Metatron DPDP Consulting Services



What is the DPDP?

The Digital Personal Data Protection Act (DPDP Act 2023), or DPDP, was enacted in August 2023 and is scheduled to be enforced from November 2024 onwards. It is intended to harmonize data protection laws throughout India by applying a single data protection law that is binding throughout each member state.


DPDP protects any information that can be linked to an identifiable individual such as search-engine entries, employee authentication, payment transactions, closed-circuit-television footage, and visitor logs. The information can be in any format (structured or unstructured) and can be transferred in any medium including online, offline, or backup storage.


Key Principles of the DPDP

Right to access: data subjects have the right to obtain information as to whether or not their information is being collected, where, and for what purposes.

Right of revocation: data subjects have the right to request personal data to be erased, ceased from further dissemination, and stopped from processing by third parties.

Data portability: data subjects have the right to transmit their personal data to another organization; no institution or organization has data ownership.

Breach notification: all organizations are required to notify customers and controllers about a data breach within 72 hours of first having become aware of the breach.

Privacy by design: organizations are legally required to include data protection when designing their systems.

Data protection officer: DPOs are created to monitor compliance, inform and advise on obligations, and serve as a direct link between data subjects and other authorities in each member state.


The digital transformation gave rise to a data-driven culture where data analytics plays a huge role in business interactions. DPDP is a universal rule and not just limited to India. It's high time for businesses to adopt a customer-first mindset and start implementing an effective compliance environment. Nevertheless, no data-driven business should consider DPDP a threat; instead, it should accept it as an opportunity: an opportunity to future-proof your business and to earn the trust of your customers.


What Data is Covered by DPDP?

GDPR came into effect to protect personal data. By personal data, we mean all the information that relates to an identified or identifiable natural person. The DPDP calls it a ‘data subject’ under compliance policies.


DPDP applies to personal data processed in one of the two ways mentioned below:


Personal data processed wholly or partly using automated means (or information in electronic form); and

Personal data processed using a non-automated process that forms part of, or is intended to form part of, a ‘filing system’ (or written records in a manual filing system).

The data that is covered and protected by DPDP (a few examples):


Basic identity information such as name, address, and ID numbers.

Web data such as location, IP address, cookie data, and RFID tags.

Health and genetic data.

Biometric data.

Racial or ethnic data.

Political opinions.

Sexual orientation.


Digital Personal Data Protection Act (DPDP Act 2023): What You Need to Know

The new Digital Personal Data Protection Act (DPDP Act 2023) laws will come into effect in November 2024. The DPDP regulation is based on the EU GDPR and UK Data Protection Bill, and has very few changes to how businesses collect, process, and use personal data.


The DPDP wanted to change the way organizations across the region approach data privacy. After the legislation came into effect, it offered Indian citizens greater control over the data that belonged to them. The DPDP forced organizations to develop a customer-first mindset. It gave data subjects the right to know where, when, and how a specific organization uses their data. Besides, it granted them rights for easier access to data such as name, home address, photograph, bank account details, or medical information.


DPDP does not apply to the personal data used for national security reasons or law enforcement. However, as a part of DPDP policy, a separate Data Protection Directive for the police and criminal justice department was set. It lays down very stringent rules on exchanging personal data at any level, regardless of whether it is National, European, or International.



How Metatron Infotech Can Help


To comply with the DPDP standards, an organization needs to have an in-depth understanding of the compliance purposes and compliance challenges. The GDPR aims to protect the data privacy rights of Indian citizens.


Here are some ways we can help you establish a comprehensive governance structure:


Mapping company data

We will map the sources of all the data you collect and document how you use or process it. We will locate the data storage points and check your existing data access policy to create a DPDP-compliant data protection policy.


Identify data you need to keep

We will help you identify and remove redundant data that adds no value to the business. Storing only relevant, valuable data helps implement better data access and processing policies companywide.


Ensure proper security controls are in place

We will implement proven cybersecurity methods throughout your infrastructure to help contain any data breaches. This means we will put together solid data security programs capable of preventing data breaches and of immediately notifying authorities if a breach does occur.

 

Review compliance risks

Our data protection consultants will review existing privacy policies and alter privacy requirements if needed. They will create a seamless consumer consent process and also automate consumer requests to ensure DPDP-compliant systems.


Establish new procedures for handling personal data

By now, it is clear that DPDP keeps consumers, or data subjects, at the forefront, giving them astounding rights. We will establish new procedures for handling personal data so that they can tackle the challenges of compliance.


For example:


Establishing a procedure that allows individuals to give consent in a legally compliant way.

Setting up a process to delete the personal information of a subject upon receiving such requests.

A process to take appropriate action on each data deletion request and to recheck its progress.

Creating a compliance strategy to deal with data transfer requests.

Drafting privacy controls to communicate emergency events such as data breaches.

Importance of DPDP Compliance in New Remote-Working Normal

The onset of the pandemic has forced a massive swath of the global workforce to work remotely. It has shifted organizational focus away from the office environment, pushing organizations to revisit their DPDP compliance strategy to check whether it will survive in the new normal or needs updating.


When DPDP came into existence, many organizations implemented detailed data security protocols to enhance data privacy and safety. During that time, the focus was predominantly limited to DPDP compliance within the office boundaries. Now, with the new social distancing guidelines and employees working from home, a new compliance strategy to meet DPDP laws has become pivotal.


Technology has played a dominant role in keeping employees productive even though they are working out of the office. However, the real problem is maintaining the privacy and security of stored and processed data. Organizations, therefore, need to re-evaluate data security risks and provide a safe remote working experience. Apart from addressing vulnerabilities in their networks and physical data storage facilities, organizations need to face compliance challenges when remote workers move data between the corporate network, the cloud, and the personal laptop.


We can help with a Data Protection Impact Assessment (DPIA) to identify data protection gaps and privacy risks. Our assessment and knowledge of risks and gaps empower us to address each issue accordingly. If needed, we will propose data security controls for accessing and processing personal information from the home environment. Besides, we will also ensure the data is handled differently than it was being handled in the office.


These comprise key DPDP compliance solutions including:


DPDP Readiness Reviews

Privacy Impact Assessments

Privacy Architect Reviews and Guidance

Personal Data Audit

Contract Reviews

Policy Reviews

Notifications Review

Awareness Briefings

Training