Privacy audit for compliance with the Digital Personal Data Protection Act (DPDP Act) of 2023


Privacy audits help organisations identify and close their compliance gaps before the Act is finally enforced

To conduct a privacy audit for compliance with the Digital Personal Data Protection Act (DPDP Act) of 2023, an organisation should focus on several key areas, including obligations for data fiduciaries, security measures, and specific requirements for Significant Data Fiduciaries (SDFs). The DPDP Act and its draft rules outline various obligations and measures that need to be in place for compliance.

Here’s a breakdown of what an organisation should consider during a privacy audit:

1. Obligations of Data Fiduciaries:

  • Consent and Notice: Ensure that notices are clear, self-contained, and easily understandable. Notices must inform individuals about the personal data being collected, the purpose of processing, how to exercise their rights, and the procedure for filing complaints with the Data Protection Board. The notice should be presented in a manner that is independent of any other information provided by the Data Fiduciary.
  • Lawful Processing: Personal data should only be processed for a lawful purpose, based on the data principal’s consent or certain legitimate uses. A lawful purpose is one that is not expressly forbidden by law.
  • Data Accuracy and Completeness: Data fiduciaries need to ensure the completeness, accuracy, and consistency of personal data if it is likely to be used to make a decision that affects the data principal or if it is disclosed to another data fiduciary.
  • Grievance Redressal: Establish an effective mechanism to address grievances from data principals. Data Fiduciaries must publish the time frame for addressing grievances on their website or app.
  • Data Retention: Data Fiduciaries must retain logs and personal data for at least one year to detect unauthorised access, investigate incidents, and prevent recurrence, unless other legal obligations require otherwise.

2. Security Safeguards:

  • Technical and Organisational Measures: Implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act and prevent personal data breaches. These measures should include encryption, obfuscation, masking, or using virtual tokens linked to the data.
  • Access Controls: Enforce appropriate access controls to computer resources. Visibility of data access must be ensured through logs, monitoring, and reviews to detect unauthorised access.
  • Data Backups: Implement measures to ensure continued processing of data in case of a breach. This can include data backups.
  • Data Processor Contracts: Contracts with data processors must mandate the implementation of reasonable security measures.
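As an added illustration of the technical measures named above (example code written for this page, not taken from the Act, the draft Rules, or the article's author), the Python below replaces a personal-data field with a vault-backed virtual token, masks it for display, and reviews a constructed access log for detokenisation by roles outside an allow-list and for whether the retained log reaches back the one year the retention obligation requires. The vault design, role names, log format and sample log lines are all assumptions made for the example.

```python
"""Added example: field-level tokenisation, masking and access-log review.

The token vault, role allow-list, log format and sample lines are constructed
for this illustration; they are not prescribed by the DPDP Act or draft Rules.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_PREFIX = "tok_"


class TokenVault:
    """Maps random tokens to the personal data they stand in for.

    The token itself carries no information about the value; the link lives
    only in the vault, which is the component that access controls protect.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # Reuse the token for a repeated value so records can still be joined.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = TOKEN_PREFIX + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token: str) -> str:
        # Raises KeyError for an unknown token rather than guessing.
        return self._token_to_value[token]


def mask_phone(phone: str, keep: int = 4) -> str:
    """Masking for display: keep only the last `keep` digits."""
    digits = [c for c in phone if c.isdigit()]
    return "*" * (len(digits) - keep) + "".join(digits[-keep:])


def mask_email(email: str) -> str:
    """Masking for display: keep the first character of the local part."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


# Roles allowed to see the real value (assumed allow-list for the example).
AUTHORISED_DETOKENISE_ROLES = {"support_lead", "dpo"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str  # "detokenise" or "view_masked"
    token: str


def parse_log_line(line: str) -> AccessEvent:
    # Constructed log format: <ISO timestamp> <user> <role> <action> <token>
    ts, user, role, action, token = line.split()
    return AccessEvent(datetime.fromisoformat(ts), user, role, action, token)


def review_access_log(lines: list[str],
                      authorised: set[str] = AUTHORISED_DETOKENISE_ROLES) -> list[AccessEvent]:
    """Return every detokenisation performed by a role outside the allow-list."""
    events = (parse_log_line(line) for line in lines)
    return [ev for ev in events
            if ev.action == "detokenise" and ev.role not in authorised]


def log_covers_retention_period(lines: list[str], now_iso: str,
                                minimum: timedelta = timedelta(days=365)) -> bool:
    """True if the oldest retained entry is at least `minimum` old.

    A False result for a system older than `minimum` means the log is being
    purged before the one-year retention period the Act requires.
    """
    now = datetime.fromisoformat(now_iso)
    oldest = min(parse_log_line(line).ts for line in lines)
    return now - oldest >= minimum


# Constructed sample log; the second line is the unauthorised access.
SAMPLE_LOG = [
    "2024-03-01T09:12:00+00:00 asha support_lead detokenise tok_3f2a",
    "2024-03-01T09:15:00+00:00 ravi marketing_analyst detokenise tok_3f2a",
    "2024-03-01T09:20:00+00:00 ravi marketing_analyst view_masked tok_9c1d",
    "2025-02-10T14:02:00+00:00 meera dpo detokenise tok_9c1d",
]

if __name__ == "__main__":
    vault = TokenVault()
    phone = "+91 98765 43210"  # constructed sample value
    token = vault.tokenise(phone)
    print("stored:", token, "| displayed:", mask_phone(phone))
    for ev in review_access_log(SAMPLE_LOG):
        print(f"FINDING: {ev.user} ({ev.role}) detokenised {ev.token} at {ev.ts.isoformat()}")
    print("log covers one year:", log_covers_retention_period(SAMPLE_LOG, "2025-03-02T00:00:00+00:00"))
```

The review function is the piece an auditor would actually run: the masked views are harmless, so only detokenisation events are compared against the allow-list, and each finding carries the user, role, token and timestamp needed to follow up under the grievance and breach procedures.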

3. Data Breach Notification:

  • Reporting Breaches: In the event of a personal data breach, the Data Fiduciary must inform the Data Protection Board and each affected data principal without undue delay.
  • Timelines: Notify the Board with a description of the breach without delay, and within 72 hours provide further details: the nature, extent, timing and location of the breach and its likely impact.
  • Information for Data Principals: Inform affected individuals about the nature of the breach, measures taken to mitigate risks, safety measures they should take, and business contact information for queries.
  • 72-Hour Window: Companies must provide the Data Protection Board with the details of the breach within 72 hours, and must also inform the affected data principals within this window.

4. Significant Data Fiduciaries (SDFs):

  • Stricter Obligations: SDFs face stricter obligations under the DPDP Rules.
  • Data Localisation: SDFs must ensure that personal data, and the traffic data pertaining to its flow, are not transferred outside India.
  • Algorithmic Software: SDFs need to carefully verify that any algorithmic software used does not harm the rights of individuals.
  • Data Protection Impact Assessment (DPIA): Conduct a DPIA every twelve months from their designation or inclusion in the notified class of Data Fiduciaries.
  • Data Audit: Conduct an audit every twelve months to ensure compliance with the Act and its rules. Provide a report containing key findings to the Data Protection Board.
  • Data Protection Officer: Appoint a Data Protection Officer based in India, who acts as their representative under the Act and handles grievance redressal.
  • Independent Data Auditor: SDFs must hire an independent data auditor to review compliance.

5. Additional Considerations:

  • Consent Managers: Data fiduciaries may work with consent managers, although it is not mandatory. Consent managers must register with the Data Protection Board.
  • Data Transfers: Comply with requirements set by the Central Government regarding making personal data available to a foreign state or its entities.
  • Children’s Data: Obtain verifiable parental consent before processing personal data of children. Due diligence is needed to check that the individual identifying themselves as a parent is an adult.
  • Nomination: Data principals can nominate individuals to act on their behalf for data-related matters.

6. Data Protection Board:

  • Compliance Monitoring: The Data Protection Board (DPB) is the privacy enforcement authority responsible for ensuring proper implementation of the DPDP Act.
  • Powers: The DPB has powers to direct companies on how to clean up personal data breaches. The Board has the same powers as a civil court for matters related to summoning and enforcing the attendance of any person, receiving evidence on affidavit, and inspecting documents.
  • Digital Operations: The DPB is intended to operate as a digital-first entity, with complaints, hearings, and decisions handled digitally.
  • Penalties: The Board can impose fines for failing to report a data breach (up to Rs. 200 crore) or for not implementing reasonable security safeguards (up to Rs. 250 crore). SDFs can face penalties up to Rs. 150 crore for breaches of the Act or rules.

7. Audit Process:

  • Regular Audits: Conduct regular audits of privacy programs to ensure ongoing compliance.
  • Documentation: Maintain records of processing activities, including the purpose of processing, the categories of data subjects, the categories of personal data, and the technical and organisational security measures.
  • Independent Review: Consider having an independent data auditor to review compliance, especially for SDFs.
  • Audit Mechanisms: Consent Managers should have in place effective audit mechanisms.
  • Compliance Report: The individual conducting the assessment and audit should provide a report containing key findings to the Board.

By addressing these areas, an organisation can conduct a thorough privacy audit and ensure compliance with the DPDP Act, 2023 and its associated rules. The audit should include a review of policies, procedures, technical measures, and contractual arrangements to ensure the protection of personal data.
