Applicability
Your company is covered under the scope of the Bill:
- If your company processes Personal Data of individuals.
- If your company processes Personal Data in India:
  - If the Personal Data is collected online.
  - If the Personal Data is collected offline and subsequently digitised.
- If your company processes Personal Data outside India in relation to profiling of, or the activity of offering goods or services to, Data Principals within the territory of India.
Compliance Checklist
| OBLIGATION UNDER THE DPDPB, 2022 | CORRESPONDING REQUIREMENTS | PARTY RESPONSIBLE FOR COMPLIANCE |
| --- | --- | --- |
| Consent for processing of Personal Data for all purposes | An "itemised" notice has to be given to the Data Principals which contains: 1. a description of the Personal Data collected; 2. the purpose of the processing of such data; 3. details of the Grievance Officer or Data Protection Officer. In the case of children: a. verifiable parental consent; b. no undertaking of tracking, monitoring or targeting. Non-compliance: penalty of up to Rs 200 crore. | All the applicable entities |
| Deemed Consent (no notice required) for specific purposes | Deemed Consent can be relied on in certain cases: 1. for reasonable expectation; 2. for functions of the State; 3. processing related to employment; 4. for vital interest or public interest; 5. for fair and reasonable purposes. | All the applicable entities |
| Implementation of security safeguards | Businesses should implement appropriate technical and organisational measures and reasonable security safeguards. Non-compliance: penalty of up to Rs 250 crore. | All the applicable entities |
| Personal Data Breach | Where the business suffers a Personal Data Breach, a notification is to be sent to the Data Protection Board and to the Data Principals. Non-compliance: penalty of up to Rs 200 crore. | All the applicable entities |
| Retention of Personal Data | Businesses need to cease retaining the data of Data Principals once it is no longer necessary for legal or business purposes. | All the applicable entities |
| Point of contact (POC) | Businesses need to publish the contact information of the Data Protection Officer or a POC for handling the grievances and questions of the Data Principals. | All the applicable entities |
Significant Data Fiduciary (SDF)
The government has yet to notify which Data Fiduciaries will be designated as SDFs; the designation will depend on various factors:
- Volume and sensitivity of the data processed
- Risk of harm to Data Principals
- Impact on sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
Compliance Checklist
| OBLIGATION UNDER THE DPDPB, 2022 | CORRESPONDING REQUIREMENTS | PARTY RESPONSIBLE FOR COMPLIANCE AND PENALTIES |
| --- | --- | --- |
| Data Protection Officer | Businesses need to appoint a Data Protection Officer based in India, who will be the point of contact for the grievance redressal mechanism. | All the applicable entities. Non-compliance: penalty of up to Rs 150 crore. |
| Data Auditor | Businesses need to appoint an independent Data Auditor to audit compliance under this Act. | All the applicable entities. Non-compliance: penalty of up to Rs 150 crore. |
| Data Protection Impact Assessment (DPIA) and audits | Businesses need to undertake a DPIA and appropriate periodic audits. | All the applicable entities. Non-compliance: penalty of up to Rs 150 crore. |