
Significant Update India Privacy Laws

Digital Personal Data Protection Act, 2023 (DPDPA)

For Private Circulation Only | Confidential | 1


Disclaimer
This presentation is solely for informational purposes and should not be treated as legal advice.

LegaLogic does not warrant that any content or information contained in this presentation is accurate, correct,
complete or up-to-date, and hereby disclaims any and all liability to any person for any actual or threatened
loss or damage caused by errors or omissions, whether such errors or omissions result from negligence,
accident or otherwise.

LegaLogic assumes no liability for the interpretation and/or use of the content and/or information in this
presentation, nor does it offer any warranty of any kind, either expressed or implied in relation to such content
or information.



Common Questions For Businesses
❖ Does the DPDP apply to my business?
❖ What is the impact of the DPDP on my business?
❖ What is my compliance burden as a business?
❖ If we have already implemented other frameworks (ISO 27001, ISO 27701 or SOC 2), what is my compliance burden?
❖ What are the technical measures or information security measures that may be undertaken to comply with the
DPDP?
❖ How soon should the compliance journey start?
❖ What is the consequence of non-compliance?
❖ What is the impact on regulated entities (BFSI, Telecom)?
❖ What are the implications for India captive units?



What’s Covered
❖ Introducing DPDP
❖ Decoding DPDP
➢ Building Blocks – Digital Personal Data and Processing
➢ Applicability
➢ Stakeholders
➢ Grounds for Processing – Consent and Legitimate use
➢ Compliance Obligations
➢ Rights and Duties for individuals
➢ Data Transfers
➢ Regulatory, Enforcement, Penalties

❖ Practical Challenges
➢ Case Studies
➢ Next Steps/ Takeaways
➢ Sectoral touchpoints
❖ CERT-IN



Balancing Act!

❖ 83 crore Digital Nagriks (digital citizens) today
❖ 120 crore by 2025
❖ 1 trillion-dollar digital economy by 2030
❖ Asymmetrical, harm-based regulation (IT Act)
❖ Inversion Asymmetry – MoS Rajeev C
❖ No incentive for responsible behaviour – it's the law
❖ Enshrines data protection as a RIGHT!



India Data Protection Landscape
CURRENT LAWS
❖ The Information Technology Act, 2000 (IT Act)
❖ The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules 2011)
❖ The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Guidelines 2021)
❖ CERT-In Directions for Incident Reporting

SECTORAL LAWS
❖ Healthcare: National Digital Health Mission – Ayushman Bharat Digital Mission
❖ Telecom: Obligations under the licensing regime
❖ Financial: RBI regulations on data localisation, RBI Digital Lending Guidelines
❖ Insurance: IRDAI regulations for the insurance sector

OTHER LAWS (PATCHWORK)
❖ The Constitution of India – Fundamental Right – "Right to Privacy"
❖ The Aadhaar Act, 2016
❖ The Indian Contract Act, 1872
❖ The Indian Penal Code, 1860 (IPC)

★ Digital Personal Data Protection Act, 2023 (“DPDP”)



The Journey

August 2017 – Puttaswamy v. Union of India: Right to Privacy judgment
July 2018 – Justice B.N. Srikrishna Committee Report; the draft Personal Data Protection Bill, 2018
December 2019 – Personal Data Protection Bill, 2019
December 16, 2021 – Data Protection Bill, 2021 (Joint Parliamentary Committee report)
November 18, 2022 – Digital Personal Data Protection Bill, 2022
August 11, 2023 – Digital Personal Data Protection Act, 2023: passed by Parliament and received Presidential assent



Decoding
The Digital Personal Data
Protection Act, 2023
(“DPDP” or the “ACT”)



Personal Data: Digital
"Personal Data" means any data about an individual who is identifiable by, or in relation to, such data.

EXAMPLES

❖ Contact Information: Name, Address, Phone Numbers, E-mail Address
❖ Employment Data: Job Title, Resume, Employment Records
❖ Financial Data: Bank Account Numbers, Card Numbers
❖ Health and Medical Data: Medical History, Prescriptions, Biometric Data
❖ Online Presence: Social Media Profiles, IP Address, Device ID (IMEI)
❖ Geolocation Data: GPS Coordinates, Location History
❖ Identity Documents: PAN, Aadhaar, Passport, Driving License



Processing of Personal Data
❖ Collection
❖ Recording
❖ Organisation
❖ Structuring
❖ Storage
❖ Adaptation
❖ Retrieval
❖ Use
❖ Alignment or combination
❖ Indexing
❖ Sharing
❖ Disclosure by transmission
❖ Dissemination or otherwise making available
❖ Restriction
❖ Erasure or destruction
❖ Remote Access



Applicability
❖ Type of Data
➢ Personal data processed in digital form, or
➢ Personal data collected in non-digital form and digitised later
❖ Territorial Scope
➢ Processing within the territory of India
➢ Processing outside India in connection with any activity related to offering goods or services to Data Principals in India
❖ Exemptions
➢ Personal or domestic use
➢ Personal data made publicly available by the Data Principal herself, or by any other person who is under a legal obligation to make it public



Illustrations: Exemptions

❖ A person has posted information on social media platforms – LinkedIn profiles
❖ X, an individual, while blogging her views, has publicly made available her personal data on social media
❖ Personal data published on a company website and leadership profiles
❖ Data published on the Ministry of Corporate Affairs portal – directorship data



Stakeholders

❖ Data Principal (the individual to whom the personal data relates)
❖ Data Fiduciary (decides the purpose and means of processing)
❖ Significant Data Fiduciary (notified by the Central Government)
❖ Data Processor (processes on behalf of a Data Fiduciary)
❖ Consent Managers
❖ New Regulator: Data Protection Board of India



Grounds For Processing

Processing of personal data must be for a lawful purpose and based on one of the following grounds:

❖ Consent
❖ Certain legitimate uses (without consent)



Consent
❖ Must be backed by Privacy Notice
❖ Must be free, specific, informed, unconditional, and
unambiguous
❖ Requires a clear affirmative action
❖ Limited for a specific purpose
❖ Clear plain language
❖ Request must offer the option to access it in English or any of the 22 languages in the Eighth Schedule of the Constitution
❖ Right to withdraw consent as easily as it was provided
❖ Consent in violation of law is invalid
❖ Maintain records of consent

★ New concept of consent managers



Privacy Notice Requirements
❖ Consent must be accompanied or preceded by a Notice
❖ Contents of a Notice (Non-exhaustive):
➢ Personal data collected
➢ Specific purpose of collection
➢ Mechanism for withdrawal of consent
➢ Grievance Redressal Mechanism
➢ Data Principal's right to complain to the Data Protection Board of India
➢ Contact details of the Data Protection Officer or other person able to answer questions about processing
❖ English and Multilingual (22 local languages)

★ For Legacy Data – Notice must be refreshed as soon as practicable



Illustrations (Consent)
(Legacy Data) X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.

(Notice + Consent) X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of a bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with a notice to X, describing the personal data and the purpose of its processing.

(Purpose) X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

(Violation of law) X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.



How To Operationalize Consent

❖ Data Mapping
❖ Create holistic privacy notices which serve your business needs
❖ Employ effective consent mechanisms (explore technology solutions)
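An added illustration of how the consent rules above (notice before consent, purpose limitation as in the telemedicine illustration, invalidity of a rights waiver as in the insurance illustration, easy withdrawal, and a retained record of consent) translate into an enforcement check inside an application. This is example code written for this page, not from the LegaLogic deck or any product; the service names, purpose names and the "necessary purposes" catalogue are hypothetical assumptions.

```python
"""Consent ledger: notice-linked, purpose-bound, withdrawable consent records.

Added example (not from the LegaLogic deck). Service and purpose names, and the
catalogue of purposes "necessary" for each service, are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical catalogue: the purposes actually necessary to deliver each service.
NECESSARY_PURPOSES: Dict[str, Set[str]] = {
    "telemedicine_app": {"telemedicine_services"},
    "insurance_app": {"policy_issuance"},
}
# Purposes a Data Principal cannot validly consent to: they waive a statutory right.
UNLAWFUL_PURPOSES: Set[str] = {"waive_right_to_complain"}


def _t(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2024-01-01T00:00:00+00:00'."""
    return datetime.fromisoformat(iso)


@dataclass
class ConsentRecord:
    principal_id: str
    service: str
    purposes: FrozenSet[str]
    notice_id: str            # the notice that accompanied or preceded the consent
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record_consent(self, principal_id: str, service: str, requested: Set[str],
                       notice_id: str, at_iso: str) -> Tuple[FrozenSet[str], Set[str]]:
        """Store consent narrowed to lawful and necessary purposes.

        Returns (effective_purposes, rejected_purposes). Rejected purposes are kept
        out of the record instead of being silently accepted and used later."""
        if not notice_id:
            raise ValueError("consent must be accompanied or preceded by a notice")
        necessary = NECESSARY_PURPOSES.get(service, set())
        rejected = {p for p in requested if p in UNLAWFUL_PURPOSES or p not in necessary}
        effective = frozenset(requested) - rejected
        if effective:
            self.records.append(ConsentRecord(principal_id, service, effective, notice_id, _t(at_iso)))
        return effective, rejected

    def withdraw(self, principal_id: str, service: str, at_iso: str) -> int:
        """One unconditional call ends every active consent for the service."""
        at, closed = _t(at_iso), 0
        for r in self.records:
            if r.principal_id == principal_id and r.service == service and r.active(at):
                r.withdrawn_at = at
                closed += 1
        return closed

    def may_process(self, principal_id: str, service: str, purpose: str, at_iso: str) -> bool:
        """Gate each processing step on an active consent that covers that purpose."""
        at = _t(at_iso)
        return any(r.principal_id == principal_id and r.service == service
                   and purpose in r.purposes and r.active(at) for r in self.records)

    def audit_trail(self, principal_id: str) -> List[dict]:
        """The record of consent a Data Fiduciary must be able to produce on request."""
        return [{"service": r.service, "purposes": sorted(r.purposes), "notice": r.notice_id,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self.records if r.principal_id == principal_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(ledger.record_consent("X", "telemedicine_app",
                                {"telemedicine_services", "contact_list_access"},
                                "notice-v1", "2024-01-01T00:00:00+00:00"))
    ledger.withdraw("X", "telemedicine_app", "2024-02-01T00:00:00+00:00")
    print(ledger.audit_trail("X"))
```

The design point is that the application never consults a raw "consented: yes/no" flag: every processing path asks `may_process` for a named purpose at a point in time, so withdrawal takes effect immediately, historical processing stays justifiable from the trail, and purposes the notice did not make necessary (the contact list in the telemedicine illustration) are never recorded as consented in the first place.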



Legitimate Uses
1. Personal data voluntarily provided by the Data Principal for a specified purpose
2. Government subsidies, benefits, services, certificates, licences and permits
3. Performance of any function under law by the State
4. Disclosures to government as required by law
5. Compliance with judicial proceedings
6. Medical emergencies
7. Health services during an epidemic, outbreak or other threat to public health
8. Assistance during disaster
9. Purposes of employment and safeguarding the employer from loss or liability

August 2023 Private and Confidential - LegaLogic


Illustrations: Legitimate Uses

(Voluntary provision) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.



Compliance Obligations For Data Fiduciaries

❖ Lawful purpose
❖ Notice and consent
❖ Consent withdrawal
❖ Completeness, accuracy and consistency of personal data
❖ Data retention and erasure
❖ Grievance redressal
❖ Technical and organisational measures
❖ Prevention of personal data breaches
❖ Reasonable security safeguards
❖ Valid contracts with Data Processors
❖ Published point-of-contact details
❖ Data breach notification

★ General violations or non-compliances – penalty up to INR 50 crore
★ Violations related to breach notification – penalty up to INR 200 crore
★ Violations related to reasonable security safeguards to prevent a personal data breach – penalty up to INR 250 crore



Additional Compliances for Children’s Data

❖ Obtain verifiable consent from the parent or lawful guardian (also applicable to persons with disability who have a lawful guardian)
❖ Restrict processing likely to cause detrimental effect
❖ No tracking or behavioral monitoring
❖ Targeted advertising directed at children is not allowed

★ Individuals below the age of 18 = Children


★ Non-Compliance for Children’s Data - Penalty up to INR 200 crore



Additional Compliances for Significant Data Fiduciary

❖ Criteria for classification:
➢ Volume and sensitivity of personal data
➢ Risk to the rights of Data Principals
➢ Potential impact on the sovereignty and integrity of India
➢ Risk to electoral democracy
➢ Security of the State
➢ Public order
❖ Additional obligations:
➢ Appoint a Data Protection Officer
➢ Appoint an Independent Data Auditor
➢ Conduct periodic audits
➢ Conduct a "Data Protection Impact Assessment"

★ Non-Compliance by Significant Data Fiduciary - Penalty up to INR 150 crore



Rights of Data Principal

Rights:
❖ Right to access information about personal data
❖ Right to correction and erasure of personal data
❖ Right of grievance redressal
❖ Right to nominate

Businesses will be required to:
❖ Create a procedure to cater to each right
❖ Meet the timelines* 
❖ Ensure a minimal and measured response
❖ Automate for high volumes of requests

*(to be notified)



Duties of Data Principal
❖ Not to impersonate another person
❖ Not to suppress any material information for issuance
of documents by Government
❖ Not register a false or frivolous grievance or
complaint
❖ Furnish only such information as is verifiably
authentic

★ Non compliance with Duties of Data Principal - Penalty up to INR 10,000



Transfer of Personal Data Outside India

❖ Data transfers allowed outside India
❖ Central Government to notify the restricted territories
❖ Expected: Details and modalities of the transfers will be
added to the law via rules
❖ Sectoral Data Localisation Requirements still apply:
➢ RBI (Transactions Data, Digital Lending)
➢ Telecom Data Localisation (User Information)
➢ Insurance Data (Records of Insurance Policies and
Claims)
➢ Aadhaar Data (Aadhaar verification and storage)



Regulatory and Enforcement
❖ Data Protection Board of India
➢ Digital Office
➢ Chief Executive will be appointed by the Central Government
➢ Wide powers to investigate various issues
➢ Determine non-compliance and impose penalties
❖ Financial Penalty
➢ Nature, gravity, duration of breach
➢ Type and nature of personal data
➢ Repetitive nature
➢ Mitigation efforts taken
➢ Proportionate and effective
❖ Voluntary Undertaking
❖ Alternate Dispute Resolution



Financial Penalty
1. Failure of the Data Fiduciary to take reasonable security safeguards to prevent a personal data breach – penalty up to INR 250 crore
2. Failure to notify the Board and affected Data Principals of a personal data breach – penalty up to INR 200 crore
3. Non-compliance with the additional obligations for children's data – penalty up to INR 200 crore
4. Non-compliance with the additional obligations of a Significant Data Fiduciary – penalty up to INR 150 crore
5. Non-compliance with the duties of a Data Principal – penalty up to INR 10,000
6. Any other provision of the Act or the rules made under it – penalty up to INR 50 crore



Practical Challenges

❖ Data Breach Incidents


❖ Contracts and Aggressive Customer Requirements
❖ Updating Existing Documents
❖ Updating Vendor Management
❖ Updating Customer Contracts
❖ Responding to Data Subject Requests
❖ Maintain and Demonstrate Compliance
❖ Data Retention and Managing Legacy Data



Case Study: Individual Complaints

1. Mass email promotions
2. Individual reacts with the right to access information
3. Asks questions on the grounds for processing
4. Asks for consent, proof of consent and the specific purpose
5. Requests withdrawal of consent
6. Demands settlement and threatens action
7. Complaint with the Data Protection Board of India



Case Study: Recruitment
❖ Candidate or Applicants through various channels
➢ Website
➢ Recruitment Agency
➢ Jobs Platforms
➢ Social Media
➢ Mass Hiring
➢ WhatsApp, Emails
❖ Key Issues
➢ Excessive Data Collection
➢ Consent vs. Legitimate Use
➢ Consent Mechanism
➢ Data Retention
➢ Individual Consultants
➢ Recruitment – Vendor’s Risk Management
Case Study: Employees
❖ Scenario 1: Employee Monitoring Tools
➢ Simple employee engagement tools
➢ Biometric Data
➢ CCTV surveillance
➢ Intrusive applications for screen recording and system monitoring
➢ Wellbeing and productivity monitoring tools
➢ Investigation of wrongdoings
❖ Scenario 2: Employee Data Breach or Data Leak
➢ Prevention measures
➢ Whether to report to regulator?
➢ Technical and security measures
➢ Robust SOPs and employee documentation



Case Study: B2B
Service Recipient / Service Provider

❖ Only contractual remedies are available against Data Processors (Service Providers)
❖ Risk for data privacy violations ranges from INR 50 Cr. to INR 500 Cr. (multiple violations)
❖ Contractual clauses of importance:
➢ Indemnity
➢ Liability caps and carve-outs
➢ Data breach related clauses



Case Study: B2B

Data breach and violation of DPDP attributable to a vendor (Data Processor):

❖ Compromise of your employee data – individuals file complaints
❖ Compromise of end customer data held by processors – end customers invoke breach of contract
❖ End customers claim various costs related to breach mitigation

★ Who notifies the regulator and impacted individuals?


★ Can the Vendor be held accountable?



Practical Takeaways for Compliance
❖ Assessing preparedness
❖ Privacy framework
➢ Data Mapping and ROPA
➢ Privacy Notice and Consent Management
➢ Organisational Compliance Policy
➢ Data Subject Rights and SOPs
➢ Data Breach Management and Reporting SOPs
➢ Data Retention Policy
➢ Vendor Management- Data Processing Agreements
➢ Employee Privacy Policy and HR processes
➢ Privacy Training
➢ DPIA
❖ Recurring process
➢ Periodic audit and remediation
➢ Employee Awareness and Training
❖ Data security and measures to prevent data breach



Touchpoints for IT – ITES
❖ Evaluation of Existing Data Security and Privacy practices – Updating all existing
documents and SOPs
❖ Documented processes and policies
❖ Appointment of compliance process owners
❖ Employee privacy processes
❖ Using certifications and audits as demonstrable proof of compliance
❖ Vendor Management and Standard Data Processing Agreements
❖ Identifying risks associated with Customer accounts and checking data processing
agreements
❖ Data Breach Mitigation and Reporting preparedness
❖ Cyber insurance
❖ Training and Awareness
❖ Recurring process



Touchpoints for SaaS/Product
❖ Privacy by design for products and software
➢ Inbuilt consent and notice
➢ Mechanism to ensure privacy principles
➢ Easy consent withdrawal mechanism
➢ UI/UX designs to enable privacy
❖ Risk assessment based on type of SaaS and Product
➢ What is the nature of the personal data processed?
➢ Whose data is collected?
➢ Which sectors are involved? (BFSI, Telecom, Healthcare, etc.)
❖ Robust security measures and using audits/certifications as way of demonstrable
compliance
❖ Risk assessment for data breach scenarios
❖ Product specific security measures



Touchpoints for HR
❖ Extent and scope of exemption for consent
❖ Privacy for Applicants/ Candidates
❖ Documents and Information collected (BVG, Health Checks, Insurance, Surveillance)
❖ HR specific privacy processes
❖ Vendor Management (Payroll, HR Management Systems, Recruiters, Staffing , Job
portals)
❖ Data Retention schedules
❖ Managing employee grievances
❖ Precautions for employee violations (data theft or data breach)



Touchpoints for IT/ISMS Teams
❖ Identifying dedicated process owners
❖ Adequate Security Measures
❖ Standards/ Certification vs. Compliance with the DPDP
❖ Data Breach Scenarios – Step by Step evaluation on risk and high penalties
❖ Formal Documentation and SOPs
❖ Operationalising Privacy
❖ Evaluating need for Technology Tools
❖ Data Retention
❖ Vendor Management
❖ Managing a Privacy Compliance Framework



Touchpoints for E-Commerce
❖ Updating privacy documents external and internal
❖ Validating consent/purpose vs. actual use of collected data
❖ Creating SOPs and dedicated interface for Data Principal rights
❖ Holistic Compliance Programme
❖ Dedicated process owners
❖ Evaluating customer interfaces (Sign up, consumer interactions and history, payments,
customer support)



Touchpoints for Education Sector
❖ Holistic compliance with DPDP Act requirements for children's data
❖ Adopting verifiable parental/guardian consent
❖ Evaluating prohibited activities for children's data
❖ Age determination mechanisms
❖ Key touchpoints:
➢ Advertising
➢ Enrolment process
➢ Student documentation
➢ Student profile and records
➢ E-learning
❖ Data Security as a pre-requisite



Touchpoints for Gaming
❖ Holistic compliance with DPDP Act
❖ Adopting verifiable parental/guardian consent
❖ Evaluating prohibited activities for Children’s personal data
❖ Age determination mechanisms
❖ Evaluating UI/UX for privacy by design
❖ Consent Management



Touchpoints for BFSI
❖ Sectoral Regulations for Data Protection and Privacy
❖ Identifying data localisation requirements
❖ Cyber security and outsourcing guidelines under SEBI, RBI, IRDAI
❖ Vendor Management
❖ Restrictions on data sharing and usage with non-regulated entities (FinTech)
❖ Integrating DPDP compliances under existing compliance
❖ Evaluating risk and consequences of non-compliance (Data Breach Scenarios)
❖ Breach Notification for multiple entities
➢ Regulator
➢ CERT-In
➢ Data Protection Board of India
➢ Affected individuals
➢ Customers and Partner (if applicable)
❖ Extensive certification and auditing requirements (SOC, ISO, PCI -DSS)



Touchpoints for Auto
❖ Holistic DPDP Compliance
❖ Mapping and Quantifying Personal Data
❖ Customer Data (Ownership, vehicle registration, warranties)
❖ Connected Vehicles which share data with OEMs
❖ Third party integration for Vehicle tracking (IoT devices with SaaS platform)
❖ Mobile Applications for smart vehicles
❖ Implications for GPS, locational data and Geospatial Data
❖ Compliances for Significant Data Fiduciaries



Touchpoints for Partners Discussion
❖ Information Security as a baseline for privacy
❖ Tools and Technology solutions for privacy management
❖ Dedicated fines for lack of security measures and data breaches
❖ Exploring joint GTMs



CERT-In Directions 2022
Cyber Security Incident
Reporting



CERT-In Directions
❖ 6-hour cyber security incident reporting timeframe, counted from noticing the incident + exhaustive list of reportable cyber incidents
❖ PoC appointment – before June 28, 2022
❖ Cyber security incident reporting format prescribed by CERT-In
❖ Maintenance of ICT logs for 180 days on a rolling basis + logs to be kept within Indian jurisdiction
❖ Synchronisation of ICT system clocks with NIC or NPL time servers
❖ Additional compliance for the crypto/virtual asset industry and for data centres, VPS, cloud service and VPN providers

★ Applicable to all body corporates and foreign entities with an India nexus
★ Enforcement since June 28, 2022
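An added example of how two of these obligations, the 180-day rolling log window held within India and the 6-hour reporting clock, become checks an ISMS team can run against its own log inventory. This is illustrative code written for this page, not from the LegaLogic deck or from CERT-In; the log-segment index format, the "IN"/"SG" storage-location codes and the sample entries are constructed assumptions.

```python
"""Retention-window coverage and 6-hour reporting deadline checks for the
CERT-In Directions (April 2022).

Added example, not from the LegaLogic deck. The log-segment index format and
the sample entries are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

RETENTION_DAYS = 180
REPORT_WINDOW = timedelta(hours=6)

# (start, end, storage location) of each retained log segment; ISO-8601 with offset.
LogSegment = Tuple[str, str, str]

# Constructed sample index: the March 1-10 segment is held in Singapore ("SG").
SAMPLE_SEGMENTS: List[LogSegment] = [
    ("2023-12-01T00:00:00+00:00", "2024-03-01T00:00:00+00:00", "IN"),
    ("2024-03-01T00:00:00+00:00", "2024-03-10T00:00:00+00:00", "SG"),
    ("2024-03-10T00:00:00+00:00", "2024-07-01T00:00:00+00:00", "IN"),
]
SAMPLE_NOW = "2024-07-01T00:00:00+00:00"


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


def retention_gaps(segments: List[LogSegment], now_iso: str, days: int = RETENTION_DAYS):
    """Return (gaps, offshore).

    gaps: (start, end) ISO pairs inside the last `days` days that no India-held
    segment covers. offshore: segments stored outside India; they are excluded
    from coverage because the Directions require logs to be kept within Indian
    jurisdiction, so a copy abroad does not satisfy the obligation."""
    now = _t(now_iso)
    window_start = now - timedelta(days=days)
    domestic: List[Tuple[datetime, datetime]] = []
    offshore: List[LogSegment] = []
    for start, end, location in segments:
        if location != "IN":
            offshore.append((start, end, location))
            continue
        s, e = max(_t(start), window_start), min(_t(end), now)  # clip to the window
        if s < e:
            domestic.append((s, e))
    domestic.sort()
    gaps: List[Tuple[str, str]] = []
    cursor = window_start
    for s, e in domestic:
        if s > cursor:                       # nothing covers cursor..s
            gaps.append((cursor.isoformat(), s.isoformat()))
        cursor = max(cursor, e)
    if cursor < now:                         # window not covered up to "now"
        gaps.append((cursor.isoformat(), now.isoformat()))
    return gaps, offshore


def report_deadline(noticed_iso: str) -> str:
    """Latest time the incident report may reach CERT-In, in the notice's own offset."""
    return (_t(noticed_iso) + REPORT_WINDOW).isoformat()


def reported_in_time(noticed_iso: str, reported_iso: str) -> bool:
    """Offset-aware comparison, so IST and UTC timestamps can be mixed safely."""
    return _t(reported_iso) <= _t(noticed_iso) + REPORT_WINDOW


if __name__ == "__main__":
    gaps, offshore = retention_gaps(SAMPLE_SEGMENTS, SAMPLE_NOW)
    print("coverage gaps:", gaps)
    print("segments held outside India:", offshore)
    print("report by:", report_deadline("2024-06-30T22:15:00+05:30"))
```

Run against the sample index this reports a nine-day hole in March even though a segment for those dates exists, because that segment lives outside India; the same routine can be pointed at a real index exported from a SIEM or object store. Clock synchronisation with NIC/NPL is what makes the timestamps in such an index trustworthy in the first place.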
Reportable Cyber Security Incidents



Any Questions?



Unit 3A, Level 3, PV House, 55, Damle
Road, Off Law College Road, Pune,
411004 Maharashtra, India

www.legalogic.com connectus@legalogic.com

