The Digital Personal Data Protection Act, 2023

What is the Digital personal Data Protection (DPDP) Act?

Text

In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023. India’s Digital Personal Data Protection Act is a ground-breaking legislation that balances the rights of individuals to protect their personal data with the necessity of processing such data for lawful purposes. The Act imposes obligations on Data Fiduciaries, those processing data, and outlines the rights and duties of Data Principals, individuals to whom the data pertains. It also introduces financial penalties for breaches.

The 2023 act is the second version of the bill introduced in Parliament and fourth overall. In 2017, the Supreme Court of India recognized the right to privacy as a constitutionally protected right in the Puttaswamy judgement, also known as the Right to Privacy verdict. The court also noted India’s lack of a comprehensive privacy law and the limitations of the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules or SPDI Rules, implemented in 2011.

Following the Right to Privacy verdict, the government of India developed draft legislation designed to protect the privacy of Indians. Earlier versions of the Personal Data Protection Act received significant scrutiny and were ultimately unsuccessful, including the Data Protection Bill 2021, which bore some similarities to the European Union’s General Data Protection Regulation (GDPR). It was withdrawn in August 2022.

In November 2022, the Ministry of Electronics and Information Technology proposed the Digital Personal Data Protection Bill 2023, and in August 2023, the President of India formally enacted the “Digital Personal Data Protection Bill” following its approval from both houses of the Indian Parliament. 

Who does India’s Digital Personal Data Protection Act (DPDP Act) apply to?

Text

The DPDP Act applies to the processing of digital personal data, which is broadly defined as data in digital form (whether collected in digital form, or in non-digital form and then digitized) about an individual, who is identifiable by such data. DPDP Act applies to organizations processing data if the following conditions are met: 

Organizations processing “digital personal data,” which is capable of identifying the “data principal.” The Data Principal is the individual to whom the data relates. 

The data an organization processes is either collected in a digitized format or digitized. 

Organizations processing digital personal data within Indian territory. Alternatively, if you process digital personal data outside of India but the processing is in connection with an activity concerning the offering of goods or services to individuals in India 

Text

Aggregated data, data used for household/domestic purposes, and publicly available personal data are outside the scope of the DPDP Act. 

Fortra’s Digital Guardian can help you comply with the Digital personal Data Protection Act

Fortra's Digital Guardian can play a crucial role in helping organizations comply with India’s Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act focuses on the protection and processing of personal data, ensuring data privacy rights for individuals and enforcing accountability for data handlers. Digital Guardian addresses key aspects of this regulation with its comprehensive data protection and security solutions. Here's how: 

Monitoring and Reporting

Digital Guardian provides continuous monitoring and detailed reporting on data access and usage, helping organizations maintain transparency and accountability for compliance audits.

See Digital Guardian DLP in Action

GET A DEMO