Data Privacy Newsletter – Rules Under The New Data Protection Law In India : Jan 2024

Introduction

 
According to a recent media report, the Ministry of Electronics and Information Technology
(MeitY) convened a consultation meeting in December last year to discuss the unveiling of the
draft Rules under the Digital Personal Data Protection Act 2023 (“DPDPA”). The report further
states that the Government of India plans to give industry stakeholders a week to provide their
feedback and subsequently to notify the Rules by the end of January this year.
 

The Anticipated Rules May Provide Clarity On The Below Aspects

 
1. Sensitive Personal Data: The definition of Personal Data under the DPDPA is broad and
does not distinguish sensitive personal data. This distinction is particularly significant, as
sensitive personal data typically requires additional safeguards and protection measures.
 
2. Consent And Consent Managers: The manner in which informed consent may be obtained
from a data principal and the appointment, role and functioning of a consent manager.
 
3. Complaint To The Data Protection Board: The method by which a data principal may
lodge a complaint with the Data Protection Board of India.
 
4. Exercise Of Rights: Specific nuances on how a data principal may exercise their rights with
regard to the processing of their personal data.
 
5. Security Measures: The minimum standard for implementing technical and organisational
measures to protect personal data.
 
6. Data Breach Notification: A procedure for a Data Fiduciary to notify the Data Protection
Board of India and the data principal, in the event of a personal data breach.
 
7. Children’s Personal Data: The specifications related to processing the personal data of a
child or a disabled person.
 
8. Significant Data Fiduciary: Clarification on the Data Fiduciary or class of Data Fiduciaries
which may fall into the category of a Significant Data Fiduciary.
 

DPDPA Compliance

 
With the enactment of the DPDPA, the major obligations of an organization (i.e. a data fiduciary)
have been identified. It is now imperative that an organization not delay its journey towards
compliance with the DPDPA. As an initial step, an organisation must adopt suitable
organization-level processes and practices. While the Rules associated with the DPDPA may not
substantially change the obligations under the DPDPA, they are expected to offer enhanced clarity
and specific modifications to the current provisions.
 
The next steps for organizations could be…

A Privacy Impact Assessment

 
It is recommended that organisations conduct a comprehensive Privacy Impact Assessment to
evaluate their current practices against the requirements of the DPDPA. A Privacy Impact
Assessment will help an organization to have clear visibility on the flow of personal data at the
organization, data handling practices, vendor management practices and the level of privacy
awareness among stakeholders at the organization.
 
Uncertain about your privacy practices? You may reach out to us for more information about a
Privacy Impact Assessment.
