIA).

Citizens’ rights

The Act will empower the citizens of the country as the data principal rights specifically allow:

At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights.

Penalties

Another salient feature of DPDP Act is the penalty clause. There are penalties for non-compliance of the provisions by data fiduciaries up to INR250 crore. Some of these are:

  • Breach in observance of duty of data principal up to INR10,000
  • Failure to notify the data protection board and affected data principals in the event of a personal data breach is up to INR200 crore
  • Breach in observance of additional obligation in relation to children up to INR200 crore

Exclusions

In the act, non-automated personal data, offline personal data and personal data in existence for at least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been removed. At present, the provision for grievance redressal review is not included. The timeline of 72 hours within which a data breach is to be reported to authorities is excluded. 

Sectors impacted

The act is expected to have an impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023.

Welcome to "Gateway to data privacy and protection," a cutting-edge podcast series that delves deep into the realm of data privacy and protection.

Know more

Show resources

Show resources

Navigating the Digital Personal Data Protection Act and Understanding the Impact on the Industry

The Digital Personal Data Protection (DPDP) Act aims to create a framework that respects individuals' right to safeguard their personal data while acknowledging the need for lawful data processing.

Watch now 

How EY can help

Data protection and privacy

EY data protection and privacy services help organizations stay up-to-date with leading services in data security and data privacy, as well as complying with regulation in a constantly evolving threat environment and regulatory landscape.

Read more
Identity and access management

EY Identity and access management (IAM) services help EY clients to manage the lifecycle of digital identities for people, systems, services and users by giving organizations a clear view of who has access to what resource in the company.

Read more
Cybersecurity, strategy, risk, compliance and resilience

EY Cybersecurity, strategy, risk, compliance and resilience teams can provide organizations with a clear picture of their current cyber risk posture and capabilities, giving them an informed view of how, where and why to invest in managing their cyber risks.

Read more

Summary

The DPDP Act is a significant step forward for data protection in India. This act is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and businesses.

About this article

Lalit Kalra
By Lalit Kalra

EY India Cybersecurity Partner and Data Privacy Leader

Cybersecurity Technology Leader, strengthening cybersecurity frameworks across industries

Related topics Cybersecurity Technology Technology leader's agenda Digital
Upvote