DPDP Act 2023 (Digital Personal Data Protection Act)
The Digital Personal Data Protection Act (DPDP Act) 2023 is India's first comprehensive law governing the collection, storage, and processing of personal data, replacing the erstwhile Information Technology Act (2000) provisions related to data privacy. It empowers individuals with rights over their data while imposing strict obligations on businesses and government entities handling such data.
Understanding DPDP Act 2023 (Digital Personal Data Protection)
Enacted on August 11, 2023, the DPDP Act 2023 introduces a rights-based framework for data protection, where individuals (termed 'data principals') have the right to access, correct, or erase their personal data held by entities (termed 'data fiduciaries'). The Act applies to the processing of digital personal data within India, as well as cross-border data flows, with certain exemptions for government agencies in the interest of sovereignty and public order.
Key obligations under the Act include obtaining explicit consent for data collection, maintaining data security, reporting data breaches within 72 hours, and appointing a Data Protection Officer (DPO) for entities processing large volumes of data. The Act also introduces penalties for non-compliance, ranging from ₹5 crore to ₹250 crore, depending on the severity of the violation. For instance, failure to report a data breach could attract a fine of up to ₹250 crore.
The Act exempts certain entities, such as startups and small businesses, from strict compliance if they process data in a 'trivial' manner. However, entities handling sensitive personal data—such as financial information, health records, or biometric data—face stricter scrutiny. The Act also empowers the Data Protection Board of India (DPB) to investigate complaints and impose penalties.
For retail investors and taxpayers, the Act has significant implications for financial services, including banks, mutual funds, and insurance companies. These entities must now ensure that customer data is processed transparently and securely, with clear consent mechanisms. The Act also impacts digital lending platforms, fintech companies, and tax filing portals, which must comply with data minimization principles and provide data portability options.
Why it matters
The DPDP Act 2023 matters for Indian investors, borrowers, and taxpayers because it enhances data privacy rights, reduces the risk of data breaches, and ensures that financial institutions handle personal data responsibly. This builds trust in digital financial services, protects against identity theft, and aligns India with global data protection standards like the EU's GDPR.
Example
Suppose a mutual fund house in Mumbai collects ₹10 lakh worth of personal data from 10,000 investors for KYC purposes. Under the DPDP Act, if the fund house fails to report a data breach within 72 hours, it could face a penalty of up to ₹250 crore. Additionally, if an investor requests the deletion of their data, the fund house must comply within a reasonable timeframe or face a penalty of up to ₹5 crore.
Rohan, a 30-year-old software engineer in Pune, uses a digital wealth management app to invest in mutual funds. One day, he receives a notification that his personal data—including PAN, Aadhaar, and bank details—was exposed in a data breach. Under the DPDP Act, Rohan can now file a complaint with the Data Protection Board of India (DPB) and demand compensation for the breach. The app must also notify him within 72 hours of the breach and take steps to secure his data.
How to use it
For investors, the DPDP Act 2023 means financial institutions must now provide clear consent forms, data portability options, and easy access to personal data. Always review the privacy policy of your brokerage, bank, or mutual fund before sharing sensitive information. If you suspect a data breach, report it immediately to the Data Protection Board of India (DPB) and your financial institution.
For businesses, compliance with the DPDP Act involves appointing a Data Protection Officer (DPO), implementing data security measures, and ensuring transparent data processing. Regular audits and employee training on data protection are also essential to avoid hefty penalties.
Common mistakes
- Assuming verbal consent is sufficient for data collection
- Ignoring data breach notification timelines (72 hours)
- Storing personal data without encryption or security measures
- Not providing data portability options to customers
- Misclassifying small businesses as exempt from strict compliance