It has been a couple of months since the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), and the compliance deadline for businesses is expected to be announced very soon (along with the rules, which are expected to provide better insight into the manner of compliance with the provisions of the DPDPA). This interim timeframe provides a good opportunity for businesses to make suitable changes to their data processing protocols and measures to ensure that they’re not caught off guard in the event a short timeline is announced to comply with the requirements under the statute.
All businesses should ideally start taking the following steps (after consultation with legal counsel and information security experts):
- Ascertain the applicable data processing obligations under the DPDPA and prepare a list of applicable compliances.
- Develop a suitable mechanism to obtain consent as per the requirements of the DPDPA.
- Identify third-party data processors and make suitable amendments to the agreements with such entities (to ensure that they are compliant with the provisions of the DPDPA).
- Implement mechanisms to enable data principals to exercise their rights under the DPDPA.
- Analyze whether the personal data of children is being collected and if so, deploy suitable measures to ensure that verifiable consent is being sought from the parent/legal guardian (of such child).
- While the threshold of significant data fiduciaries has not yet been released, large corporations should ideally prepare themselves for added compliances including the appointment of a data protection officer, deploy administrative and technical mechanisms to report data breaches to the Data Protection Board of India as well as the affected Data Principals, prepare for independent data audits, etc.