Introduction

The Indian government has recently passed the Digital Personal Data Protection Bill 2023, a landmark piece of legislation that aims to protect the privacy of individuals’ personal data. The bill is expected to come into force in the coming months.

How does the Digital Personal Data Protection Bill 2023 work?

The Digital Personal Data Protection Bill 2023 is a comprehensive law that regulates the collection, processing, and use of personal data by organizations in India. In the bill, personal data is defined as any information that can be used to identify an individual, such as their name, address, phone number, or email address.

The bill sets out a number of principles that organizations must follow when collecting, processing, and using personal data. These principles include:

  • Limitation of purpose: Organizations are required to collect personal information only for specific and legitimate purposes.
  • Data minimization: Organizations must collect only the personal data that is necessary for the purpose for which it is being collected.
  • Accuracy: Organizations must ensure that personal data is accurate and up-to-date.
  • Data storage limitation: Organizations must not store personal data for longer than is necessary for the purpose for which it is collected.
  • Integrity and confidentiality: Organizations must take appropriate security measures to protect personal data from unauthorized access, use, disclosure, or destruction.
  • Accountability: Organizations must be accountable for their compliance with the law.

What are the penalties for non-compliance?

Organizations that violate the Digital Personal Data Protection Bill 2023 can be subject to a number of penalties, including:

  • A fine of up to Rs. 5 crore (US$6.7 million), or 2% of the company’s global turnover, whichever is greater.
  • Imprisonment for up to three years.

What does this mean for businesses?

The Digital Personal Data Protection Bill 2023 has far-reaching implications for businesses in India. Businesses that collect, process, or use personal data of Indian citizens will need to comply with the law. This includes businesses that are located outside of India but collect or process personal data of Indian citizens. Businesses that fail to comply with the law could face significant penalties. They could also lose the trust of their customers and partners.

How can businesses comply with the law?

There are a number of steps that businesses can take to comply with the Digital Personal Data Protection Bill 2023. These include:

  • Conducting a data protection impact assessment (DPIA) to identify and assess the risks to personal data.
  • Protecting personal information by implementing appropriate security measures.
  • Obtaining consent from individuals before collecting, processing, or using their personal data.
  • Individuals should have access to their personal data and the right to correct or delete it.
  • Responding to data subject requests in a timely manner.

Conclusion

The Digital Personal Data Protection Bill 2023 is a significant piece of legislation that will have a major impact on businesses in India. Businesses that fail to comply with the law could face significant penalties. It is important for businesses to take steps to comply with the law as soon as possible.