
The Digital Personal Data Protection Act, 2023 (DPDP Act) is the primary legislation that defines rights, obligations, and the penalty framework.
Objective: to govern the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
Protecting Individual Autonomy: granting individuals control over their digital identity.
Enabling Data-Driven Innovation: creating clear rules to foster trust and investment in India's digital economy.
Ensuring Accountability: imposing clear obligations and penalties on the entities that decide how data is processed (Data Fiduciaries).
The Act protects "Personal Data", defined broadly as any data about an individual who is identifiable by or in relation to such data. Section 8(5) of the Act requires Data Fiduciaries to take Reasonable Security Safeguards, detailed in Rule 6 of the DPDP Rules, to prevent personal data breaches that compromise the confidentiality, integrity, or availability of that data.
DPDP Compliance Process Flowchart: Roles & Responsibilities (R&R) Mapping

Stage 1: Collection & Consent
Data Principal (Employee/User) – Gives/withdraws consent via a clear affirmative action (check box/click). Receives the Standalone Notice (Rule 3).
Client (Data Fiduciary/Processor) – Issues the Standalone Notice, detailing purpose and rights. Records the valid consent artifact (timestamp, context, log).
Consulting Partner (Cyberyog) – Develops the Standalone Notice and Consent Management System (CMS) requirements. Trains the HR/Compliance team on valid consent procedures.

Stage 2: Security Safeguards
Data Principal (Employee/User) – Provides accurate and complete data. Is protected by the security safeguards.
Client (Data Fiduciary/Processor) – Implements technical security measures (Rule 6). Ensures all Data Processors (vendors) adhere to Rule 6 via a valid Data Processing Agreement (DPA).
Consulting Partner (Cyberyog) – Conducts Vulnerability Assessments/Penetration Tests. Audits the implementation of encryption, masking, and Role-Based Access Control (RBAC).

Stage 3: Exercise of Rights
Data Principal (Employee/User) – Exercises a right (e.g., requests access to data, correction, or erasure) by contacting the Grievance Officer.
Client (Data Fiduciary/Processor) – Receives the request via the Data Subject Request (DSR) portal/Grievance Officer. Verifies the Data Principal's identity before acting. Executes the action (e.g., corrects the HR record, provides an access report).
Consulting Partner (Cyberyog) – Designs the DSR Request Portal/Workflow. Advises Legal/HR on the legal justification for declining an erasure request (e.g., tax-law retention obligations).

Stage 4: Breach Response
Data Principal (Employee/User) – Is notified in plain language about the breach, its consequences, and mitigation steps.
Client (Data Fiduciary/Processor) – Detects the breach. Notifies the Data Protection Board of India (DPBI) within the mandated time (initial notification without delay, followed by a detailed report, Rule 7). Remediates the vulnerability.
Consulting Partner (Cyberyog) – Drafts the 72-hour Breach Notification Protocol and Go/No-Go decision matrix. Leads the forensic investigation to determine the root cause and extent of the compromise.

Stage 5: Retention & Deletion
Data Principal (Employee/User) – N/A (rights are exercised in Stage 3).
Client (Data Fiduciary/Processor) – Deletes/anonymises data when the purpose is served or the retention period expires (Rule 8). Maintains an auditable Log of Deletion (Rule 6(1)(e)).
Consulting Partner (Cyberyog) – Develops the final Data Retention Schedule linked to statutory/legal requirements. Verifies the integrity of the secure deletion process used by the IT team (e.g., cryptographic erasure, where the per-principal encryption key is destroyed so that every copy of the ciphertext, including backups, becomes unrecoverable).
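The Stage 5 controls (cryptographic erasure and an auditable Log of Deletion) are easy to claim and hard to audit. The following is an added illustration, not code from the original page or from Cyberyog, of what an auditor can actually check: every record of a Data Principal is encrypted under a per-principal data key, erasure destroys that key, the erasure is appended to a hash-chained deletion log, and a verification routine confirms that the retained ciphertext can no longer be opened and that the log has not been altered. Assumptions not in the original: standard library only, so an HMAC-SHA256 keystream with an HMAC tag stands in for AES-GCM, and a Python dict stands in for the KMS/HSM that would hold the keys in production; the principal IDs and records are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream in counter mode: HMAC-SHA256(key, nonce || counter). Demo stand-in for AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32); the tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PrincipalStore:
    """Encrypted records per Data Principal; one data key per principal held in a separate key store."""

    def __init__(self):
        self.keys = {}           # principal_id -> data key (assumed stand-in for a KMS/HSM)
        self.records = {}        # principal_id -> list of encrypted record blobs
        self.deletion_log = []   # hash-chained Log of Deletion

    def put(self, principal_id: str, record: dict) -> None:
        key = self.keys.setdefault(principal_id, os.urandom(32))
        self.records.setdefault(principal_id, []).append(encrypt(key, json.dumps(record).encode()))

    def get(self, principal_id: str) -> list:
        key = self.keys[principal_id]  # KeyError once the key has been erased
        return [json.loads(decrypt(key, blob)) for blob in self.records[principal_id]]

    def erase(self, principal_id: str, reason: str, actor: str) -> dict:
        """Cryptographic erasure: destroy the key; ciphertext left in backups/exports is now useless."""
        key = self.keys.pop(principal_id)
        entry = {
            "principal_id": principal_id,
            "reason": reason,                 # e.g. "purpose served" or "retention period expired"
            "actor": actor,
            "erased_at": int(time.time()),
            "key_fingerprint": hashlib.sha256(key).hexdigest()[:16],  # identifies the key without revealing it
            "records_affected": len(self.records.get(principal_id, [])),
            "prev_hash": self.deletion_log[-1]["entry_hash"] if self.deletion_log else "0" * 64,
        }
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.deletion_log.append(entry)
        del key  # Python cannot guarantee zeroisation; a real KMS would destroy the key material
        return entry

    def is_recoverable(self, principal_id: str) -> bool:
        """Auditor's check: can any retained ciphertext for this principal still be decrypted?"""
        if principal_id not in self.keys:
            return False
        try:
            self.get(principal_id)
            return True
        except (ValueError, KeyError):
            return False

    def verify_deletion_log(self) -> bool:
        """Recompute the hash chain; an edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.deletion_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Constructed sample: two employees, one erased after the retention period expires."""
    store = PrincipalStore()
    store.put("emp-1042", {"name": "A. Example", "pan": "XXXXX1234X"})
    store.put("emp-1042", {"name": "A. Example", "bank": "masked"})
    store.put("emp-2001", {"name": "B. Example"})
    before = store.is_recoverable("emp-1042")
    store.erase("emp-1042", "employment ended; retention period expired", "hr-ops")
    return {
        "before": before,
        "after": store.is_recoverable("emp-1042"),
        "other_intact": store.is_recoverable("emp-2001"),
        "ciphertext_retained": len(store.records["emp-1042"]),
        "log_valid": store.verify_deletion_log(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point an auditor should take from `demo()` is that the ciphertext count for the erased employee stays at two while `is_recoverable` flips to False: cryptographic erasure does not need to locate and overwrite every copy, only to prove the key is gone. The deletion log records a fingerprint of the destroyed key, the actor and the reason, and chains each entry to the previous one, so the retention-schedule review can verify the log rather than trust it.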
Tier 1: Essentials
Best for Startups/Small MSMEs
- Target: < 50 employees, low data volume (B2B).
- Timeline: 3 months implementation.
- Basic Data Inventory & Mapping.
- Standard legal templates (Privacy Policy, Employee Consent).
- Basic Security Checklist (Rule 6).
- 1 online training session for staff.
Tier 2: Pro Compliance
Best for Mid-Sized/Growing Organisations
- Target: 50–500 employees, B2C, or handling sensitive data.
- Timeline: 6 months implementation.
- Everything in Tier 1, plus:
- Vendor Risk Assessment (up to 10 vendors).
- Implementation support: configuring the client's IT/cloud settings for encryption and logging.
- Breach Drill: a mock data breach simulation.
- Consent Manager (CMS) selection and integration advisory.
Tier 3: Enterprise 360
For Significant Data Fiduciaries/Large Corporates
- Target: 500+ employees, high-volume data, Health/Fintech.
- Timeline: 9–12 months implementation.
- Everything in Tier 2, plus:
- Automated DSR Portal setup.
- Periodic Data Protection Impact Assessments (DPIA).
- Board-level reporting and representation.
