Demystifying the ‘Digital Personal Data Protection Act 2023’

On 09^th August, 2023, both the houses of the Parliament approved the ‘Digital Personal Data Protection Act 2023’ paving way for its enforcement into India’s new Data Privacy law in the coming days. The act regulates the processing of personal information data in India, and increases the obligations for businesses for closer and more comprehensive oversight over their data processing and data protection measures. The specific date for the enforcement of the act is yet to be confirmed.

Key provisions of the act

Consent and Notice:

Businesses are required to provide an itemised notice in clear and plain language containing a description of personal data sought to be collected by them and the purpose of processing of such personal data to the Data Principal (DP) on which the DP can provide freely given and informed consent; agreement to the processing of personal data for specific purposes. The written notice needs to be clear, plain, and available to DPs in English, with an option to read the same in all languages listed in the Eighth Schedule of the Constitution [Section 6(3)].

The privacy notice to the DP is required to be prominently displayed to the DP at the time of obtaining consent and before processing of PI.

Technological Infrastructure:

Businesses are required to implement necessary and appropriate technological infrastructure for efficient adherence to their duties under the act in order to facilitate DPs in exercising their rights including rights to withdraw consent or to correct or erase their PIs.

Deemed Consent:

The act also provides for ‘deemed consent’ (Section 8) to Data Fiduciaries in instances where there is a fair, reasonable and legitimate basis and interest involved in processing of PI from DPs end. For instance, for employment-related purposes; or for matters where legitimate interests of the fiduciaries outweigh the adverse effects on rights of DPs.

Consent Managers:

As part of the Section 7(6), ‘Consent Managers’ are defined as “third party Data Fiduciary, who are accountable for and act on behalf of the DP to enable them give, manage, review and withdraw their consent through a platform which is accessible, transparent and interoperable”. Businesses need to make secure technological integrations with such Consent Managers in the near future to be compliant and securely share data with such consent managers.

For example – the Banking sector has its own Consent Managers for data sharing and consent management in form of Account Aggregators, which are regulated by the RBI.

Data Breaches:

The act establishes breach notification requirement for DFs and Data Processors, whereby an affected DP and the Data Protection Board of India (Board) established by the Central Government for the purposes of this Act will need to be notified by businesses in the event of a ‘personal data breach.’

‘Personal data breach’ is defined in the act as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”

The definition is wide enough to encompass incidents like loss/ theft of an employee’s laptop containing third party PI to qualify as a data breach. Businesses will need to deploy necessary personnel, breach notification procedures and information security management systems for compliance which will likely to increase the cost of compliance.

Data Transfers:

Upon receipt of consent, businesses are permitted to transfer PI to other Processors (other Fiduciaries), provided a valid contract exists between Businesses and Processors. In cases where the Processor also needs to sub-contract their processing activity to another Fiduciary, the same needs to be done with a valid contract of engagement with such sub-contracted Processor.

Processing of Children’s Data:

Businesses will need to form processes to obtain parental consent for processing data of any individual below age of 18. Businesses are also expected to not carry out any tracking and behavioural monitoring of children or advertisement targeted on them.

Data Retention:

Businesses are expected to cease retention of the PI once its purpose is served and no longer necessary for legal or business purposes. Although, businesses can modify PI in a manner where it cannot be associated with DP (Data anonymisation).

Data Erasure:

Businesses will need to erase data upon receipt of request from DP unless retention is necessary for legal purposes (Section 13(2)(d)).

Significant Data Fiduciaries:

Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including:

1. the volume and sensitivity of personal data processed;
2. risk of harm to the Data Principal;
3. potential impact on the sovereignty and integrity of India;
4. risk to electoral democracy;
5. security of the State;
6. public order; and
7. such other factors as it may consider necessary

Significant Data Fiduciaries (SDF) will be required to appoint a Data Protection Officer who will be based in India and report to the Board of Directors; SDFs will also need to appoint an independent data auditor and undertake a data protection impact assessment.

Who is affected?

The act applies to any business that processes PI either collected online or converted into digital format from physical within the territory of India. The act also applies to businesses based outside India which ‘process’ PI of any Data Principal (defined in the act as “the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child”) in India for the purpose of profiling of, or activity of providing goods and services to Data Principals within territory of India.

What does this mean for businesses?

Upon its likely enactment, practical implications of the act include:

• Increased compliance costs; any business handling PI must ensure that the consent and notice requirements towards DPs are met and that infrastructure and policies are in place for complying with requirements around retention and erasure.
• Increased incident response costs; in the event of data breach the new act widens the scope of culpability and ambit for regulatory investigation. Responses to these investigations may be lengthy and costly.
• Heightened financial penalties; organisations in breach of new regulations may face financial penalties of up to INR 250 Crores.

Next steps

Some of the key aspects to start looking into would be as follows:

• Consult with relevant attorneys to ensure proper privacy disclosure and consent guidelines are followed and “compliance and privacy by design” is well entrenched in processes for obtaining, storing and processing personal information as part of business operations.
• Identify and assess whether information handled (however minimally) by the company qualifies as “personal information” under the statute.
• Develop and implement data management systems and processes that will enable compliance with the statute especially aspects related to notice of consent requirement and recording consent.
• Data classification capabilities and mapping data process flows will be imperative in responding to a consumer exercising his or her rights under the statute. Ignorance is no defence.
• Implement and operationalise intake and resolution of consumer complaints under the statute.
• Develop a fully integrated, comprehensive risk management plan that emphasises people, capital and technology protections to effectively manage cyber and privacy risk across your enterprise and to ensure resiliency.
• Develop and prioritise data privacy and cyber risk awareness and process related trainings for employees which are periodical, repetitive and are continually updated and improved.
• Implement periodical process of auditing the technology and processes implemented by Third party services providers especially data management sub-contractors in ensuring the Confidentiality, Integrity and Accessibility of third-party Personal Information entrusted in their care, custody and control.

Management must be aware of these heightened obligations and empower their business units with touchpoints on personal data (IT, Legal, HR, amongst others) to review and update their IT, data protection, data retention, and cybersecurity policies. It will become imperative for businesses to have processes and safeguards for handling and protecting personal information, procedures for consent withdrawal, correction, erasure, and grievance redressal, and provisions for providing information to data subjects to significantly reduce and avoid the exposure to data breach incidents.

Board obligations around data protection and cybersecurity can no longer be ignored or passed off to IT departments. C-suites are being held accountable on a global scale to make sure data protection procedures are up to par. This act serves to further reiterate and enforce the same in the Indian territory, significantly increasing the implications of a data breach incident involving personal information.

WTW recommendations

Risk transfer considerations to mitigate and minimise losses:

Given the imminent and ever-evolving nature of the cyber and data breach incidents, organisations need to realise that while enhancing data protection and cyber security investments are critical, it can only reduce the exposure but cannot completely eradicate the risk. An organisation's cyber security is only as strong as its weakest link, thus boards should seriously think about boosting the "Recovery" component of their cyber risk management strategy.

Organisations should invest in conducting ‘Impact Assessments’ (also indicated in the act-Section 11.2(C)) not only from a customary operational and legal standpoint but also extend these assessments to include a loss quantification exercise to estimate likelihood and severity of losses from privacy breach and network outage incidents. Planning and testing effective incident response plans and business continuity plans is a crucial component of the "Recover" and "Respond" strategies. This would aid the Boards in setting priorities for spending on necessary cyber security measures as well as in thinking of ways to transfer loss forecasts that exceed their risk tolerance.

Given the regulatory development in India, cyber risk insurance should be a critical component of cyber loss recovery and risk transfer strategy of organisations. Cyber risk insurance programmes have shown to enhance the incident response capability of insured organisations through the cyber claims know-how and relevant incident response resources, in addition to indemnifying costs associated with incident response like forensic investigations, data reconstitution, notifications, credit monitoring, and public relations, as well as covering damages legally payable due to data privacy breach, network security liability, and data breach regulatory implications.

WTW is a leading innovator in addressing the changing risk landscape through cyber analytics solutions and services designed to help organisations mitigate the myriad of risks they are facing today. Our holistic approach to cyber risk management consisting of proprietary cyber risk assessment, cyber loss quantification solutions help organisations in understanding their respective exposures through a scientific and analytical approach and enabling informed decisions in matters related to risk management and risk transfer (cyber insurance).