What is Digital Personal Data Protection Act of India?

The new data protection law of India (DPDP Act) that was passed in August 2023 will affect every business entity in India, and affect every aspect of a business in India. At its core, it states the need for lawful processing and the right to protect personal data. Therefore, all of the data collected – of prospects, customers, employees, partners, suppliers etc – will need to be collected with explicit and clear consent and provide full rights to the data owners to update or revoke processing of data beyond the most essential within the ambit of the data protection laws of India.

What is personally identifiable information (PII) or personal data?

Any data about an individual, when used alone or in conjunction with other relevant information, can identify that individual.

Is the DPDP act similar to the GDPR act in Europe?

Much like the GDPR there are four key pillars to the data protection law:

Data Principal – The data owner (or data subject as in GDPR) who has ultimate control over their personal data and how its processed.

Data Fiduciary – The data controller takes ultimate responsibility for usage and processing of personal data strictly in accordance with the consent received from the data principal.

Data Processor – The data processor helps with the processing and storage of personal data. In most cases the data processer will be data fiduciary themselves but can appoint a third-party organisation to process data on their behalf.

Informed Consent – A clear, unambiguous consent presented to customers before collecting and processing data. Note that the consent can be corrected or revoked at any time by the data principal.

What does the law mean by Data Processing?

Data processing refers to all things that can be done with data such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. In short it refers to anything you do with personal data in your hands.

How does organisations go about protecting personal data as per the Indian Data Protection law?

While this will take an organisation wide change, at the most fundamental level, the key questions that every business need to ask when collecting personal data is:

• What data are we capturing?
• How do we use and process data?
• Where is data getting stored?
• Who has access to data?
• Is the consent plain and clear?
• Do we provide a way to address grievances?

A clear set of answers to the above will keep the organisations compliant with the digital personal data protection law. And the Atlas Dashboard Data Registry helps with the process to get started immediately.

What is Atlas Data Registry and how can it help?

Atlas Data Registry is a set of APIs, SDKs and no code GUI to help you get started on your data protection journey without any delays. You can add your systems and the data they collect and data they share into the data registry. You can create consent pages and enable them during onboarding of your customers across all your channel touch points. Every system capturing personal data will make a registry entry of the consent and the system capturing personal data. Note that no personal PII data is ever stored in the Data Registry. Your systems can query the Data Registry for the consent provided prior to processing data legally. All the requests raised by Data Principals can also be viewed and approved in a single place. In addition, you will have comprehensive reports to ensure you are fully compliant with the data protection law.

Does Atlas Data Registry store any of the personal data?

NO. The Data Registry simply registers the metadata (data about data) when capturing personal data. Your data will reside where they normally reside. The Data Registry will ensure that all of the data processing is done as per the consent given by the customer. So systems registered in the Registry can request for permission to enrol and query the registry to obtain the permission granted prior to processing data. For instance, if a System wants to send you personalised advertisement to your mobile, the system can first query the Registry for the permission granted by you. If you have denied permission for advertisement, the system cannot use your data for the same. Simple as that.

How do I get consent from my existing customers to process data?

This is poised to be the most challenging task for businesses in India. Nonetheless, we have significantly simplified the process. Utilize our consent designer in the Atlas Dashboard to easily create consent pages for various stakeholders—customers, employees, vendors, etc. Simply share the link via email or registered mobile to obtain their informed consent. The consent page allows users to review the collected and processed data shared with third parties. Users can provide informed consent, and this information will be securely stored in the data registry. It's essential to note that this is a one-time exercise to ensure ongoing compliance. And then you use our APIs for real time consent capture.

Will I as a small business have to comply with the Indian Data Protection Law?

Absolutely. The law to protect personal data is not only meant for large organisations such as Banks, Insurance and Telecoms. It applies to every company, big or small, that collect personal data from anyone such as customers, employees, suppliers and so on. If the data is held digitally, then it is incumbent on you to comply with the law. The good news is, it is not scary to get started. With some simple steps, you can get started for free using our Atlas Dashboard. Book a demo to see how you can be on your way to turn compliance into competitive advantage.

If you are a very small entity with few customers and few employees then you can manage with simple email-based consent letters. However, if you are a growing company with many new customers, then its best to use a technology solution such as ours right from the start.

How will organisations be judged by customers for protecting their personal data?

Organisations will be judged not just for their brand value and instead judged by how they safeguard their privacy without the ad bombs and SMS hinderances and more recently wading into our private WhatsApp communications disrupting every aspect of our lives from getting life done.

• What data does the organisation collect?
• Is the consent provided to me clear?
• Is the data collected only for the purposes informed in the consent?
• Is the data adequate (not more) for the product/service I am choosing?
• How does the organisation secure my data?
• What data does the organisation share with others for legitimate processing?
• Is my data sold to third parties (other than the purpose for which it was obtained)?
• What rights do I have to my data?
• Can I control the use of my data? – e.g. restrict access to third parties, erase etc
• Can I download use of my data?
• How easy it is for me to control my data?
• Is there a grievance officer that I can complain if my queries are not heard?

How do I start the DPDP process?

Migrating to the new DPDP regime is not easy. While a reasonable amount of effort was added to protect data, the DPDP law mandates user consent at the centre of data processing which is a step change in how data was handled thus far. Migrating to DPDP regime requires a concerted effort to identify all of the source systems collecting PII data, storage systems, data processors handling PII data, purpose for which PII data is handled and fresh data consent from data owners. A massive effort is needed to get the required consent before going ahead with processing of data from here on which will impact every system handling PII data at the moment. We have largely simplified the process with the system enrolment, consent designer and simple plug and play APIs. Please book a demo so you can see for yourself how you can begin the journey towards lifelong data protection compliance.

What control do data principals have over their data?

Citizens – data principals, have ultimate right to view how their data is being processed and change or revoke their preferences anytime. In particular, data principals have the following rights under the current data protection law.

• Right of access
• Right to correction
• Right to erasure
• Right to withdraw consent
• Right to grievance redressal
• Right to nominate any other individual who, in the event of death or incapacity of the data principal, can exercise their rights under the Act.