1. Overview
The India Digital Personal Data Protection Act (DPDP Act) came into force on August 11, 2023, substantially reshaping the data protection landscape in India. This legislation applies to all entities, including individuals, Hindu undivided families, companies, firms, associations of persons, and artificial juristic persons, that offer goods and services to Indian citizens, monitor their behavior, or process their personal data.
2. Review the Legislation Now
The DPDP Act is a significant update to India's data protection framework, and it is crucial to review the legislation in detail. Familiarize yourself with the key provisions, including:
- The definition of personal data and sensitive personal data
- The rights of data principals, including the right to access, correction, and erasure of personal data
- The obligations of data fiduciaries, including the duty to protect personal data and maintain transparency
- The consequences of non-compliance, including penalties and fines
Reviewing the legislation now will help you understand the requirements and obligations under the DPDP Act and ensure that your business is compliant.
3. Understand the New Changes
The DPDP Act introduces several new concepts and obligations that may impact your current processes. Some of the key changes include:
- The right to be forgotten: Data principals have the right to request the erasure of their personal data.
- Subject access requests: Data principals have the right to access their personal data, and data fiduciaries must respond to such requests within a specified timeframe.
- Data protection impact assessment: Data fiduciaries must conduct a data protection impact assessment to identify and mitigate the risks associated with processing personal data.
- Data breach notification: Data fiduciaries must notify the relevant authority and affected individuals in the event of a data breach.
Understanding these new changes will help you update your processes and procedures to ensure compliance with the DPDP Act.
4. Map Out What Data and Personal Data You Store
It is essential to understand what personal data you collect, store, and process. Conduct a thorough data mapping exercise to identify:
- The types of personal data you collect, including sensitive personal data
- The sources of personal data, including online and offline sources
- The purposes of processing personal data, including marketing, sales, and customer support
- The systems and processes used to store and process personal data, including databases, servers, and software applications
- The third-party vendors and service providers that have access to personal data
Conducting a data mapping exercise will help you understand your data flows and identify areas for improvement.
5. Securely Delete Old Data
If you are storing personal data that you no longer require, it is essential to securely delete it. Disposing of unnecessary data will help reduce the risk of data breaches and non-compliance.
Use specialist equipment and software to securely erase personal data, and ensure that you have a robust data retention and deletion policy in place. This policy should include:
- Procedures for securely deleting personal data
- Guidelines for determining the retention period for personal data
- Measures for ensuring that personal data is not accidentally or intentionally deleted
Having a robust data retention and deletion policy will help you ensure compliance with the DPDP Act.
6. Inform Your Employees and Suppliers
Ensure that all your employees and suppliers are aware of the changes to your processes and procedures that may impact them. Provide training and awareness programs to help them understand the provisions of the DPDP Act and their roles and responsibilities in ensuring compliance.
This training should include:
- An overview of the DPDP Act and its provisions
- The rights of data principals and the obligations of data fiduciaries
- The procedures for handling personal data, including collection, storage, processing, and deletion
- The measures for ensuring data security and preventing data breaches
Providing training and awareness programs will help ensure that your employees and suppliers are equipped to handle personal data in compliance with the DPDP Act.
7. More Information
For more information on the DPDP Act and its provisions, you can visit the website of the Ministry of Electronics and Information Technology (MeitY) or the Indian Computer Emergency Response Team (CERT-In). These websites provide guidance and resources to help businesses comply with the DPDP Act.
Additionally, you can consult with legal and compliance experts to ensure that your business is fully compliant with the DPDP Act.