S3E10 | DPDPA Compliance for MNC Offices in India | #DPDPA #privacycast #mnc

PrivacyCast

28 Aug 202322:16

Summary

TLDRIn this Privacy Class podcast, Arya Tripathi, a partner at PSA and a data protection expert, discusses India's Data Protection and Digital Personal Data Protection Act (Dpdpa). She clarifies misconceptions, emphasizing that while the act is new, its principles are well-established. Tripathi advises businesses to understand the law and evaluate technology options for compliance. She also addresses the act's extraterritorial application, the role of the Data Protection Board of India, and the importance of consent management. Tripathi stresses the need for a cultural shift towards privacy as a fundamental right and the collective effort required for effective implementation.

Takeaways

📚 Arya Tripathi, a partner at PSA and a thought leader in data protection, emphasizes the importance of understanding the DPDP Act, even though it has not yet been fully implemented.
🌐 The DPDP Act applies to both Indian and foreign companies, focusing on data processing within India, regardless of whether the data subjects are Indian or not.
🏢 Arya advises businesses to use the current time to understand the law and evaluate technology options for compliance, rather than rushing into implementation.
🔑 The establishment of the Data Protection Board of India is a key aspect of the DPDP Act, which will oversee the implementation and regulation of data protection.
🔄 Arya highlights the need for a staggered approach to implementation, allowing businesses to prepare and adapt to the new regulations.
🚫 The DPDP Act includes exemptions for certain types of data processing, such as when an Indian processor handles data on behalf of a foreign entity, which may not fall under the Act's purview.
💡 Arya stresses the importance of consent management, suggesting that the current methods of obtaining consent may need to change to meet the Act's requirements.
💼 The role of the Data Protection Officer (DPO) is discussed, with Arya suggesting that while the Act does not mandate independence, it is advisable for the DPO to have a clear focus on privacy governance.
💰 The potential for steep fines under the DPDP Act is mentioned as a deterrent for non-compliance, indicating the seriousness with which the law should be approached.
👥 Arya calls for a collective effort in understanding and implementing the DPDP Act, involving various stakeholders within an organization, from tech personnel to legal advisors.

Q & A

What is the primary focus of the DPDP Act?
-The primary focus of the DPDP Act is to regulate the processing of personal data within India, ensuring data protection and privacy rights for individuals.
Who is Arya Tripathi and what is her role in the privacy domain?
-Arya Tripathi is a partner at PSA, a mondac thought leader awardee for India, and a CIPP certified professional with extensive experience in data protection. She has been working in the privacy space, particularly in a cross-border context.
What is the current status of the DPDP Act in India?
-At the time of the podcast, the DPDP Act has been legislated but not yet implemented. There is anticipation for a separate commencement notification which might take some time.
What is the role of the Data Protection Board of India according to the DPDP Act?
-The Data Protection Board of India is an independent regulator contemplated by the DPDP Act, responsible for the implementation of the law, including setting regulations and guidelines for data protection.
How does the DPDP Act apply to foreign companies processing data in India?
-The DPDP Act applies to both Indian and foreign companies, irrespective of whether they are registered or incorporated in India, as long as the data processing is happening within India.
What are the implications of the DPDP Act for global data analytics companies operating in India?
-Global data analytics companies operating in India must comply with the DPDP Act if they are processing data within India, even if they are not physically present in the country with a permanent establishment or branch office.
How does the DPDP Act handle data processing involving U.S. citizens' data processed in India?
-The DPDP Act will apply to any data processing happening in India, regardless of whether the data belongs to a U.S. citizen or company, ensuring that such data is covered under the Act's provisions.
What changes are expected for e-commerce platforms in India due to the DPDP Act?
-E-commerce platforms will need to overhaul their consent mechanisms, making them more specific, freely given, and revocable. They will also need to ensure that consent is obtained through affirmative actions and not default settings.
What is the significance of the fines mentioned in the DPDP Act?
-The fines under the DPDP Act are steep and intended to act as a deterrent, compelling organizations to comply with the law. The imposition of fines is expected to be a significant motivator for compliance.
What is the role of a Data Protection Officer (DPO) under the DPDP Act?
-A DPO under the DPDP Act is responsible for ensuring compliance with data protection regulations within an organization. While the Act does not mandate independence for the DPO, it is advisable for the role to be distinct from other executive functions to maintain objectivity.
How can individuals become privacy professionals in the era of the DPDP Act?
-Individuals can become privacy professionals by developing a deep understanding of data protection laws, starting with reading and understanding terms of use and privacy policies of various platforms and services.