BTG Legal recently held a brainstorming session with various general counsels. The participants raised quite a few interesting questions on the nuances of the Digital Personal Data Protection Act, 2023.

Here are a set of FAQs, answering some of these questions.

[Please note that these responses are indicative, and provided for discussion purposes, and should not be treated as legal advice]

1. What is the DPDP, and how will it affect my organisation?

The Digital Personal Data Protection Act, 2023 ("DPDP Act") is the latest legislation governing how organizations will process, retain and protect the digital personal data of individuals. Each organization that collects and processes digital personal data of any individual, including its own employees, will be required to comply with these new regulations. It is important to note that personal data can only be processed with proper consent and for certain outlined legitimate uses.

2. What is personal data?

The DPDP Act defines personal data as "any data about an individual who is identifiable by or in relation to such data". This will include all sorts of personal identification information such as name, address, phone number, Aadhaar, PAN card, Passport, etc.

3. What consent is required for processing personal data? How do I collect it?

Prior to processing any personal data, the DPDP Act requires the consent of every individual whose data you are intending to collect and process. The request for consent must be accompanied by a notice describing the nature and purpose of collecting that data, the manner of exercising the rights of individuals whose data is being collected, and the manner of making complaints to the (proposed) Data Protection Board of India.

4. How do I know if the data that my organization is processing is covered by the DPDP?

The DPDP Act expressly governs personal data in digital form, which relates to any data which enables the identification of an individual. Therefore, if your organisation collects and processes personal identification information of individuals, such as their name, address, phone number, Aadhaar, PAN card, Passport, etc., it will be covered within this law. Note that even names and email ids of your counterparts at other organisations will trigger this requirement.

5. My organization is only processing data on behalf of others. Does it still need to comply with the DPDP?

The DPDP Act permits the processing of personal data on behalf of others only under a valid contract, for any activity related to the offering of goods or services to the individuals whose data is being collected. As a "data processor", you will need to comply with the technical and organisational safety standards set out by the person you have contracted with. In addition, you should comply with the contract terms under which you have been provided the data set.

6. Are there any exceptions allowed for employment related data collection, etc.?

Yes. The DPDP Act enumerates certain "legitimate uses" under which data can be processed without the express consent of an individual. One such legitimate use is employment-related data collection. As such, if you are an employer seeking personal data for safeguarding yourself from loss or liability such as prevention of corporate espionage and maintenance of confidentiality of trade secrets, you are allowed to collect and process the same under the new law. However, you cannot use this data for unconnected purposes, such as marketing your products!

7. Am I allowed to transfer data outside of India?

Yes, the DPDP Act allows the transfer of data outside the territorial bounds of India. However, under the Act, the Government reserves the right to restrict cross-border transfers to countries that they may notify from time to time (a "Blacklist" mechanism). Also note that the DPDP Act, 2023 does not affect any other sectoral laws restricting transfer of data, for example the Reserve Bank of India's 2018 strictures on payment data.

8. What all can a 'data principal' ask me for in respect of his/her data?

A 'Data Principal' can request you for a summary of their personal data which is being processed by you and the processing activities undertaken by you with respect to such personal data. Data Principals can also request you for the identities of all other Data Fiduciaries and Data Processors with whom you have shared the personal data, along with a description of the personal data so shared. Note that you have to put in place a grievance redressal mechanism that facilitates this.

9. Does the DPDP deal with encryption?

Not expressly, though anonymised data is a possible exception from the provisions of the Act. The answer here will depend on the type, nature, and purpose of encryption you are applying.

10. How does the DPDP change an organization's response to personal data breaches?

In case of personal data breaches, the DPDP Act requires Data Fiduciaries to intimate the Data Protection Board of India as well as each affected individual of such breach. The manner and timeline of the same, however, will be prescribed in the coming months in Rules. Again, note that your reporting obligations under other laws do not change, for example the CERT-In Directions.

11. What technical standards are to be implemented now?

At the moment, the standards that need to be followed are ISO 27001, or equivalent. This may change once the Rules are implemented.

12. When is the effective / enforcement date of the new regime? And finally, what penalties can be imposed under the new law?

While the Act has been notified, we understand it will be brought into force in phases over the next 6-12 months.

Thankfully, the DPDP Act, 2023 only provides for monetary penalties, and not jail time like some earlier drafts. Fines can range up to Indian Rupees 250 crores (about USD 30 million), for egregious and recidivist breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.