Digital Personal Data Protection Act 2023

Understanding India's New Data Privacy Law

ISMS Internal Audit Follow-up Training

C&IT Department, BSL, SAIL

What is DPDP Act 2023?

India's Comprehensive Data Protection Framework

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law, enacted to regulate the processing of digital personal data and protect individuals' privacy rights.

Key Features:

Territorial Scope: Applies to processing of digital personal data within India and outside India in relation to offering goods/services to individuals in India
Rights-Based Approach: Establishes fundamental rights for data principals (individuals)
Consent Framework: Emphasizes informed and meaningful consent
Accountability: Places obligations on data fiduciaries (organizations processing data)
Enforcement: Establishes Data Protection Board with significant penalty powers

Key Definitions You Must Know

Data Principal

The individual to whom the personal data relates (i.e., the data subject/person whose data is being processed)

Data Fiduciary

Any person who alone or in conjunction with others determines the purpose and means of processing personal data (i.e., organizations like SAIL)

Data Processor

Any person who processes personal data on behalf of a data fiduciary (e.g., third-party service providers)

Personal Data

Any data about an individual who is identifiable in relation to such data (name, phone, email, employee ID, etc.)

Important Note:

As employees of SAIL, we handle personal data of employees, customers, vendors, and stakeholders. Understanding these definitions helps us identify our role and responsibilities.

Rights of Data Principals (Individuals)

The DPDP Act grants several rights to individuals:

Right to Information: Know what personal data is being processed and for what purpose
Right to Correction and Erasure: Correct inaccurate data or request deletion
Right to Data Portability: Receive personal data in a structured, commonly used format
Right to Grievance Redressal: File complaints with the Data Protection Board

Impact on Our Organization:

We must be prepared to respond to data subject requests
Clear processes needed for data correction and deletion
Employee training required to handle such requests
Documentation of all data processing activities

Our Obligations as Data Fiduciary

Legal Obligations Under DPDP Act:

Lawful Processing: Process data only for legitimate purposes with proper consent
Purpose Limitation: Use data only for the stated purpose
Data Minimization: Collect only necessary data
Accuracy: Ensure data is accurate and up-to-date
Storage Limitation: Retain data only as long as necessary
Security Safeguards: Implement appropriate technical and organizational measures

                Specific Requirements:
                Appoint Data Protection Officer (if required)
Conduct Data Protection Impact Assessment for high-risk processing
Implement data breach notification procedures
Maintain records of processing activities

            

Understanding Consent

Valid Consent Must Be:

Free: Given without coercion or deception
Specific: For a particular purpose
Informed: Individual understands what they're consenting to
Unconditional: Not bundled with other consents
Clear Affirmation: Positive action, not pre-ticked boxes

Consent Alternatives - Legitimate Purposes:

Employment-related processing (HR data, payroll)
Compliance with legal obligations
Public interest or official authority
Vital interests of the individual
Legitimate interests (with balancing test)

Key Point:

Not all data processing requires explicit consent. Much of our employee data processing falls under legitimate purposes, but we must still ensure lawful and fair processing.

Data Security & Protection Measures

Technical Safeguards Required:

Access Controls: Role-based access to personal data
Encryption: Data encryption in transit and at rest
Network Security: Firewalls, intrusion detection systems
Regular Updates: Security patches and software updates
Backup & Recovery: Secure data backup procedures

Organizational Safeguards:

Staff Training: Regular privacy and security awareness
Clear Policies: Data handling and processing policies
Incident Response: Data breach response procedures
Vendor Management: Due diligence on third-party processors
Regular Audits: Internal and external security assessments

Our Current Status (From Audit):

✅ Good practices: NGFW, NGAV, Access Controls, Backup Policy
🔄 Areas for improvement: Vulnerability management, Incident response for cyber attacks

Data Breach Notification Requirements

What Constitutes a Data Breach?

Unauthorized access to personal data
Accidental loss or destruction of data
Unlawful disclosure or alteration
System compromise affecting personal data

Notification Timeline:

To Data Protection Board: Within 72 hours of becoming aware
To Affected Individuals: Without undue delay if high risk to rights
Assessment Period: Immediate risk assessment required

Information to Include:

Nature of the breach and categories of data affected
Number of individuals affected (approximate)
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact details for further information

Action Required:

We need to develop and implement incident response procedures for cyber attacks as identified in our audit (OFI-8).

Penalties Under DPDP Act 2023

Violation Type	Penalty Amount	Examples
Processing without consent/legitimate purpose	Up to ₹250 Crores	Unauthorized data collection, misuse of data
Failure to implement security safeguards	Up to ₹250 Crores	Inadequate data protection measures
Non-compliance with data principal rights	Up to ₹200 Crores	Not responding to access/deletion requests
Failure to report data breaches	Up to ₹200 Crores	Not notifying authorities within 72 hours
Transfer to non-adequate countries	Up to ₹150 Crores	Unauthorized international data transfers

Additional Consequences:

Reputational damage and loss of customer trust
Operational disruption and regulatory scrutiny
Potential criminal liability for willful violations
Business restrictions and compliance orders

DPDP Act Impact on SAIL Operations

Areas Requiring Immediate Attention:

Employee Data

HR records and personnel files
Payroll and benefits data
Performance and disciplinary records
Health and safety information

Customer/Vendor Data

Customer contact information
Vendor and supplier details
Contract and transaction records
Financial and payment data

IT Systems Data

User access logs and credentials
Email and communication records
System usage and monitoring data
Security incident records

Operational Data

Visitor and contractor information
Training and certification records
Surveillance and access control data
Environmental and safety data

Our DPDP Compliance Action Plan

Phase 1: Immediate Actions (Next 30 Days)

Complete data mapping and inventory exercise
Review and update privacy policies
Conduct DPDP awareness training for all staff
Establish data breach notification procedures

Phase 2: Short-term Actions (90 Days)

Implement consent management processes
Develop data subject request handling procedures
Review and update vendor agreements
Enhance data security measures (addressing audit findings)

Phase 3: Long-term Actions (180 Days)

Conduct Data Protection Impact Assessments
Implement comprehensive data governance framework
Regular compliance monitoring and auditing
Continuous staff training and awareness programs

Integration with ISMS (ISO 27001)

DPDP compliance strengthens our information security management system and addresses several audit findings including document management, risk assessment, and incident response.

Your Role in DPDP Compliance

As SAIL Employees, You Must:

Handle Data Responsibly: Process personal data only when necessary for your job
Follow Security Procedures: Use strong passwords, secure systems, report incidents
Respect Privacy: Don't access or share personal data unnecessarily
Report Issues: Immediately report suspected data breaches or privacy violations
Stay Informed: Keep updated on privacy policies and procedures

Practical Guidelines:

Always verify identity before sharing personal information
Use secure communication channels for sensitive data
Regularly update and patch your systems
Be cautious with email attachments and links
Lock your computer when not in use
Follow clean desk policy for confidential documents

Remember:

Data protection is everyone's responsibility. Your actions directly impact SAIL's compliance with DPDP Act 2023 and our overall information security posture.

Questions? Contact:

IT Security Team: [Contact Details]
ISMS Coordinator: [Contact Details]
Data Protection Officer: [To be appointed]