The Digital Personal Data Protection Act (DPDP) 2023 is a major milestone for India! On August 11th, 2023, the DPDP Act received the assent of the President. This landmark legislation for India provides a legal framework to govern the personal data of citizens and places obligatory requirements to ensure consent-based data processing, accountability, and transparency. Let us understand what the act means for businesses and how CloudSEK can help you.
Overview
The act establishes a sophisticated legal framework for the handling of digital personal data, recognizing the rights of individuals to safeguard their personal information. It delineates 'personal data' as any data concerning an identifiable individual, whether directly linked through elements like full name and contact details, or indirectly associated with attributes such as job title, gender, or city of residence. Within the context of the act, the term 'person' is expansively defined, encompassing not only individuals but also legal entities such as companies, firms, or the State.
The rights and duties of data principals as well as the obligations of data fiduciaries are defined in the act. The data principal, the individual to whom the personal data pertains, possesses rights that encompass obtaining insights into the processing of their data, seeking rectification or deletion of personal data, nominating another person to exercise rights in the event of death or incapacity, and pursuing grievance redressal. Guided by principles of consent, data minimization, purpose limitation, accountability, and lawful and transparent utilization, the act identifies consent as the cardinal foundation for processing personal data. The data fiduciary, the entity tasked with determining the purpose and means of processing, must inform the data principal of the nature and intent of the collected personal data. Such data shall only be processed upon the express consent of the data principal, though the act does stipulate particular legitimate scenarios wherein data may be processed without consent (termed as ‘legitimate uses’ in the act). In specific cases, such as the prevention and investigation of offenses or the enforcement of legal rights or claims, the rights of the data principal and certain obligations of data fiduciaries are exempted. In specific cases, such as the prevention and investigation of offenses or the enforcement of legal rights or claims, the rights of the data principal and certain obligations of data fiduciaries are exempted.
Under the provisions of this act, a Data Protection Board of India (DPBI) has been established and the powers, functions, and procedures to be followed by the board are mentioned. Tasked with implementation, inquiry, and adjudication under the DPDP Act, the board shoulders substantial responsibilities. The schedule attached to the act details penalties for varied offenses relating to breaches of rights, duties, and obligations, including directives for remediation or mitigation of data breaches and the power to investigate such breaches and impose financial sanctions. DPDB 2023 in due course is set to further define the provisions and regulations. Applicable data processing regulations including sectoral ones will continue to apply, provided they do not conflict with the DPDP Act.
What does DPDP 2023 mean for businesses?
The enactment of the DPDP Act is poised to alter the existing state of affairs, making the preparation for compliance a matter of critical importance. The legislation has the capacity to notably impact firms and institutions within and beyond India. Adhering to rigorous compliance rules is mandatory for businesses, and non-compliance could lead to fines of up to INR 250 Crores. Duties for data fiduciaries encompass ensuring data accuracy and completeness, implementing reasonable security measures to thwart breaches, notifying the DPBI and those affected if a breach occurs, and deleting personal data once its purpose is fulfilled and legal retention is unnecessary. Furthermore, there are specific responsibilities regarding the handling of children's personal data. If DPBI determines a breach as 'significant' through inquiry, a second hearing will be provided before imposing penalties. The assessment will weigh factors such as the breach's nature, gravity, duration, affected personal data, recurrence, any gain from the breach, mitigation efforts, appropriate penalties, and potential impact on the person involved.
As per the act, there are specific clauses that relate to safeguarding personal data and addressing data breaches. Clause 8 (5) mandates Data Fiduciaries protect personal data with security safeguards while clause 8 (6) requires notification to the Board and affected Data Principals if a breach occurs. Clause 33 (2) specifies the considerations for determining monetary penalties for a breach, including its nature, impact on the person, and whether the penalty is proportionate and effective. With respect to the processing of personal data outside India, Clause 3 (b) specifies the processing of digital personal data outside the territory of India if goods and services are offered to individuals within India. Further, on purpose and storage limitations, clause 5 (l) (i) mandates the data fiduciary to mention personal data collected and the purpose for which it is being processed.
Let CloudSEK help you
There needs to be technological controls and processes in place for companies to protect personal data from breaches. Real-time monitoring and insights into existing and emerging threats can help businesses take proactive measures against attacks on personal data.
At CloudSEK, we combine the power of cyber Intelligence, brand monitoring, attack surface monitoring, infrastructure monitoring, and supply chain intelligence to give visibility and context to our customer's initial attack vectors (IAV).
Predict threats with CloudSEK
Comprehensive Attack Surface Monitoring (ASM) solution from CloudSEK helps organizations detect, predict, and minimize risks associated with external attack surfaces. Various IAVs from Webapps, SSL, network, DNS, mobile app, API, and cloud are analyzed to identify potential threats.
Monitoring and analyzing data breach with CloudSEK
CloudSEK's threat intelligence platform continuously monitors the dark web, code repositories, documents, hacker forums, and other online sources for any indications of compromised data related to your organization. This early detection helps in swift response and mitigation. We index the data breaches, analyze the breached data, and share reports with information covering the type of breach, duration, and impact on affected clients.
Asset Mapping with CloudSEK
CloudSEK assists in mapping and classifying data, helping organizations understand what data they have, where it resides, and its purpose. Mapping provides visibility into data flow to ensure that data does not inadvertently cross into jurisdictions where it might be subject to different legal requirements or risks. Our product, BeVigil, identifies where data is stored, whether on physical servers, in the cloud, or across different geographic locations. One way we do this is through subdomain enumeration and verifying if the IPs are geographically restricted.
Bringing trusted vendors with CloudSEK
CloudSEK’s SVigil provides a solution that addresses vendor-related risks. We analyze the security or trustworthiness of the known vendors of your organization and identify and monitor any existing or new vulnerabilities in all software, plugins, and dependencies used by your organization to the very detail including assessing the services running on each port.
Takedown with CloudSEK
The takedown involves automated detection and verification of the threat, followed by legal and technical measures to neutralize it. Swift action is taken to prevent further data exposure and potential breaches. Digital assets safeguarding, illegal copying, and distribution of your personal digital assets