Digital Personal Data Protection Act has picked up steam, expect full compliance by next year: Rajiv Khaitan

India's recently enacted Digital Personal Data Protection (DPDP) Bill 2023, brought into legislation in August, ensures the safeguarding of individuals’ personal data and aims to prevent its misuse.

Delivering a keynote address at TechSparks 2023, Rajiv Khaitan, Senior Partner at Khaitan & Co., shared that draft rules aligned with the DPDPA are anticipated to be released within the next 4-6 weeks. “Data is the new oil, they say. And this is one step forward towards protecting the rights of our citizens," he said.

"This law protects all personal data that is digitised. Its aim is to allow sharing of data only for a particular purpose and time and not beyond that," he explained.

On the sidelines of his keynote, Khaitan also told YourStory that the draft rules are likely to be rolled out in November, and by this time in 2024, we should be living in a fully DPDP-compliant environment.

The Data Protection Board of India, the adjudicatory body proposed to be set up under the DPDPA, would be constituted within the next 30 days, he said. "This Act will not cover anonymised data, personal data processed by individual for personal or domestic purpose, and personal data made public by data principal (to whom the data relates) or any person under legal obligation to make it publicly available," he explained.

He added, "Data processed outside India but in collection with offering of goods and services to Data Principals in India will be covered. This also includes data collected non-digitally, but digitised subsequently."

The DPDPA is a major legislative reform, one that seeks a complete overhaul of India's two-decade-old Information Technology Act. Hence, a graded approach for compliance will be taken, with the DPDPA depending on the type of organisation, according to Khaitan.

What it means for startups

The DPDP Act is a critical piece of legislation for startups operating in India because it governs data usage and user consent for the sharing of data. Moreover, under Section 35 of the Act, there is a provision that can get certain startups a few exemptions for periods of time, Khaitan revealed.

"Early-stage startups will be given certain exemptions so that they can conduct their daily operations without glitches. These exemptions will hold for a period until the startups become bootstrapped to a certain scale," he shared.

Government entities with lower levels of digitisation will receive extended transition periods for DPDPA compliance, while early-stage startups and MSMEs, along with specific categories of organisations, will be granted additional time to align with the DPDP Act, Khaitan added.

The DPDP Act, essentially, has three core objectives: a) protecting citizens' rights, b) ensuring growth with minimal compliance for startups and innovation-led companies, and c) offering data access to the government during emergencies.

Data protection covers data in the digital form or any data that is converted into digital form, said Khaitan, adding that the Data Fiduciary holds responsibility for this data.

The DPDP Act 2023 also entails penalties of up to Rs 250 crore for entities found guilty of misusing or inadequately protecting individuals' digital data. The law intends to create a protection framework for not just today's internet users, but also those of the future.