If you’re a business with Indian customers, or your mobile app or website is accessible to them, it’s crucial to familiarize yourself with India’s new data protection legislation: The Digital Personal Data Protection Act, 2023 (DPDP Act, 2023).

The law governs how businesses like yours should collect, use, share, and delete Indian citizens’ personal data.

Enacted in August 2023, the act aims to create a structured framework for managing digital personal data, safeguarding individual privacy, and ensuring that personal data is processed only for legitimate purposes. Although the act has been passed, its provisions will be implemented gradually by the government.

The act sets out obligations on Data Fiduciaries (those processing data) and outlines the rights and duties of Data Principals (individuals to whom the data pertains), including financial penalties for violations.

Additionally, the DPDP Act established the Data Protection Board of India (DPB), the country’s first regulatory authority dedicated to personal data privacy. The DPB’s role is to ensure compliance with the law and to impose penalties on organizations that fail to adhere to the regulations.

Closely akin to the GDPR, the DPDP Act focuses on consent, data minimization, and empowering individuals with the right to access, correct, or delete their information.

Both acts put companies on notice, with hefty fines for mishandling data.

However, while the GDPR is broader in its scope, covering both personal and non-personal data, the DPDP Act focuses specifically on protecting digital personal data within India’s jurisdiction.

Who Is Affected by the DPDP Act?

The DPDP Act will apply to businesses that meet the following criteria:

You handle “digital personal data” that can identify the “data principal,” which refers to the individual the data pertains to.
The data you manage is either already in a digital format or will be converted to one. The act explicitly excludes non-digitized and offline personal data.
You process digital personal data within India’s borders. Alternatively, if you process this data outside India, it actively relates to providing goods or services to people in India.

Given the pervasive nature of personal data collection across various organizational functions—such as IT, human resources, finance, and information security—compliance with the DPDP Act is mandatory for organizations in all sectors.

What Are the Rights of Individuals (Data Principals) Under the DPDP Act?

The DPDP Act confers several rights upon citizens (Data Principals), which organizations are obligated to uphold. These rights include:

Right to Information: Data Principals have the right to be informed about their personal data being collected, the purpose of its collection, and the third parties with whom it’s shared.

Right to Access: Individuals are entitled to request and obtain access to their personal data being processed by an organization.

Right to Correction or Erasure: Data Principals can request the correction of inaccuracies in their personal data or its deletion under certain circumstances.

Right to Object: Under specific situations, Data Principals can rightfully object to the processing of their data.

Right to Data Portability: Data Principals can request the transfer of their personal data to another organization under certain conditions.

Right to Redress: Data Principals may file a complaint with the Data Protection Board (DPB) if they believe their personal data has been processed in violation of the DPDP Act.

Responsibilities of Data Fiduciaries

Under the DPDP Act, organizations processing personal data are subject to specific responsibilities and restrictions, which include:

Obtain Informed Consent: Organizations are required to secure explicit consent from individuals prior to processing their personal data, except where specific exemptions apply.

Purpose Limitation: Personal data must be used exclusively for the specified purposes. Any additional use warrants additional consent.

Data Protection: Adequate organizational and technical measures must be put in place to secure personal data from unauthorized access, use, disclosure, alteration, or destruction.

Rights of Individuals: Organizations are obligated to respond to individuals’ requests concerning access, correction, deletion, and objection to the processing of their personal data within a reasonable timeframe.

Data Breach Notification: In the event of a data breach, organizations must notify the Data Protection Board (DPB) within 72 hours of becoming aware of the incident.


Additional Responsibilities for Data Fiduciaries and Data Processors

Beyond the aforementioned obligations, organizations engaged in data processing should undertake the following measures to enhance their compliance readiness:

Evaluate Data Processing Practices: Organizations should systematically review their data processing practices—identifying any avenues requiring modification to align with the DPDP Act.

Formulate a Data Protection Policy: It is essential for organizations to create a comprehensive data protection policy that demonstrates their commitment to safeguarding personal data and delineates their data processing procedures.

Data Protection Officer (DPO): Organizations handling personal data on a substantial scale must appoint a Data Protection Officer (DPO). The DPO will be tasked with overseeing adherence to the DPDP Act and ensuring regulatory compliance.

Engage an Independent Auditor: To maintain continuous compliance, organizations should appoint an independent auditor to perform regular audits of their data protection practices.

What Are the Penalties for Non-Compliance With the DPDP Act?

Consistent with prevailing global privacy regulations, the DPDP Act enforces substantial fines for non-compliance, which include:

Zscaler as a DPDP Partner for Your Compliance Efforts

As a data processor, Zscaler is committed to partnering with you, the data controller, to help keep your organization DPDP-compliant.

The DPDP Act mandates regulatory obligations on your business that focus on how you can obtain consent, how you should respond to access requests, and how you should notify a data breach to authorities—essentially safeguarding personal data through stringent security protocols, data subject rights, and clear data handling practices.

Zscaler’s zero trust framework supports these requirements by enforcing a security model that assumes no implicit trust, regardless of whether a user is inside or outside the corporate network.

The zero trust approach continuously validates and monitors every request for access to applications and data, ensuring that users and devices are authenticated and authorized in real-time. This constant scrutiny helps prevent unauthorized access and data breaches, aligning with the DPDP Act’s emphasis on data security.

Additionally, Zscaler’s platform provides granular visibility and control over data flows, which is crucial for complying with the Act’s stipulations on data protection and privacy.

By integrating Zscaler’s zero trust platform, organizations can implement comprehensive security measures that protect sensitive information, ensure that data is only accessible by authorized individuals, and maintain detailed logs of data access and activities. This not only helps in meeting the DPDP Act’s compliance requirements but also enhances overall data governance and security posture.

There’s more. Watch this space for the next instalment of this blog series to uncover the intricacies of how Zscaler ties into the requirements of the DPDP Act.

Want to learn more about our architecture and privacy policy? Click here.

Want an in-depth analysis of our Data Privacy and protection overview? Click here.

Need to consult an expert? Talk to us.  
