India has officially ushered in a new era of digital governance with the notification of rules under the Digital Personal Data Protection Act (DPDP Act) of 2023. While businesses have an 18-month transition period before the law is fully enforced, the countdown has begun, and many organizations are scrambling to assess their readiness.
A Straightforward Path to Compliance
Contrary to widespread apprehension, complying with the DPDP Act is a manageable process. The legislation has a clear, singular focus: regulating the processing of digital personal data. It mandates that any entity handling such data must ensure it is always processed on legitimate grounds. Legal expert Rahul Matthan, a partner at Trilegal, suggests a pragmatic three-step audit to demystify the compliance journey for businesses.
Step 1: Take Stock of Personal Data
The first step for any company is to conduct a comprehensive inventory of the personal data it currently collects. Since most organizations, regardless of size, use software systems for data management, this task is simpler than it seems. Businesses need to list all data fields within their database management systems and identify which ones contain personally identifiable information. This exercise provides a complete picture of all digital personal data being collected.
Step 2: Map Data Usage Purposes
The second step involves determining the specific purposes for which the collected personal data is used. This can be more complex in large corporations with interconnected technology systems where data collected in one department might be utilized in another. Despite the challenge, it is essential to track every usage instance. By the end of this step, data fiduciaries should have a detailed list correlating each data item from Step 1 with all its corresponding uses.
Step 3: Establish Legitimate Grounds
The final and most critical step is to ensure a legitimate basis exists for each data processing activity identified. Companies must verify that they either have the consent of the data principal (the individual to whom the data belongs) or that the processing falls under the permitted legitimate uses specified in Section 7 of the DPDP Act, or is covered by specific exceptions under Section 17. If no such legal ground exists, businesses must either obtain fresh consent or cease that particular data processing activity before the law comes into full force.
Practical Implementation and Next Steps
Much of this three-step audit can be executed by internal IT teams, who are already familiar with the design and architecture of the company's data systems. The process also helps uncover other compliance details, such as data retention periods, as the DPDP Act requires that personal data not be retained beyond the fulfillment of its specified purpose.
Many companies may discover that their broadly worded privacy policies have already secured consent for a majority of their data uses. However, challenges will arise where data is used for new, uncontemplated purposes, or where consent records are missing—a common issue with data acquired from brokers or due to poorly maintained systems. In such cases, obtaining fresh consent or deleting the data are the only viable options.
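The three-step audit and the missing-consent case above, modelled as an added illustration that is not the article's or Trilegal's own tooling: a small gap check that joins the field inventory (Step 1) to the purpose map (Step 2) and to the recorded legal basis per activity (Step 3). Every field name, purpose and basis record here is constructed, and the basis labels are placeholders for the Act's consent, Section 7 and Section 17 routes.

```python
# Added example, not from the article. All data below is constructed.

# Step 1: inventory of database fields, flagged as PII or not.
INVENTORY = {
    "customers.email": True,
    "customers.phone": True,
    "customers.fax": True,    # PII still stored, but used for nothing
    "orders.total": False,
    "leads.email": True,      # acquired from a broker, no consent record
}

# Step 2: every purpose each PII field is actually used for.
USAGE = {
    "customers.email": ["order_confirmation", "marketing_newsletter"],
    "customers.phone": ["delivery_contact"],
    "leads.email": ["marketing_newsletter"],
}

# Step 3: recorded legal basis per (field, purpose). Labels are placeholders
# for consent of the data principal, a Section 7 legitimate use, or a
# Section 17 exemption. A missing entry means no basis is on record.
LEGAL_BASIS = {
    ("customers.email", "order_confirmation"): "consent",
    ("customers.email", "marketing_newsletter"): "consent",
    ("customers.phone", "delivery_contact"): "section_7",
}

VALID_BASES = {"consent", "section_7", "section_17"}


def audit(inventory, usage, legal_basis):
    """Return the two gap lists the audit is meant to surface:
    processing activities with no recorded legal basis (obtain fresh
    consent or stop processing), and PII fields retained without any
    purpose (retention beyond purpose, so delete)."""
    no_basis, retained_without_purpose = [], []
    for fld, is_pii in inventory.items():
        if not is_pii:
            continue                      # non-PII fields are out of scope
        purposes = usage.get(fld, [])
        if not purposes:
            retained_without_purpose.append(fld)
        for purpose in purposes:
            if legal_basis.get((fld, purpose)) not in VALID_BASES:
                no_basis.append((fld, purpose))
    return {"no_legal_basis": no_basis,
            "pii_without_purpose": retained_without_purpose}


if __name__ == "__main__":
    for kind, items in audit(INVENTORY, USAGE, LEGAL_BASIS).items():
        print(kind, items)
```

Running it flags the broker-sourced lead email used for marketing with no basis on record, and the fax field kept with no purpose at all.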
This straightforward self-assessment empowers businesses to understand their compliance status clearly. With this knowledge, they can strategically engage data protection specialists to address gaps and implement the necessary systems. With the 18-month grace period now active, businesses have no excuse for further delay in aligning their operations with India's new data protection framework.