Data Protection in Startup Ecosystem

INTRODUCTION

The Digital Personal Data Protection (DPDP) Act, 2023, which came into effect on September 01, 2023, is a significant law in India whose objective is to protect the digital privacy of individuals in the digital era. The Act applies to all organisations that collect, store and process the personal data of individuals. It strikes a balance between the importance of protecting a person’s personal data and the need to process that data for lawful purposes. The law includes provisions on data management, consent, individual rights, the responsibilities of those who manage data, exemptions, and a Data Protection Board. While the Act applies broadly to all entities handling personal data, startups are among the key organisations covered by it, and the Act lays down specific provisions and rules that startups must abide by. The Act treats a startup as a Data Fiduciary: startups are entrusted with the responsibility of collecting, storing, processing, and protecting the personal data of their users, and the Act mandates that they adopt robust data protection measures to ensure the privacy, security, and integrity of this data.

STARTUP AS DATA FIDUCIARY

Under the Act, a “startup” is defined in Section 17(3)[1] as a private limited company, a partnership firm, or a limited liability partnership (LLP) established in India. To qualify as a startup, the entity must meet the criteria and follow the process laid down by the department of the Central Government that oversees startup-related matters, and it must be officially recognised as a startup under those criteria. According to the Digital Personal Data Protection Act, 2023, a Data Fiduciary is any person, company or organisation that determines the purpose and means of processing personal data. This includes entities that collect, store, handle and process personal data and that take responsibility for managing it, without damaging it, in accordance with the law[2].

As per the DPDP Act 2023, startups are designated as Data Fiduciaries, making them responsible for collecting and storing personal data carefully and for processing it transparently. The DPDP Act, 2023 places a number of obligations on a Data Fiduciary. According to Section 7[3], startups must obtain explicit consent from Data Principals before processing their data. Under Section 9[4] they must adhere to purpose limitation, ensuring that data is used solely for the specific purpose for which it was collected. Section 10[5] emphasises data minimisation, requiring startups to collect only the data necessary for the intended purpose. Startups must also ensure transparency by providing clear notices, as outlined in Section 8[6], informing individuals that their data is being collected and for what purpose. Moreover, as per Section 11[7], they must ensure data accuracy and allow Data Principals to access, correct, or delete their data. Together these provisions highlight the critical responsibilities that startups bear under the DPDP Act.

STARTUP AND DATA PRINCIPAL

The relationship between startups and Data Principals is crucial. Under the Digital Personal Data Protection Act 2023, a Data Principal is the individual whose personal data is being processed by the Data Fiduciary, and the Act grants Data Principals a set of rights. These include the right to be informed about the collection and use of their data, as outlined in Section 8[8], which mandates that startups provide clear and comprehensive notices. Data Principals must also give explicit consent for data processing, as required by Section 7[9], and may withdraw this consent at any time. They have the right to access their data, request corrections, or seek deletion under Section 11[10]. Additionally, Data Principals are protected by the principles of purpose limitation and data minimisation, which ensure that their data is used only for the purposes for which it was collected and that only necessary data is processed. Startups must adhere to these principles, ensuring transparency and respecting the rights of Data Principals, in order to maintain trust and remain compliant with the DPDP Act.

DATA PROTECTION OFFICERS

Under the DPDP (Digital Personal Data Protection) Act 2023, the role of a Data Protection Officer (DPO) is essential for ensuring compliance with its data protection provisions. According to Section 10(2)[11] of the Act, a DPO is responsible for overseeing the implementation of data protection policies and practices within an organisation such as a startup. This includes monitoring data processing activities, ensuring that personal data is handled in accordance with legal requirements, and serving as the point of contact for Data Principals and regulatory authorities. The DPO must also conduct regular audits to assess data protection measures and address any issues relating to data security or privacy breaches. By maintaining rigorous oversight and promoting best practices in data handling, the DPO helps the organisation mitigate risk and uphold data protection standards. For startups, appointing a DPO can be particularly beneficial in navigating complex data protection requirements, fostering trust with customers, and avoiding potential penalties for non-compliance.

IMPACT ON STARTUP

Data Fiduciaries, which include startups, now face greater responsibilities. In addition to following fundamental privacy principles, such as informing Data Principals about the processing of their personal data and its purpose, obtaining their consent, and ensuring a robust grievance redressal system in case of a breach[12], these entities must now meet even more stringent obligations.

To comply with the DPDP Act, corporate giants must now implement a combination of technical and organisational measures. Technical measures include safeguards such as firewalls, VPNs, access control systems with timestamps, two-factor authentication, encryption, pseudonymisation, physical security measures, and password protections that secure an entity’s systems and networks. Organisational measures encompass the internal policies and practices designed to protect data, such as data retention policies, access control protocols, vendor management, business continuity and disaster recovery plans, backup strategies, quality control, knowledge management, and policies ensuring the confidentiality of information assets. Alongside these, entities must conduct regular Data Protection Impact Assessments (DPIAs), which play a key role in enforcing Data Principals’ rights and improving risk management. These combined efforts are essential for maintaining robust data protection standards.

The level of responsibility significantly increases for entities classified as ‘Significant Data Fiduciaries’ according to the criteria outlined in the Act. Storage limitation will now become a standard practice, as personal data must be erased once it is no longer necessary. The right to erasure is closely tied to the rights to correct, complete, and update personal data, as specified under Section 12(1)[13] of the Act. Additionally, failing to implement adequate measures to prevent security breaches could lead to penalties of up to ₹250 crores[14].

To remain competitive on a global scale, Data Fiduciaries must adhere not only to national regulations but also to international standards. By complying with international ISO standards, organisations can demonstrate their commitment to privacy and their ability to operate effectively across different markets. Additionally, the Privacy Information Management System (PIMS) provides specific guidelines for managing PII[15], outlining key principles for both data controllers and processors. Adhering to these global standards helps organisations establish credibility and ensures they are equipped to handle privacy requirements worldwide.

EXEMPTIONS FOR STARTUPS UNDER SECTION 17(3) OF THE ACT

Under Section 17(3)[16] of the Act, startups are subject to criteria set by the Department of Industrial Policy and Promotion (DPIT), which oversees startup matters. As per DPIT guidelines, an organisation can be recognised as a startup for up to 10 years from its inception, provided its annual turnover does not exceed Rs. 100 crores in any financial year. The DPDP Act, 2023 grants the Central Government the authority to exempt certain Data Fiduciaries, or categories of Data Fiduciaries, including startups, from specific provisions of the Act based on the volume and nature of the personal data they process. Although the exact implementation date is yet to be determined, these exemptions could include relief from providing detailed notices to Data Principals about the data being processed and its purpose, from ensuring data completeness, accuracy, and consistency, from erasing data when it is no longer necessary, and from disclosing the identities of other Data Fiduciaries and Processors with whom the data has been shared. These provisions aim to ease compliance for startups by addressing their unique operational challenges.

PENALTIES AND LIABILITIES FOR NON-COMPLIANCE

Under the DPDP (Digital Personal Data Protection) Act 2023, the penalties and liabilities for non-compliance are substantial and detailed. Organisations that fail to meet the Act’s requirements may face fines of up to ₹250 crores, as stipulated in Section 14[17], which addresses financial penalties. Non-compliance can involve various violations, including failing to obtain valid consent from Data Principals, neglecting to provide adequate notice about data processing practices as required by Section 8[18], and not ensuring data accuracy and security as outlined in Section 11[19]. Additionally, Section 13[20] mandates that organisations act swiftly to notify affected individuals and the authorities in the event of a data breach, and they may be required to implement corrective measures and compensate those harmed. Failure to conduct mandatory Data Protection Impact Assessments (DPIAs), as per Section 12[21], can also result in significant penalties. Regulatory authorities are empowered to investigate non-compliance, impose fines, and require corrective action, with persistent breaches potentially leading to operational restrictions or suspensions. This framework is designed to enforce strict adherence to data protection standards and to safeguard personal data effectively.

FUTURE TRENDS

The DPDP (Digital Personal Data Protection) Act 2023 will significantly impact startups in several ways. Initially, startups will face increased compliance costs due to the need to implement comprehensive data protection measures, such as advanced technologies for secure data management and regular Data Protection Impact Assessments (DPIAs). While these costs may be substantial, they are crucial for avoiding penalties and meeting regulatory standards. In the long term, adherence to the Act will enhance startups’ trust and credibility with customers, as demonstrating a strong commitment to data protection can differentiate them in the market. Startups will also need to adjust their operations to comply with the Act’s requirements, including developing data protection policies and implementing technical measures like encryption. These operational changes may cause initial disruptions but will lead to stronger data handling practices. Moreover, by aligning with international data protection standards, such as those set by GDPR, startups will improve their global market competitiveness, facilitating cross-border data transfers and fostering partnerships with international clients. Overall, while compliance will require investment and adaptation, it will ultimately support robust risk management and enhance market positioning.

CONCLUSION

The Digital Personal Data Protection Act 2023 marks a pivotal shift in personal data protection in India, presenting both challenges and opportunities for startups. Compliance will necessitate substantial investments in data protection technologies and processes, potentially straining resources in the short term. However, these efforts will enhance data security, build customer trust, and mitigate the risk of hefty penalties. The Act will require startups to adapt their operations and policies, fostering a culture of robust data management and accountability. By meeting these requirements, startups will not only ensure legal compliance but also gain a competitive edge in the global market by aligning with international data protection standards. Ultimately, while navigating the complexities of the DPDP Act may be demanding, it will provide startups with the tools to safeguard personal data effectively, strengthen their market position, and support sustainable growth in an increasingly data-centric world.


Authors:

Mohit Porwal (VP – Finance & Legal) and

Vidhi Agrawal (Associate)


References:

[1] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[2] Definition of Data Fiduciary under the DPDP Act 2023.

[3] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[4] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[5] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[6] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[7] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[8] ibid

[9] ibid

[10] ibid

[11] ibid

[12] Fundamental privacy principles under the DPDP Act 2023

[13] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[14] Penalties for non-compliance under the DPDP Act.

[15] International ISO standards and Privacy Information Management System (PIMS)

[16] ibid

[17] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[18] ibid

[19] ibid

[20] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[21] ibid
