A 3-Step DPDP Compliance Guide

Now that we know the DPDP Act, 2023 will come into force in just under 18 months, data fiduciaries have begun to panic, worried that they have left it too late. For all the procrastinators out there, here is an easy 3-step guide to assessing where you currently stand.
This article first appeared in the Mint.
Although we have known since 2023 that India’s Digital Personal Data Protection Act of 2023 (DPDP Act) would come into effect sooner or later, most businesses put off taking action until the Rules were notified. Last week, the Ministry of Electronics and Information Technology brought the DPDP Act into force, marking the beginning of a new chapter in India’s digital governance history. Although data fiduciaries have been given a fairly generous 18-month transition period before the entire law comes into force, now that the clock has started ticking, everyone is worried that they may not have enough time to comply.
The DPDP Act is a relatively straightforward piece of legislation designed to do one thing and one thing only: regulate the processing of digital personal data. It goes about doing this by requiring that anyone who ‘processes’ personal data must make sure it is always done on legitimate grounds.
So, what does a business have to do to determine whether its current operations are in compliance with the obligations under the DPDP Act? To all my clients who ask me this question, I recommend a simple three-step process to quickly assess the full magnitude of their compliance burden and identify the steps they could take to address any shortcomings.
The 3-Step Process
Step 1 is to take stock of the personal data the business currently collects. Most companies (big and small) use software systems to collect, process and store information. As a result, all they must do to answer this question is make a list of all the data fields in their database management systems and what each field contains. With this information in hand, all the company needs to do is identify which of those data fields contain personally identifiable information—and they will get a complete list of all the digital personal data that is being collected as part of their operations.
Step 2 is determining the purposes for which that personal data is being used by the company. This is a bit more challenging, given that large corporations often have complex, deeply interconnected technology systems that collect data in one place and utilize it elsewhere. Tracking down every last way in which a given piece of personal data is used may seem daunting, but it is essential.
At the end of Step 2, data fiduciaries should have a list of all the different ways in which each item of personal data identified in Step 1 is being used. Now all the company needs to do is ensure that there is a legitimate basis for using the personal data listed in Step 1 for each purpose listed in Step 2.
This means that Step 3, the final step, is about ensuring that the company either has the consent of the person to whom the data pertains (the ‘data principal’) for processing that personal data, or is permitted to carry out such processing without consent because it is either one of the permitted legitimate uses under Section 7 of the DPDP Act or is covered by a specific exception under Section 17. If no such ground exists for data processing, the company doing it must either obtain the consent of data principals to continue its processing or cease processing that category of personal data in that manner before the law comes into force.
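The three steps above, written out as a gap check a company's IT team could run over its own inventory. This is an added example, not code from the article: the field names, purposes and basis labels are constructed, and the labels only record which ground (consent, a Section 7 legitimate use, or a Section 17 exception) is claimed for each use.

```python
# Constructed example of the three-step self-assessment as a gap check
# (added here; not the article's code). Field names, purposes and basis
# labels are made up; a basis label only tags which ground is claimed.

# Step 1: inventory of data fields, True where the field holds personal data.
FIELDS = {
    "customers.email": True,
    "customers.phone": True,
    "orders.total_inr": False,
    "leads.email": True,          # acquired from a data broker, no consent record
    "profiles.age": True,         # collected, but no use mapped yet
}

# Step 2: every (field, purpose) pair the systems actually use.
USES = [
    ("customers.email", "order_confirmation"),
    ("customers.email", "marketing_newsletter"),
    ("customers.phone", "delivery_updates"),
    ("leads.email", "marketing_campaign"),
]

# Step 3: recorded ground per use. A missing entry means no ground is on record.
VALID_BASES = {"consent", "s7_legitimate_use", "s17_exemption"}
BASIS = {
    ("customers.email", "order_confirmation"): "consent",
    ("customers.phone", "delivery_updates"): "consent",
}

def find_gaps(fields, uses, basis):
    """Uses of personal data with no recorded ground: seek fresh consent or stop."""
    gaps = []
    for fld, purpose in uses:
        if not fields.get(fld, True):       # unclassified fields count as personal
            continue
        if basis.get((fld, purpose)) not in VALID_BASES:
            gaps.append((fld, purpose))
    return gaps

def unmapped_fields(fields, uses):
    """Personal data collected with no purpose mapped in Step 2; with no
    purpose left to serve, continued retention is itself the question."""
    used = {fld for fld, _ in uses}
    return sorted(f for f, personal in fields.items() if personal and f not in used)

if __name__ == "__main__":
    for fld, purpose in find_gaps(FIELDS, USES, BASIS):
        print(f"no basis recorded: {fld} -> {purpose}")
    for fld in unmapped_fields(FIELDS, USES):
        print(f"no purpose mapped: {fld}")
```

Each gap is a (field, purpose) pair that needs either a recorded ground or to be stopped before the transition period ends; unmapped fields are where the inventory from Step 1 has outrun the purpose mapping of Step 2.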
Much of the analysis required for this three-step process can be carried out by internal IT teams, which already maintain these systems and will thus be familiar with their design and architecture.
Other Details Downstream
There are also other details that companies need to understand in order to assess the extent of their compliance—such as the duration for which personal data is being retained, since the DPDP Act requires that it not be retained after the specified purpose has been served—but most of this information can be derived from what has been gathered through the process described above.
Most data fiduciaries that conduct this exercise will probably realize exactly how well (or not) their operations are aligned with the requirements of the new law. Given the broad and open-ended way in which privacy policies are typically worded, it is possible that the consent already obtained may have been stated in terms so broad that it covers the vast majority of uses.
That said, there could just as easily be situations where personal data is being put to new uses that were not even contemplated at the time consent was obtained. In other instances, companies may not have a record of having sought consent—either because the personal data in question was acquired from a data broker (as sales teams are wont to do whenever they have to initiate a new marketing campaign), or on account of poorly designed systems that have either misplaced or deleted this information. In all such instances, data fiduciaries will have no option but to seek fresh consent from data principals in order to be able to continue to use that information, or, absent such consent, will have to delete that personal data before the DPDP Act comes fully into force in 18 months.
The three-step process outlined above will allow data fiduciaries to quickly assess the extent to which their existing operations align with the new obligations they will soon be subject to. Armed with this information, they can approach data protection specialists to understand what they must do to fill gaps in their compliance and ensure that they have the right systems in place.
And now that the countdown has begun, they have no excuse left to delay action.
