India's Digital Personal Data Protection (DPDP) Act is a ground-breaking legislation that balances the rights of individuals to protect their personal data with the necessity of processing such data for lawful purposes. The Act imposes obligations on Data Fiduciaries, those processing data, and outlines the rights and duties of Data Principals, individuals to whom the data pertains. It also introduces financial penalties for breaches.
The DPDP Act is guided by seven key principles, including consent, purpose limitation, data minimisation, data accuracy, storage limitation, security safeguards, and accountability. The Act significantly impacts organisations, both domestic and international, that collect, process or store personal data of individuals in India. Here’s a summary of key impacts on organisations:
- Purpose Limitation: Organisations must collect and process personal data only for specified, explicit, and legitimate purposes and must not further process the data in a manner that is incompatible with those purposes.
- Data Minimisation: Organisations must collect and process only the personal data that is necessary for the specified purpose and must not collect or process excessive amounts of data.
- Storage Limitation: Organisations must not store personal data for longer than necessary for the specified purpose or as required by law.
- Security Safeguards and Accountability: Organisations must be able to demonstrate compliance with the Act and must implement appropriate measures to protect personal data from unauthorised access, use, disclosure, alteration, or destruction.
- Consent: Organisations must obtain explicit consent from individuals before collecting, processing, or using their personal data, except in certain limited circumstances.
- Transparency: Organisations must provide individuals with clear and transparent information about how their personal data is being collected, processed, and used.
Complete the form to download this free guide.