While the Digital Personal Data Protection Act, 2023 has received Presidential approval and has been officially published in the Gazette, it has not yet become enforceable. Specific timelines for its implementation have not been finalized. According to government reports, the provisions of this legislation will come into effect gradually over the next few months, in conjunction with the corresponding Rules designed to complement the new Data Protection Act. Therefore, it is reasonable to assume that businesses should begin preparing to comply with the new requirements of the forthcoming data protection regime. However, it may still be some time before the Data Protection Act of 2023, along with its accompanying Rules, is fully put into practice.
Once the Act and the forthcoming Rules are officially published and the new data protection framework becomes operational, Section 43A of the Information Technology Act and the SPDI Rules will no longer be in effect. Until then, the current Information Technology Act and the SPDI Rules of 2011, along with their associated compliance obligations, will continue to apply as they currently do, and organisations will be required to continue complying with their provisions.
As an organisation* operating in India**, if you are collecting, storing or analysing digital personal data, this law brings a new set of obligations for you.
In preparation for the new legislation, and once it comes into force, please refer to the flow chart below to assist in understanding the responsibilities that organizations that process*** Digital Personal Data**** will have under the new Data Protection and Privacy Act of 2023.
Footnote:
*An organization that, alone or in conjunction with other persons, determines the purpose and means of processing of personal data is considered a Data Fiduciary and is liable to comply with the obligations mandated under the Act.
**This Act is also applicable to Organizations operating outside India if processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
***Processing of data is defined as: a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
****Digital Personal Data means personal data in digital form, while Personal Data means any data about an individual who is identifiable by or in relation to such data.
Written by: Vidya Mukherjee
Co-authored by: Kanishka Bose
Disclaimer
All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. This blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion Solutions. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement are the intellectual property of Lexplosion Solutions Private Limited and/or its licensors.
ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.