
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks India's entry into the global regulatory landscape for personal data rights. With a focus on standardization, simplicity, and broad alignment with regimes such as the European Union's General Data Protection Regulation (GDPR), the DPDP Act presents a framework tailored to India's needs. Financial services organizations operating in India, already subject to Reserve Bank of India regulations and international standards, must now prepare for the implications of the DPDP Act.
Considerations Pertinent to the DPDP Act
Territoriality The DPDP Act governs the processing of digital personal data within India and, for processing outside India, applies where the processing is connected with offering goods or services to Data Principals in India. Coverage turns on the processing, not on the individual: Indian and non-Indian individuals alike are protected, regardless of their location or residency status, as long as the processing occurs in India or is linked to products or services offered in India.
Representative Offices/Branch Operations Foreign banks often conduct business in India through representative offices or branches that are not separately registered Indian entities. The absence of an Indian legal entity does not remove the obligation: if the Data Fiduciary is a foreign entity and personal data processing occurs in India or relates to banking products or services offered in India, the DPDP Act continues to apply.
Lawful Foundation for Data Processing The DPDP Act requires that processing of personal data rest on consent that is free, specific, informed, unconditional, and unambiguous, given with a clear affirmative action. The Act also recognizes certain legitimate uses that do not require consent, such as compliance with a law or court order, responding to a medical emergency, and specified employment-related purposes. Legacy data is not grandfathered: where consent was obtained before the Act commenced, the Data Fiduciary must issue the prescribed notice as soon as reasonably practicable and may continue processing only until that consent is withdrawn. In practice this calls for an audit of existing data sets, a mapping of each processing activity to either consent or a recognized legitimate use, and mechanisms for itemized, purpose-specific consent.
Retention and Erasure of Data Data Fiduciaries must erase personal data once the Data Principal withdraws consent or once the specified purpose is fulfilled, unless retention is necessary to comply with a law in force. The practical difficulty for cross-border banking and payment services is determining when a purpose is actually fulfilled, since customers may approach the Data Fiduciary long after a transaction or relationship appears to have ended. Data Fiduciaries should therefore document, per category of data, the purpose that justifies retention and the statutory record-retention periods (for example under banking and anti-money-laundering rules) that override the erasure obligation, so that erasure can be triggered on a defensible timeline rather than on an ad hoc basis.
The Role of Data Processors Under the DPDP Act, the Data Fiduciary remains responsible for compliance in respect of any processing undertaken by a Data Processor on its behalf, regardless of any contract between them. Foreign financial institutions that engage Data Processors outside India must therefore ensure, through contract and oversight, that those processors meet DPDP Act requirements. The technical and organizational security measures expected of processors may be further specified in the DPDP Rules.
Cross-Border Data Transfer The DPDP Act does not impose a general prohibition on international transfers; instead, personal data may be transferred outside India except to countries or territories that the Central Government restricts by notification. The Act also preserves any other law that provides a higher degree of protection or restriction, so sector-specific requirements such as the Reserve Bank of India's rules on data localization and outsourcing continue to apply where they are stricter. Foreign banks must map their outsourcing arrangements and cross-border data flows against both the notified restrictions and these sectoral rules.
Notification of Breach of Personal Data Unlike the GDPR, which requires notifying affected individuals only where a breach is likely to result in a high risk to them, the DPDP Act requires a Data Fiduciary to notify both the Data Protection Board of India and each affected Data Principal of every personal data breach, with no risk threshold. The DPDP Rules are expected to specify the form, content, and timing of such notifications, which will require incident response processes that can identify affected individuals and issue regulator and customer notifications in a coordinated way.
Significant Data Fiduciaries (SDFs) The Central Government may designate a Data Fiduciary or class of Data Fiduciaries as an SDF based on factors including the volume and sensitivity of the personal data processed, the risk to Data Principals' rights, and the potential impact on sovereignty, security, and public order. Foreign institutions operating in India that are designated as SDFs face additional obligations, including appointing a Data Protection Officer based in India who serves as the point of contact for grievances, appointing an independent data auditor, and conducting periodic data protection impact assessments and audits.
Data Processing of Children or Individuals with Disabilities Processing the personal data of a child, or of a person with a disability who has a lawful guardian, requires verifiable consent from the parent or lawful guardian. Two further restrictions apply: a Data Fiduciary may not process a child's personal data in a way that is likely to have a detrimental effect on the child's well-being, and tracking, behavioural monitoring of children, and targeted advertising directed at children are prohibited outright.
Analysis and Research Exemption Processing necessary for research, archiving, or statistical purposes is exempt from the DPDP Act, provided the personal data is not used to take any decision specific to a Data Principal. Analytics that feed individual-level decisions, such as credit scoring or account-specific risk profiling, therefore fall outside the exemption.
While the DPDP Act broadly aligns with global standards, its distinctive features require a dedicated compliance review. Foreign institutions operating in India that are accustomed to the GDPR must adapt to the Indian regulatory landscape: conformity with international frameworks alone will not suffice, and the specific provisions of the DPDP Act need to be understood and implemented.
The DPDP Act applies to foreign banks that process personal data in connection with offering products or services to Data Principals in India, regardless of where the processing takes place.
Non-compliance with the DPDP Act can result in monetary penalties imposed by the Data Protection Board of India, which may reach INR 250 crore per instance of breach under the Act's Schedule, along with directions to take remedial measures. The Act itself does not create a right for affected individuals to claim compensation.
Foreign banks may transfer the personal data of Indian customers outside India, except to countries or territories restricted by notification of the Central Government, and subject to any stricter sectoral requirements that continue to apply.
Data Fiduciaries are responsible for obtaining valid consent or identifying a recognized legitimate use for each processing activity, implementing reasonable security safeguards, notifying the Data Protection Board of India and affected Data Principals in the event of a personal data breach, and, if designated as Significant Data Fiduciaries, conducting periodic data protection impact assessments and audits.
The DPDP Act requires verifiable consent from the parent or lawful guardian before processing the personal data of a child or of a person with a disability who has a lawful guardian. Processing that is likely to be detrimental to a child's well-being, as well as tracking, behavioural monitoring, and targeted advertising directed at children, is prohibited.