The Digital Personal Data Protection Act, 2023 establishes a framework for the processing of digital personal data in India, emphasizing consent, data principal rights, and obligations of data fiduciaries. It introduces penalties for non-compliance and mandates the establishment of a Data Protection Board to oversee enforcement. Key features include provisions for children's data protection, breach notifications, and the appointment of Data Protection Officers for significant data fiduciaries.


Salient features of the Act

Journey So Far
► August 2017: Hon’ble Supreme Court of India declared Right to Privacy as a fundamental right in the K.S. Puttaswamy judgement
► July 2018: Committee formed under the chairmanship of Justice Srikrishna submits its report along with the draft of the PDP Act, 2018
► December 2019: The PDP Act, 2019 introduced in the Lok Sabha and referred to the Joint Parliamentary Committee (JPC)
► December 2021: JPC releases its report and a new version of the Act as the Data Protection Act (DPA)
► November 2022: Ministry of Electronics and Information Technology (MeitY) releases the draft Digital Personal Data Protection Bill (DPDPB) for public consultation
► July 2023: Union Cabinet approves the draft DPDP Bill, 2023
► August 2023: The President of India assents to the Bill to make Digital Personal Data Protection (DPDP) an Act

Applicability of the Act

Applies to
► Processing of digital and digitized personal data
► Processing of personal data within the territory of India and outside India
► Activity related to offering goods and services to Data Principals within India

Does not apply to
► Processing for domestic or personal purposes by individuals
► Personal data made publicly available

Key Terminologies

Consent
Organizations should seek a consent which is a freely given, specific, informed and unambiguous indication of the Data Principal's wishes, by a clear affirmative action.

Consent Manager
A consent manager represents the Data Principal and takes action on their behalf when granting, managing, reviewing and revoking consent.

Notice
Should be clear, itemized and in simple language. Data Principals should have the option to access the information in English or in any of the 22 languages (as per the Eighth Schedule of the Indian Constitution).

Data Fiduciary
Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Processing outside India
Government to notify countries to which transfer is not permissible, unlike the whitelisting approach under the General Data Protection Regulation (GDPR).

Data Principal
► An individual to whom the personal data relates
► A child, includes the parents or lawful guardian of such a child
► A person with disability, includes their lawful guardian acting on their behalf

Children’s Data
For children < 18 years of age, consent from Parents/Guardians is required. Behavioural monitoring and Targeted Advertising is prohibited.

Data Processor
Any person who processes personal data on behalf of a Data Fiduciary.

Legitimate Uses
Consent is not expressly needed for situations such as
► Voluntary disclosure by data principal
► Reasonable expectation by data principal
► Performance of function under the law
► Medical emergency, among others
► Compliance with any judgment issued under any law
► Threat to public health
► Ensure safety in case of any disaster

The Digital Personal Data Protection Act, 2023 2


Obligations of the Data Fiduciary
► Engage with a Data Processor to process personal data on its behalf through a valid contract only
► Provide a clear, concise and comprehensible notice to Data Principals
► Obtain verifiable parental consent before processing children’s personal data
► Abstain from processing personal data that may cause harm to children, or undertaking behavioural monitoring of children or targeted advertising directed at children
► Implement technical and organizational measures to ensure effective adherence with the Act
► Delete, and cause its Data Processor to erase, personal data as soon as the purpose is accomplished
► Report Personal Data Breaches to the Data Protection Board and the affected Data Principals

Significant Data Fiduciary

A Significant Data Fiduciary will be determined based on an assessment which includes
► The volume and sensitivity of personal data processed
► Risk to the rights of the data principal
► Potential impact on the sovereignty and integrity of India
► Risk to electoral democracy
► Security of the state
► Public order

Obligations of the Significant Data Fiduciary
► Appoint a Data Protection Officer (DPO) based in India
► Appoint an Independent Data Auditor for evaluating compliance
► Conduct Data Protection Impact Assessment (DPIA) & periodic audits

Data Principal Rights

► Right to information: Data Principals have the right to seek information on how their data is processed, available in a clear and understandable way
► Right to correction and erasure: Individuals have the right to correct inaccurate / incomplete data and erase data that is no longer required for processing
► Right to grievance redressal*: Individuals have the right to readily available means of registering a grievance with a Data Fiduciary
► Right to nominate: Individuals can nominate any other individual to exercise these rights in the event of death or incapacity

*Timeline to respond to grievances raised by Data Principals shall be notified by the Central Government



Personal Data Breach

► A Data Fiduciary is required to protect personal data, including any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a Personal Data Breach.
► In the event of a Personal Data Breach, the Data Fiduciary needs to notify the Board and each affected Data Principal of such breach.
► No specific timeline for reporting the breach
► Data Fiduciaries to inform about the breach in the prescribed form

Penalties
► Up to INR 10,000: Breach in observance of duty of Data Principal
► Up to INR 200 Crore: Breach in not giving notice of Personal Data Breach
► Up to INR 200 Crore: Breach in observance of additional obligation in relation to children
► Up to INR 250 Crore: Non-compliance with the provisions by Data Fiduciaries

The Data Protection Board

The Central Government shall, by notification, appoint and establish an independent board to be called the Data Protection Board of India (Board).
► This Board should consist of a chairperson and other members, who should be appointed by the Central Government
► The Board is entrusted with the task of enforcement, including determining non-compliances, imposing penalties, issuing directions and mediation (to resolve disputes between parties) to ensure compliance with the law
► The Board is vested with the powers of a civil court, and appeals against its decisions lie to the Telecom Disputes Settlement and Appellate Tribunal

Amendments to Prevailing Laws

The existing IT Act, 2000 and Right to Information Act, 2005 are amended as follows:
► Article 43(A) (Compensation for failure to protect data) of the IT Act, 2000 is omitted
► Section 8(1)(j) of the RTI Act, 2005 is amended to exempt personal information which allows disclosure for public interest


Key Highlights
► Considering the volume and nature of personal data processed, the Central Government may, by notification, exempt certain provisions of the Act for a Data Fiduciary or a class of Data Fiduciaries, including startups
► When the consent for processing Personal Data was provided before the commencement of this Act, the Data Fiduciary needs to provide a detailed privacy notice describing the Personal Data collected and the purpose as soon as practicable after the enactment of this Act
► Certain provisions* of the Act will not be applicable to the processing in India of the Personal Data of a Data Principal not based in India, pursuant to a contract signed with a person outside India
► The Central Government may, upon ensuring that the processing is verifiably safe, notify the age above which a Data Fiduciary shall be exempt from the applicability of children’s personal data obligations
► The Data Principal shall exhaust the opportunity of redressing her grievance with the Data Fiduciary before approaching the Data Protection Board of India

Exemptions
The DPDP Act exempts a Data Fiduciary from certain obligations (except for being responsible for its data processor and taking reasonable security safeguards) under specified circumstances, including
► Processing for enforcing any legal right or claim
► Processing for performance of any judicial or quasi-judicial functions by any Indian court/tribunal or other body
► Processing in the interest of prevention, detection, investigation or prosecution of any offence under any law
► Processing of Data Principals outside the territory of India pursuant to any contract entered into with any person outside the territory of India by any person based in India
► Processing necessary for a merger / amalgamation or similar arrangement as approved by a court or other competent authority

Ambiguities
The following are ambiguities in the Act:

01 Children’s Data
The definition of a detrimental effect on the well-being of a child as a result of processing their Personal Data has not been specified.

02 Breach Notification
Absence of a defined timeline for notifying a Personal Data Breach to the Data Protection Board and the affected Data Principal(s).

03 Publicly available data
The Act exempts any Personal Data that is made publicly available, but it does not clarify whether information made available to the public can be used for processing or only for view-only purposes.

04 Data Principal Request timeline
The Act has not specified a timeframe for Data Fiduciaries to respond to Data Principal requests.

GDPR v/s DPDPA

Difference
The following are the key differences between the DPDP Act, 2023 and the General Data Protection Regulation (GDPR):

Scope
► GDPR: Applies to processing of Personal Data wholly or partly by automated means and to Personal Data which forms or will form a part of a filing system
► DPDP Act: Will apply to digitized personal data and non-digitized personal data which is subsequently digitized

Penalties
► GDPR: Penalties extend to 20 million euros, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher
► DPDP Act: Penalties extend up to INR 250 crore

Children’s data
► GDPR: Minors under age 16 need parental consent. Member states of Europe can lower this age to 13 for their regions
► DPDP Act: Children under the age of 18 need consent from parents/ guardian

Breach notification
► GDPR: Breaches should be notified to the Supervisory Authority within 72 hours and possibly to the affected Data Subjects
► DPDP Act: The Act does not specify a timeframe for Personal Data Breach notification

Rights
► GDPR: Does not include a right to nominate, however provides for the right to portability
► DPDP Act: Comprises an additional right to nominate, while omitting the right to portability

Response timeline
► GDPR: Organizations have 30 days to respond to a Data Subject request
► DPDP Act: The timeline to respond to Data Principal requests has not been specified

Cross-border transfer
► GDPR: Lays down specific mechanisms for transferring data to a third country, such as standard contractual clauses and binding corporate rules
► DPDP Act: Has not identified any mechanisms for transferring Personal Data

Data Protection Officer
► GDPR: Both Controllers and Processors are under the obligation to appoint a DPO in specific circumstances
► DPDP Act: Only the Significant Data Fiduciary shall have to appoint a DPO as a point of contact for the Data Protection Board

Records of processing
► GDPR: Data Controller and Data Processor are required to maintain records of processing activities (ROPA)
► DPDP Act: Does not include any obligation for Data Fiduciaries to maintain records of processing activities (ROPA)

Notice languages
► GDPR: Does not explicitly require notice to be provided in regional languages
► DPDP Act: Requires Data Fiduciaries to provide notice in 22 Indian languages in addition to English

DPIA
► GDPR: Data Protection Impact Assessment (DPIA) is to be conducted by Data Controllers for all high-risk processing activities
► DPDP Act: Significant Data Fiduciaries are obligated to conduct periodic Data Protection Impact Assessments (DPIA)



What’s Now, Next and Beyond

Journey to Compliance
As organizations embark on the journey toward compliance with the DPDP Act 2023, there are multiple facets and requirements as per the Act, which could be phased in over 3 – 24 months for an effective and sustainable Data Privacy and Protection Program.

Now (3 – 6 months)
► Undertake a Data Privacy Assessment to understand the current posture toward privacy and the requirements
► Develop a Data Privacy framework to strengthen your organization’s Data Privacy Program
► Establish the Data Privacy Organization to drive the program
► Data Discovery, Classification, and Mapping exercise to identify the Personal Data touch points, and structured and unstructured data across the environment, and classify them
► Develop an inventory of assets processing personal information and also the entire list of suppliers / 3rd parties leveraged for various purposes / delivering the services

Next (6 – 12 months)
► Develop/update relevant policies and underlying procedures to outlay the intent and a consistent approach toward privacy and protection
► Conduct Data Privacy Impact Assessments (DPIAs) for the high-risk in-scope business functions/ applications to identify the potential risk exposure
► Establish mechanisms for:
  ► Consent management
  ► Data Principal rights
  ► Breach notification
  ► Technical safeguards
  ► Training and awareness
  ► Periodic audits

Beyond (12 – 24 months)
► Implement Privacy Enabling Technologies (PETs) to reduce manual tasks, and manage your data governance activities in an automated manner
► Undertake external certifications to demonstrate compliance toward the Privacy Information Management System
► Establish and drive cyber culture in the enterprise
► Strong cyber governance mechanism sponsored by the Board
► Continuous monitoring of the notifications and amendments by the Data Protection Board / Central Government

*Note: Conducting DPIAs is a mandatory requirement for a Significant Data Fiduciary

How EY can help

Journey to Compliance
Our broad transformation approach considers the key facets of the Act across the organization’s data management lifecycle

► Data Privacy Assessment: Assess the current Data Privacy posture, working practices and documentation against the requirements of the DPDP Act
► Data Discovery and Mapping: Identify the Personal Data touch points and conduct data discovery and mapping activities
► Third-Party Risk Management: Identify the third-party ecosystem and ensure organizational and technical security measures are implemented through inclusion of the same within valid contracts
► Technical Safeguards: Identify the critical business processes/assets/applications which process large volumes of Personal Data and implement technical security measures
► Training and Awareness: Socialization workshops for employees, management personnel and third parties to promote a privacy-inclusive culture throughout the organization
► Data Privacy Framework Development: Develop a Data Privacy framework to strengthen your organization’s data privacy program
► Privacy Risk Assessment: Perform Data Protection Impact Assessments (DPIA) for the high-risk in-scope business functions/ applications to identify the potential risk exposure*
► Privacy Enhancing Technologies: Reduce manual tasks with integrated workflows through Privacy Enhancing Technologies and manage your data governance activities in an automated manner
► Internal Audit Assistance: Independent Data Privacy audits to identify the gaps and risks on a periodic basis
