Hackers of India

The DPDPA Effect: Jubilation, Twinge and Reticence that followed

 Rahul Sharma 

2023/08/07

Presentation Material

AI Generated Summarymay contain errors

Here is a summarized version of the content:

Data Erasure and Compliance

The Data Protection Act (DPDP) requires organizations to rethink their fundamental processes to ensure compliance. Failure to do so can result in significant penalties, including fines of up to ₹250 crore.

Key Provisions of DPDP

  1. Liberal Regime: The law allows for the free flow of data, except for certain restrictions.
  2. Children’s Data: Processing of children’s data (below 18 years) is heavily restricted.
  3. Consent Manager: A new concept introduced in DPDP, which exempts publicly available data from application of the law.
  4. Grievance Redressal: Built-in mechanisms for grievance redressal are emphasized in the law.

Compliance Aspects

  1. Data Mapping: Organizations need to understand where personal data is interacted with and identify areas that require notice refresh.
  2. Notice Refresh: Notices must be served in multiple languages, as per the 8th schedule of the Constitution.
  3. Grievance Officer Details: Organizations must provide details of grievance officers and data sharing practices.
  4. Processor Contract Review: Contracts with data processors need to be renegotiated to comply with DPDP.
  5. Employee Training: Employees across departments (sales, HR, finance, legal, etc.) require training on data protection practices.
  6. Reasonable Security Audits: Organizations must conduct regular security audits and privacy audits (for significant data fiduciaries).
  7. Documentation: Organizations need to maintain up-to-date documentation of their data protection practices.

Grievance Redressal Mechanisms

  1. Company Level: Grievances can be addressed at the company level.
  2. Data Protection Board: If not satisfied, grievances can be escalated to the Data Protection Board.
  3. Appellate Committee: Further appeals can be made to the Appellate Committee.
  4. Supreme Court: The Supreme Court is the final layer of grievance redressal.

Overall, DPDP requires significant process rethinking and compliance efforts from organizations to avoid penalties and ensure data protection practices are in place.