Digital Personal Data Protection Act 2023: Key Insights & Compliance Guide

For instance, consider a partnership between a bank and an ATM switch provider. The bank opens an account and shares the data with the outsourced company or switch partner, which then generates the card number and facilitates ATM transactions. In this scenario, the bank assumes the role of a data fiduciary, while the switch provider operates as a data processor.

Significant Data Fiduciary : Government designates organizations handling extensive sensitive data as “Significant Data Fiduciaries.”

It’s worth noting that there are additional responsibilities for significant data fiduciaries, and based on the provisions of the act, banks that handle data have a higher likelihood of being classified as significant data fiduciaries. However, the determination of who qualifies as a significant data fiduciary ultimately rests with the central government, and we can expect notifications on this matter in due course.

Obligations of Significant Data Fiduciary:

• Shall appoint a Data Protection Officer & must be based in India
• Appoint a Data Auditor to assess Data Fiduciary compliance through a data audit.
• Implement measures for Periodic Data Privacy Impact Assessments, adhering to the Act. 

Consent Management: Central to DPDPA

Consent can be defined as an individual’s voluntary, informed, and clear agreement to allow a data fiduciary (an entity that collects and manages personal data) to process their personal information for specific purposes.

Consent management involves the establishment of clear and effective mechanisms by data fiduciaries to obtain, record, and manage this consent. It ensures that data principals are fully informed about the data processing activities and have the ability to exercise their rights related to their personal data. Effective consent management is a fundamental element of data privacy regulations, and plays a crucial role in building trust between data fiduciaries and data principals.

Actions for Data Fiduciary to build mechanism for Consent Management:

• Ensure the accuracy and completeness of data
• To provide notice to data principals regarding data being processed and purpose for the same
• Notice should be easily understandable and must be in multiple languages
• Discover efficient ways to notify users about data processed before via email/app alerts.
• Make users aware regarding their rights and duties and to make complaints
• Build agreements to have Free, Explicit, Specific, Informed, Unambiguous & Unconditional consent with Clear Affirmative Action
• For Children below 18 years of age, or Individual with Disability consent will be provided by the parent or the legal guardian.
• Erase personal data as soon as the purpose has been met
• In case of breach have mechanism to timely inform Data Protection Board and Affected Individual

Consent Manager:

Serves as a centralized platform for Data Principals to control and review consent transparently and interactively. Data Fiduciary may appoint Consent Manager themselves or get Third-party Consent Manager.

Role of Consent Manager:

• The Data Principal may Give, Manage, Review or Withdraw her consent to the Data Fiduciary through a Consent Manager
• Consent Manager is responsible for acting on behalf of and being accountable to the Data Principal as prescribed.
• Consent Manager shall be registered with the Board with subject to such Technical, Operational, Financial adhering to prescribed conditions.
• Data Fiduciary is responsible to prove Notice & Consent.

Rights & Duties of Data Principals:

• Right to Grievance Redressal: The data fiduciary & consent manager must respond to grievance of Data Principal within a prescribed time frame.
• Right to Nominate: Nominate any other individual, who shall, in the event of death or incapacity of data principal, exercise the rights of the data principal
• Right to Access Information: Seek information about processed data and information in case shared with other data fiduciaries or processors.
• Right to Seek Correction: Data Principal can reach out to Data Fiduciary in order to exercise their right to correct, complete, update and erasure of their personal data
• Right to Withdraw consent: Data principals have the right to crease processing by withdrawing their consent. The process will be facilitated by consent manager.

The advent of the Digital Personal Data Protection Act (DPDPA) marks a pivotal moment for the Banking, Financial Services, and Insurance (BFSI) sector, underscoring the imperative of safeguarding personal data in an increasingly digitized landscape. This legislation imposes rigorous measures and obligations on BFSI organizations, emphasizing the secure management of the personal data they collect, store, and process.

Given the BFSI industry’s substantial volume of customer data, proactive compliance with the DPDPA becomes paramount. To this end, a set of concise directives takes center stage, guiding BFSI entities in aligning their practices with the DPDPA’s principles. These directives span critical areas, including consent management and cybersecurity, facilitating the sector’s adept navigation of data protection complexities and the maintenance of trust among its esteemed customers. 

Let’s delve deeper into the structural impact that entities will undergo: 

• Data Identification: It is imperative to identify all the data collected to date, including historical data, and the purposes for which it was collected. Determine the current location of this data, whether it resides with the banks or third-party vendors, and the system in which it is stored. Identify which processor is responsible for maintaining the data or if it is held by any technical partner. Additionally, ascertain the availability of consent records for the collected data.
• Consent Management: Develop a transparent mechanism for obtaining consent, create the necessary technology for consent acquisition, and establish procedures for notifying data principals. Challenges may arise when seeking consent for previously collected data, which can impact the organization at various levels.
• Data Impact Assessment: Understand the risks, breaches, and threats associated with potential data misuse. Identify the level of impact that different scenarios could have.
• Data Audit: Organizations must define technical and people-related controls to enhance data protection. Ensure that data minimization processes are consistently followed, and each unit monitors and maintains records of data processing activities.
• Organizational Impact: If banks are designated as significant data fiduciaries, they will need to appoint a Data Protection Officer (DPO). This poses a challenge as banks already have Compliance Officers, Risk Officers, and Chief Information Security Officers (CISOs). Product managers may face difficulties in obtaining approvals from these heads, and the same will be required from the DPO. The DPO will play a pivotal role in driving technological and product changes, holding an influential position within the organization.
• Technology Impact: Organizations will face significant technological challenges, particularly in developing a robust consent framework and security controls. The impact will extend to interconnected internal technologies, such as API interfaces. Entities must also establish a control mechanism for strict oversight of data processors.
• Product Design-Level Impact: Customer digital journeys will undergo changes as organizations must now provide clear notifications for each data point collected. For instance, when an individual downloads a new app and it requests access to location, camera, microphone, etc., entities must clearly define the purposes for which these accesses are requested in plain and specific terms. Entities will need to review the personal data collected and eliminate unnecessary data collection. This will affect the entity’s cross-selling strategy, as collected data cannot be used for promotional messages or product offers without explicit consent notification. This necessitates changes across multiple layers.
• Risk Management Impact: While entities already have operational risk management in place, they must begin factoring in challenges stemming from previously collected data. Entities must ensure that self-control assessments are conducted for each unit, product team, and technology team. They should actively manage data-related risks, continue monitoring, and report on risk-related activities.

Overall, the DPDPA will require banking and financial institutions to invest in data protection infrastructure, processes, and training to ensure they comply with the Act’s provisions and protect the privacy and security of their customers’ personal data. Failure to do so can result in significant financial penalties and damage to their reputation.