Data Protection
Updated: 06th January 2025
Current data protection regime in India
Currently there is no standalone legal framework to govern data protection in India. The Information Technology Act, 2000 (IT Act) and the rules notified thereunder currently form the basis for data protection. These include the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) (or the "SPDI Rules").
On August 11, 2023, the Government of India published the Digital Personal Data Protection Act, 2023 (DPDP Act), which, when notified, will form the personal data protection and regulatory regime in India.
DPDP Enforcement
The DPDP Act will come into force as per the notification by the Central Government in the Official Gazette.
The Central Government may appoint different dates for different provisions of DPDP Act, and the provisions of the Act shall come into force to such effect.
DPDP Framework
Notable definitions
"Data"
A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
"Digital Personal Data"
Personal data in digital form.
"Personal Data"
any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
"Processing"
In relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
DPDP - Scope & Applicability
The provisions of DPDP are applicable to processing of digital personal data:
• Within the territory of India, where the personal data is collected–
(i) in digital form; or
(ii) in non-digital form and digitised subsequently
• Outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India
The Process
The definition of "Processing" under the DPDP is non-exhaustive and means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
Although the definition includes a variety of activities, the process can be classified into six broad categories:
Collection
Storage
Use
Processing
Transmission
Erasure/Destruction
Process Stakeholders
Data Principal
The individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.
Data Fiduciary
Means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Significant Data Fiduciary
Means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of DPDP.
Data Processor
Means any person who processes personal data on behalf of a Data Fiduciary.
Access our DPDP Obligations Tool to identify Obligations of stakeholders under DPDP Act.
IMMEDIATE STEPS REQUIRED:
1. Conduct Data Mapping and Assessment
2. Establish effective Consent Mechanisms
3. Review agreements with Data Processors
4. Implement updated Privacy Policies
5. Implement effective Data security measures
HOW WE CAN HELP:
We can help in:
- Identifying your role as a 'Data Fiduciary', 'Significant Data Fiduciary', 'Data Processor' or 'Data Principal'.
- Data Mapping and Assessment
- Implementing Consent Mechanisms
- Review of agreements with Data Processors
- Implementing updated Privacy Policies
- Compliance in implementing effective Data security measures
DPDP Obligations Tool
General Obligations
- Implement reasonable security safeguards to prevent Personal Data breach and protect the Personal Data in its possession.
- Ensure that Personal Data being processed is complete, accurate and consistent.
- Ensure that any transfer of personal data for processing to any country outside India, as permissible under DPDP Act, shall only be done in accordance with terms prescribed by the Central Government.
- Ensure that collection of Personal Data of Data Principals is only for a lawful purpose.
- Implement appropriate technical and organizational measures to ensure effective observance of provisions of DPDP Act.
Notice Obligations
- Consent Notice must contain:
• A description of the Personal Data sought to be collected from the Data Principal and the purpose for its processing;
• The manner in which the Data Principal may exercise her right to withdraw consent and to grievance redressal; and
• The manner in which the Data Principal may make a complaint to the Data Protection Board.
- For consent obtained before commencement of DPDP Act, a notice similar to "Consent Notice" shall be provided to Data Principal as soon as it is reasonably practicable.
- Provide option to access contents of Consent Notice in English or any of 22 (twenty-two) languages specified in Constitution of India.
- Provide a notice to Data Principal, in clear and plain language, along with a request for consent ("Consent Notice").
Information Access
- Provide upon request: A summary of the personal data of the data principal which is being processed by you and the processing activities undertaken with respect to such personal data.
- Provide upon request of Data Principal: Such information as may be prescribed by the Central Government.
- Upon request of Data Principal: Provide identities of any other data fiduciaries and data processors with whom the personal data has been shared.