GDPR, California’s CCPA, China’s PIPL and many, many more. The past five years have seen both an explosion in public consciousness around data protection and numerous pieces of legislation designed to keep increasingly wary populations and their data safe from breaches, whether caused by negligence or outright fraud.
India’s proposed Digital Personal Data Protection Bill (DPDP Bill) is another example of this trend. At Crown Records Management, our aim is to elucidate the key aspects of this bill, its potential impact, and how our expertise in information management can help your organization navigate this change.
Key Aspects of the DPDP Bill
Set to replace India’s decades-old IT laws, formulated when the age-old process of paper forms was still the rule, the DPDP Bill is an expansive piece of legislation that employs a rights-based framework for data protection, reinforcing user rights while placing stringent responsibilities on entities involved in personal data processing. If you’re already familiar with existing data-protection laws like GDPR, most of this will be familiar to you and (hopefully) your organization. Here’s a quick summary of the main principles.
- Applicability: The DPDP Bill is designed to apply to both government and private entities, at the domestic and international level, if the data in question pertains to Indian citizens.
- Data Localization: A point of contention within the Bill is data localization. This clause requires a copy of all personal data to be stored on servers located within India. Additionally, it stipulates that critical personal data may be processed exclusively within India.
- Consent: The Bill underscores the necessity of informed and explicit consent for data processing, raising the bar for how and when consent is procured.
- Data Protection Authority (DPA): The legislation proposes the creation of a DPA, which will be responsible for enforcing rules, conducting investigations, and imposing penalties for violations.
- Penalties: Non-compliance could result in severe penalties, including fines amounting to 4% of a company’s global annual turnover.
- Individual Rights: The DPDP Bill also grants individuals several rights, such as the right to data portability, correction, and erasure.
Interestingly, it’s also the first data-protection law formulated since the rise of generative AI, which has provoked heated discussion over whether the bill should be amended to reflect the realities of a world with Google’s Bard and OpenAI’s ChatGPT.
Timeline and Global Context
The DPDP Bill, which had been under discussion for some time before reaching the legislature, was enacted on August 11, 2023 and will acquire the force of law when the central government sets an appropriate date (expected to be within ten months of its enactment, so around May 2024 at the latest).
As mentioned, the DPDP Bill’s overarching principles align closely with other significant data protection laws globally, such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US. If your business already has established compliance practices for these regulations, adapting to the DPDP will be a smoother process.
Implications for Businesses
So what exactly are the implications if you’re not already aligned, or don’t have an alignment process in place?
- Compliance: Businesses must ensure alignment of their data processing activities with the DPDP Bill. This involves reviewing and revising privacy policies, consent mechanisms, and data management methods.
- Infrastructure Adaptation: The data localization clause may require substantial investments in data centers and storage solutions within India. Much like other such laws, the DPDP is strict about extra-territorial transfers of data concerning Indian citizens.
- Expanded Responsibility: Again, much like GDPR, PIPL and other such laws, organizations will now have to appoint a Data Protection Officer to ensure ongoing compliance and manage interactions with the DPA.
These are the fundamental implications on a day-to-day level, but there is obviously more detail beyond this. For example, a rather broad range of state entities are exempt from most aspects of the bill and are granted more freedom over the transfer and use of personal data.
The fines, again, are broadly like GDPR in that failure to take reasonable safety measures entails up to US $3 billion in fines, or 2% of global turnover (though only in the most egregious cases, for example, negligence of even the most basic requirements such as the appointment of a DPO). Much like other data-protection laws, the full extent to which the bill is enforced, and crucially how the courts interpret it in particularly nebulous situations, will be determined only after the first cases are heard and ruled on, which could take several years.
Don’t know where to start?
- Compliance Consultancy: We can assist you in understanding the DPDP Bill’s intricacies, assessing its impact on your business, and devising a tailored compliance strategy.
- Digital Transformation Support: Our proven expertise in guiding some of the largest multinationals through digital transitions can help you reduce your reliance on paper and move your data into secure, compliant digital formats. This is perhaps your best place to start, since we can provide a roadmap for digitization.
The DPDP Bill is poised to revolutionize India’s data protection landscape. As your reliable partner, Crown Records Management is committed to helping you understand, prepare for, and navigate this paradigm shift effectively.
If you’d like to learn more about the potential impact of the DPDP Bill and how Crown Records Management can help, get in touch with us today.