Our previous article introduced the Digital Personal Data Protection (DPDP) Act, 2023. We enumerated some relevant key definitions and the overall reach and impact of the Act across industries. It is the first-ever comprehensive data protection regulation in India. It relies on the principles of fairness, transparency, and accountability, and it imposes duties and grants rights that have not been seen in India before this Act.

Today's article throws light on the rights that Data Principals would have. Data Principals (also called Data Subjects, or Users in everyday language) are the people whose personal information is being processed by the data fiduciary, which is the organization that collects and processes their data.

The rights that Data Principals would be entitled to under the DPDP Act are as follows:

Right to Be Informed: Data principals have the right to access their personal data held by data fiduciaries, including the source of the data, the purpose for which it is being processed, and the categories of data recipients. For example, if the data fiduciary processes only email addresses, they need to tell the user what email address they hold, why they process it, how they got it, and with whom they share the email address.

Right to Rectification of Personal Data: Data principals have the right to have their personal data corrected if it is inaccurate or incomplete.

Right to Restrict Processing Data: In specific situations, data principals have the right to control how their personal data is processed. For instance, if you send cold emails to data principals, they could opt out of receiving emails from you and limit the processing by unsubscribing from your list.

Right to Erasure of Personal Data: If a data principal withdraws their consent, or if the data is no longer required for the purposes for which it was collected or processed, the data principal will have the right to have their personal data deleted. It is crucial to remember that in order to use the right to delete, at least one of the above requirements must be satisfied.

The DPDP Act, 2023 is an all-encompassing Act, covering every organization. Any business processing personal data within India falls under its scope, irrespective of its size or geographical location. Organizations based outside India that handle the data of Indian residents are also subject to this law.

For a business handling sensitive personal data, the following are some key considerations:

  • Collect consent for the use of cookies.
  • Provide data users with a privacy notice.
  • Comply with laws when transferring data internationally.
  • Honor data principal rights.
  • Look into the need to appoint a Data Protection Officer.
  • Notify relevant authorities of data breaches.

Setting up an internal process for accepting and handling data-related requests will also prove beneficial. Staying compliant is a journey, not a destination, and it doesn't have to be a complicated process. Knowing ahead of time who will receive a request and handle it will make compliance more organized, faster, and more accurate. Training the relevant personnel will also streamline the processes in the long run.

Embrace compliance not as a constraint, but as a compass guiding your organization towards ethical excellence. It is the path to enduring success and unwavering integrity.