How to Implement the DPDP Act 2023, India’s Landmark Data Protection Act

In August 2023, the Government of India enacted its landmark data protection regulation, the Digital Personal Data Protection  Act, 2023 (DPDP Act). It is a significant development in the Indian data privacy ethos and establishes a comprehensive framework for data protection of digitized personal data. 

The DPDP Act, bearing similarities with the EU GDPR, is an overarching law to govern how personal data of data principals within the territory of India is used, processed, and disseminated. However, unlike the GDPR, which covers just over 742 million people, the DPDP Act is applicable to a population of over 1.4 billion. 

The DPDP Act is applicable to processing of digitized personal data in India, and its application extends extra-territorially, when personal data processed outside India is related to offering of goods and services to data principals within the territory of India. 

That means, regardless of  where you or your organization is located , if you deal with digitized personal data of a data principal within the territory of India, you need to comply with the DPDP Act. In this article, we will explain how to do so and how, here at OvalEdge, we are already compliant and can quickly help you implement the guardrails required.

What is the DPDP Act?

Anyone familiar with existing data protection regulations of different countries will recognize the main features of the DPDP Act. The Act aims to ensure that the personal data, of any data principal within the territory of India, is protected and not misused and that processing of personal data is undertaken in a manner which will protect and recognize and retain the right to privacy of residents of India.

Some of the key features include:

1. Applicable outside India in relation with goods or services offered in India.
2. Identifying a lawful basis to collect and process personal data
3. Executing valid contracts to engage data processors. Establishes compliance obligations on any entity or individual that handles personal data
4. Ensuring information security procedures are in place to protect personal data 
5. Obtaining and verifying parental consent 
6. Upholding the rights of data subjects to access, correct, rectify, erase, and complete their data and withdraw their consent.
7. Notifying affected data principals and the Data Protection Board of India in case of a data breach. 
8. Option to appoint a consent manager.

Failure to comply with the DPDP Act can result in significant fines and penalties up to INR 250 crores (approx USD 30.2 million) per breach. 

To avoid the penalties associated with non-compliance, you need to implement a framework that adheres to the various aspects of the regulation. OvalEdge is 100% compliant with the DPDP Act and provides you all the tools you need to achieve compliance. Furthermore, having a local presence in India, we understand the full implications of the DPDP Act and are constantly tracking any developments and nuances in the law.

DPDP Act: How to implement a framework

1. Appoint a Data Protection Officer (DPO) or a designated person in charge of data protection

You need a DPO to oversee your compliance efforts, if you qualify as significant data fiduciary. If not, you need to appoint any designated individual who is responsible to oversee all activities regarding data protection and will be able to answer on your behalf. This can be someone already working in your data team or an external hire. They will be the primary point of contact for data protection authorities and data principals. The roles and responsibilities of a such an officer include monitoring internal compliance, managing budgets and making acquisitions of relevant compliance tools, advising executives on data protection obligations, liaising with regulatory authorities and handling the requests of data principals. 

Your DPO must have experience implementing data protection strategies for other similar regulations, like the GDPR. Although the DPDP Act is new, this knowledge of compliance procedures, such as corresponding with government authorities and auditors, is vital. 

OvalEdge can help you to facilitate this by defining data governance roles and responsibilities so everyone in your organization understands who to contact for specific data questions or concerns. 

Related Post: 3 Data Privacy Compliance Challenges that can be solved with Data Governance

2. Map your data processing activities

All data processing activities within your organization must be documented. These include actions like third-party reporting, analytics, marketing communications, contract processing and more.

You need to identify and keep track of all the personal data you collect during these processes, on what ground the personal data is processed, how it's used, where it's stored, how long it will be stored for, who is the process owner and who has access to it. One of the biggest challenges companies face is locating this personal data and relevant details regarding the myriad of personal data sets. It’s a complex problem that requires a specific solution-based tool or methodology.

Through data crawling and classification, OvalEdge automatically identifies and classifies and maps the all the personal data with your organization. Furthermore, data lineage facilities in OvalEdge enable you to track all the changes made to data from its inception, while the data catalog allows you to identify the location of all your data assets. 

3. Ensure data subjects' rights

You must ensure that every data principal you deal with understands how to exercise their rights under the DPDP Act , such as the right to access, rectify, delete their data, file a complaint, withdraw their consent or nominate another person to exercise their rights under the Act and have measures in place to deal with these requests. You must implement a process in your organization that collects data requests from data prinicpals and, based on the specific subject rights as defined by the DPDP Act.

This process will enable you to create a workflow for how requests are handled and addressed. Ultimately, receipt of requests and action processes must be documented. 

Through OvalEdge, this process is automated. Requests are received and forwarded directly to the correct stakeholder and the entirety of the process is documented by default.

4. Assess and manage risks

You must conduct a Data Protection Impact Assessment (DPIA) for any high-risk data processing activities, such as collecting personal data, biometric and other sensitive data, using new technologies to collect data, and large-scale profiling. As well as evaluating the potential impact on data principals’ rights, you need to have adequate measures in place to mitigate those risks. 

For this, you need to understand the entire data landscape of your organization. This will enable you to know where these high-risk profiling activities are taking place and who is undertaking them.

OvalEdge enables you to identify all of the data connectors in your organization and catalog what and where your high-risk data is. Furthermore, data quality checks and other governance measures ensure data is well organized and suitable for the intended use cases. 

Related Post: What is a Data Catalog? The Ultimate Guide

5. Implement data protection by design and default

Data protection measures cannot be an afterthought. They must be fully integrated into your processes and systems. Ultimately, this means monitoring data protection at every stage of a workflow. 

You must ensure that any new data, programs, or applications that enter your organization or follow the processes you have to ensure it is compliant and personal data is protected. There must be a specific action item in place. 
OvalEdge deploys multiple features that ensure you can track your data projects, from internal conversations to data changes and specify the compliance requirements. 

6. Keep records and document compliance

To stay compliant with the DPDP Act, entities must maintain detailed records of data processing activities, DPIAs, and other relevant documentation that can, if required, be presented to auditors to demonstrate its compliance with the DPDP Act. 

In OvalEdge, this documentation process is integrated out-of-the-box. A built-in audit log is continually updated by default. 

Related Post: Building a Business Glossary - Why and How

The OvalEdge DPDP Act Checklist

To further your understanding of the core rules and requirements of the DPDP, we’ve put together a comprehensive checklist that not only states the specific compliance regulation, but translates it from a complex, technical description into plain English. What’s more, with each section of the regulation, we explain the severity of the regulation and how OvalEdge can enable you to remain compliant without committing to the many hours of manual work required without a dedicated tool in place.