Duties of Data Protection Officer under the Digital Personal Data Protection Act, 2023

 


Introduction

After years of debates, delays and agreements, the Digital Personal Data Protection Act, 2023 (the “Act”) moved quickly through its final stages last week, culminating in its publication in the Official Gazette on Friday, August 11, 2023. The Bill was approved by both the lower and upper Houses of Parliament and received presidential assent. With over 1.4 billion inhabitants, India is the most populous nation in the world, the largest democracy, and the 19th G20 member to implement a comprehensive personal data protection law, which it accomplished while it held the G20 Presidency.

The Digital Personal Data Protection Bill (the “Bill”) was adopted by Parliament six years after Justice K.S. Puttaswamy v. Union of India, a landmark case in which the Supreme Court of India recognized a fundamental right to privacy, including informational privacy, within the “Right to Life” provision of India’s Constitution. In this ruling, a nine-judge Supreme Court panel advised the Indian government to implement “a carefully structured regime” for the protection of personal data. There have been numerous rounds of expert discussions and studies as part of India’s continuing efforts to establish this regime, and two prior versions of the bill were tabled in Parliament in 2019 and 2022.

Data protection officer in India

In India, there is no specific requirement that the Data Protection Officer (“DPO”) be a citizen or resident of India, nor are there any specific enforcement actions or penalties associated with not appointing a DPO correctly. However, the appointment of a DPO is part of the statutory due diligence process, and it is thus imperative that such an officer be appointed. An organization is required to formally appoint a DPO only if it qualifies as a Significant Data Fiduciary. The Act allows data principals to give, manage, review, and withdraw their consent through a “Consent Manager”, which will be registered with the authorities. In general, Indian data protection requirements are located in multiple diverse sources, including the Information Technology Act, 2000 and the rules notified thereunder. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with General Data Protection Regulation (“GDPR”) requirements. On August 9, 2023, India passed a data protection law that will govern how entities process users’ personal data.

The Digital Personal Data Protection Act of India: Duties of a Data Protection Officer 

The Act introduces several provisions to protect the personal data of individuals. One important aspect of the Act is the establishment of the role of a DPO. According to Section 8(9) of the Act, data fiduciaries are required to appoint a DPO and publish their contact information. The DPO plays a crucial role in ensuring that the data fiduciary complies with the provisions of the Act. Their duties include:

Ensuring compliance: The DPO is responsible for ensuring that the data fiduciary complies with the provisions of the Act. This involves monitoring the data fiduciary’s data processing activities and ensuring that they are in line with the requirements of the Act.

Publishing contact information: Data fiduciaries are required to publish the contact information of the DPO. This allows individuals to easily reach out to the DPO if they have any concerns or complaints regarding the processing of their personal data.

Handling complaints: The DPO must handle complaints from data principals (individuals whose personal data is being processed) regarding the processing of their personal data. They are responsible for addressing these complaints and taking appropriate actions to resolve any issues.

Cooperating with authorities: In case of an investigation or audit by the authorities, the DPO must cooperate fully. This includes providing necessary information and assisting the authorities in their inquiries.

Training staff: The DPO has the responsibility of training the data fiduciary’s staff on the provisions of the Act. This ensures that all the employees involved in data processing are aware of their obligations and follow the necessary procedures to protect personal data.

Maintaining records: The DPO must maintain records of the data fiduciary’s processing activities. This includes keeping track of the types of personal data being processed, the purposes of processing, and any transfers of data to third parties.

These duties of the DPO are crucial in ensuring that the data fiduciary complies with the provisions of the Act. By having a designated individual responsible for data protection, the Act aims to enhance transparency, accountability, and the rights of individuals.

In addition to the duties of the DPO, the Act grants certain rights to individuals. These rights include the right to obtain information about the processing of their personal data, the right to seek correction and erasure of their data and the right to grievance redressal.

These rights empower individuals to have control over their personal data and seek remedies in case of any violations.

Overall, the Act introduces important measures to protect personal data and ensure compliance with data protection principles. The establishment of the role of a Data Protection Officer and the outlined duties contribute to the effective implementation of the Act and safeguarding individuals’ privacy rights.

How can we help?

By offering the following services, our team can help organizations comply with the Act:

  • Our team can assist by undertaking a comprehensive analysis of the organization’s data privacy standards. This evaluation will help identify the areas where the organization needs to make improvements in order to adhere to the rules.
  • Our team of professionals can assist in creating a thorough privacy policy that complies with the Act’s standards. This policy will ensure accountability and openness.
  • Our team can assist in setting up solid consent management systems, which includes putting in place procedures that allow people to quickly withdraw their consent if they so wish.
  • Our professionals can assist in developing a data breach response plan. This plan will detail the actions to be taken to lessen the effects of a breach, notify those who might be impacted and adhere to legal requirements.

For more information or queries, please email us at
[email protected]