
Compliance with the Indian Digital Personal Data Protection Act 2023: What Do You Need to Know?

The Digital Personal Data Protection Act 2023 is the first cross-sectoral law on personal data protection in India and was enacted after more than half a decade of deliberation. The Act applies to the processing of digital personal data within the territory of India, whether the personal data was collected in digital form or collected in non-digital form and digitised subsequently. It also applies to the processing of digital personal data outside the territory of India if that processing is connected with offering goods or services to data principals within India. The Act affords the same level of protection to all digital personal data and does not define any category of sensitive personal data or critical personal data.

Key Tenets and Penalties

Consent and Consent Withdrawals

  • Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and signify agreement to the processing of personal data for the specified purpose;
  • Any part of a consent that infringes the provisions of the Act, the rules made under it, or any other law in force is invalid to the extent of that infringement;
  • A request for consent must be presented in English or in any language specified in the Eighth Schedule of the Constitution;
  • The data principal has the right to withdraw consent at any time;
  • Upon withdrawal of consent, the data fiduciary must, within a reasonable time, cease processing the personal data of the data principal (and cause its data processors to cease) unless processing without consent is required or authorised under the Act, the rules made under it, or any other law in force.

Data Principal’s Rights

  • Right to access information about their personal data and its processing;
  • Right to correction, completion, updating and erasure of personal data;
  • Right to grievance redressal.

Security Safeguards

  • A data fiduciary must implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act.
  • A data fiduciary must protect personal data in its possession or under its control, including data processed on its behalf by a data processor, by taking reasonable security safeguards to prevent personal data breaches.

Data Retention

Unless retention is necessary for compliance with any law in force, a data fiduciary must erase personal data either when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.

Processing of Personal Data Outside India

  • The Central Government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to any country or territory outside India.
  • Processing of the personal data of data principals who are not within the territory of India, pursuant to a contract entered into with a person outside India, is listed as an exemption in the Act.

The Digital Personal Data Protection Act 2023 provides for a penalty of up to INR 250 crore (approx. USD 30 million) for failing to take reasonable security safeguards to prevent a personal data breach.

Next Steps for Organizations

Step 1: Assess the current state. Review your organisation's current compliance with the Act's requirements and develop an action plan to close the gaps in its data-security posture.

  • Prepare a sensitive data inventory. The Zecurion Next Generation DLP Discovery Module detects data and classifies it with 10+ proprietary technologies, including templates, regular expressions and digital fingerprints. If a storage policy is violated, the software sends a notification and can move or even delete the information on the endpoint. A report on the incident is available in the Zecurion Reports unified console.
  • Make sure you know how data moves and where it is processed. The Discovery Module finds improperly stored sensitive data on local drives, shared folders, MS SharePoint, MS Exchange, and any database reachable over ODBC, so you can act before the data is lost or stolen. Zecurion Data-Centric Audit and Protection (DCAP) adds file visibility with a full history of the information lifecycle.
  • Define who has access to sensitive data, both within the organisation and at third parties outside it where applicable. Zecurion DCAP manages access rights and detects violations within the organisation, while the Traffic Control Module monitors traffic and controls the flow of data across more than 100 services, inside and outside the perimeter, to minimise the risk of intentional or inadvertent data loss.

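To make the first bullet concrete, here is an added example of how a discovery scan combines the two detection techniques named above, regex templates and digital fingerprints, to build a sensitive-data inventory. It is illustrative code written for this article, not Zecurion's product code. The regex templates (an e-mail address and a 10-digit Indian mobile number starting with 6 to 9) are assumed for illustration, and the "digital fingerprint" is simplified to a SHA-256 hash of each whitespace-normalised line of a known protected document; the sample files and the protected document are constructed inline so the script runs offline.

```python
"""Minimal sensitive-data discovery: regex templates plus digital fingerprints.

Added illustration for this article, not Zecurion's code. The corpus is an
in-memory mapping of path -> text so the scan runs offline; scan_directory()
applies the same logic to files on disk.
"""
import hashlib
import os
import re
from typing import Dict, List, Set, Tuple

# Assumed regex templates. An Indian mobile number is 10 digits starting with
# 6-9; the digit look-arounds stop the template from matching inside a longer
# digit run such as an order or invoice number.
TEMPLATES = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "in_mobile": re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"),
}

Finding = Tuple[str, int, str, str]  # (path, line number, category, evidence)


def _normalize(line: str) -> str:
    # Collapse whitespace and case so a copied paragraph still fingerprints the
    # same after being reflowed or re-saved in another editor.
    return " ".join(line.split()).lower()


def _line_hash(norm: str) -> str:
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def fingerprint_document(text: str) -> Set[str]:
    """Simplified digital fingerprint: SHA-256 of every substantial normalised line.

    Short lines are skipped, otherwise boilerplate such as 'Dear Sir' would
    fingerprint every letter on the file share.
    """
    prints = set()
    for line in text.splitlines():
        norm = _normalize(line)
        if len(norm) >= 20:
            prints.add(_line_hash(norm))
    return prints


def scan_text(path: str, text: str, known_prints: Set[str]) -> List[Finding]:
    """Return one finding per template hit or fingerprint match in a single file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in TEMPLATES.items():
            for m in pattern.finditer(line):
                # Mask the matched value: the inventory must not become a second
                # copy of the personal data it is cataloguing.
                findings.append((path, line_no, category, m.group(0)[:3] + "***"))
        norm = _normalize(line)
        if len(norm) >= 20 and _line_hash(norm) in known_prints:
            findings.append((path, line_no, "fingerprint", "matches protected document"))
    return findings


def scan_files(files: Dict[str, str], known_prints: Set[str]) -> Dict[str, List[Finding]]:
    """Scan an in-memory corpus; only files with at least one finding are reported."""
    report: Dict[str, List[Finding]] = {}
    for path, text in files.items():
        hits = scan_text(path, text, known_prints)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str, known_prints: Set[str]) -> Dict[str, List[Finding]]:
    """Same scan over real files; binary or unreadable files are skipped, not fatal."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    files[full] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(files, known_prints)


# Constructed sample data: one protected HR document and three files on a share.
PROTECTED_DOC = (
    "Employee medical leave record for Q3 2023, marked confidential.\n"
    "Do not forward outside HR."
)
SAMPLE_FILES = {
    "share/hr/new-joiner.txt": "Name: A. Example\nEmail: a.example@example.com\nMobile: +91 9876543210\n",
    "share/public/notes.txt": "Meeting room booked, order 1234567890 shipped.\n",
    "share/finance/forward.txt": "FYI\nEmployee medical leave record for Q3 2023, marked confidential.\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES, fingerprint_document(PROTECTED_DOC)).items():
        for _, line_no, category, evidence in hits:
            print(f"{path}:{line_no} [{category}] {evidence}")
```

Run as-is, the scan reports the e-mail and mobile number in the HR file and flags the finance file because one of its lines is a verbatim copy of a line from the protected document; the public notes file, whose 10-digit order number starts with 1, produces no finding. A production tool would add many more templates, checksum validation for identifiers that carry one, and fingerprints robust to partial edits, but the shape of the inventory (where the data is, what kind it is, and masked evidence) is the same.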
Step 2: Define policies and processes. Create rules for handling any data or people incidents within your infrastructure.

  • Establish data collection and control processes. Zecurion DLP supports report customisation: the Security Officer can create a new report or log with deep filter customisation using multi-level AND, OR and NOT Boolean logic.
  • Prepare content for privacy notices and consent requests. Zecurion DLP includes a unified employee profile section where all incidents and leakages and key user statistics are stored; UBA with the Staff Control module is also available when required.
  • Update or create data privacy policies. Zecurion uses a policy-oriented deployment approach: the Security Officer creates a policy once and broadcasts it to selected target channels, and Zecurion DLP can also block selected channels.

Step 3: Define an incident response plan. Know what to do in case of deviations in employee behaviour, policy violations or a data breach.

  • Collect and archive only the data needed for actual work processes. Categorise the data and define a retention period for each type, based on the inventory gathered with Zecurion Discovery.
  • Evaluate, agree on and implement data privacy technologies. Determine and address specific privacy needs with Zecurion DLP.
  • Implement incident response and investigation. The Zecurion Investigation Module reduces the security team's workload by providing a 360° view of current tasks with their statuses, investigation stage, assignees and deadlines. The team can comment on a task, discuss progress, and attach documents and incidents as evidence.
