Data Privacy Hub

Six years after India recognized privacy as a constitutional right, the country finally has its national data protection law, the Digital Personal Data Protection Act (DPDPA). DPDPA has officially made its way through both houses of India's parliament, although there is no set date for the law's enactment yet.

The law is heavily modeled after the EU's GDPR, although it does use several different wordings (even where definitions, for de facto compliance, are the same), including these changes:

• Data subjects -> "Data principals"
• Data processors -> "Data fiduciaries"
• Data controllers -> "Significant data fiduciaries"

This law also has the interesting approach of not categorizing anything as "sensitive data" like in the GDPR or US state laws, instead covering all personal data with the same protections. It also lacks either a revenue or data processing threshold, indicating that any company that processes personal data will in theory need to comply with the law.

Business obligations will include:

• Having security safeguards to prevent personal data breach;
• The need to inform individuals and the nation’s Data Protection Board about data breaches that have compromised personal data;
• Erasing personal data when it is no longer needed for the specified purpose;
• Erasing personal data upon withdrawal of consent;
• Putting grievance redressal systems and a Data Protection Officer in place to respond to address requests from Data Principals; and
• Following all other specified obligations required of Data Fiduciaries classified as Significant Data Fiduciaries, including appointing an independent data auditor and conducting periodic Data Protection Impact Assessment

Fines can range from as little as $120 USD to $30 million USD.

For a more complete review of the DPDPA, see our guide here.