
How to Transition from IT Act to DPDPA

Managing the regulatory change from existing data protection rules

Updated 30 December 2024

Executive Summary

Organisations that have complied with the IT Act 2000 and its rules face a transition to DPDPA's new framework. While some concepts carry over, significant differences require adjustment. This guide addresses practical transition planning from the old framework to the new.

Key Takeaways

1. Assess current IT Act compliance as the starting point for the DPDPA transition.
2. Identify where DPDPA requirements exceed IT Act obligations.
3. Update consent mechanisms to meet the new specificity requirements.
4. Revise privacy notices to include all mandated content.
5. Plan for enhanced rights enablement beyond IT Act requirements.

1. Understanding the Transition

DPDPA replaces the data protection provisions of the IT Act 2000: Section 44 of DPDPA omits Section 43A of the IT Act, the provision under which the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) were framed, so those Rules fall away with it. Organisations compliant with the SPDI Rules are not automatically compliant with DPDPA. The transition requires a gap assessment and remediation, and the remainder of the IT Act (including the CERT-In incident-reporting regime under Section 70B) continues to apply alongside DPDPA.

2. Mapping Existing Compliance

Start by documenting current compliance status under the existing rules.

1. IT Rules Compliance

Document how the organisation currently complies with the SPDI Rules, including privacy policy publication (Rule 4), consent practices (Rule 5), data collection and retention limitations, and the reasonable security practices adopted under Rule 8 (for example IS/ISO/IEC 27001 or an equivalent documented standard).

2. Contractual Arrangements

Review existing data processing agreements and assess their alignment with DPDPA requirements, in particular the Data Fiduciary's responsibility for processing carried out by Data Processors on its behalf.

3. Technical Controls

Inventory the security controls implemented for SPDI Rules compliance. Many will remain relevant under DPDPA, which requires reasonable security safeguards to prevent personal data breaches (Section 8(5)); the difference is in scope, since DPDPA covers all digital personal data rather than only sensitive personal data.

4. Sectoral Requirements

Note any sector-specific requirements (for example RBI, SEBI or IRDAI directions) that will continue alongside DPDPA.

3. Identifying Key Differences

DPDPA differs from the SPDI Rules in several significant ways.

1. Consent Specificity

DPDPA requires more specific consent than the SPDI Rules. Section 6(1) requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Generic consent for all processing is insufficient. Transition to purpose-specific, granular consent.

2. Data Principal Rights

DPDPA provides broader rights, including access to information about processing (Section 11), correction and erasure (Section 12), grievance redressal (Section 13) and nomination (Section 14). Update mechanisms to support these rights.

3. Breach Notification

DPDPA (Section 8(6)) mandates notification of a personal data breach to the Data Protection Board and to each affected Data Principal. The SPDI Rules had no equivalent requirement. Note, however, that the CERT-In incident-reporting obligations issued under Section 70B of the IT Act continue to apply, so breach procedures must satisfy both regimes in parallel.

4. Cross-Border Transfers

DPDPA's approach to cross-border transfers differs from the SPDI Rules. Rule 7 of the SPDI Rules permitted transfer where the recipient ensured the same level of protection and the transfer was necessary or consented to; Section 16 of DPDPA instead permits transfer to any country except those restricted by Central Government notification, subject to any stricter sectoral law. Reassess transfer compliance under the new framework.

5. Children's Data

DPDPA has specific requirements for children's data (Section 9) that go beyond the SPDI Rules: verifiable parental consent before processing the personal data of a person under 18, and a prohibition on tracking, behavioural monitoring and targeted advertising directed at children. Implement enhanced protections.

6. Penalties

DPDPA penalties are significantly higher than those under the IT Act. The Schedule to DPDPA provides for penalties of up to ₹250 crore per instance, with the highest tier attached to failure to take reasonable security safeguards. The risk calculus for non-compliance has changed.

4. Consent Mechanism Updates

Consent under DPDPA requires greater specificity than many consent mechanisms built for the SPDI Rules provided.

1. Review Current Consent

Assess existing consent mechanisms against DPDPA requirements. Are consents specific to purposes? Is each consent recorded against the notice the Data Principal actually saw? Can consents be withdrawn easily?

2. Redesign Collection

Where current consent is too broad, design new collection mechanisms that meet the specificity requirements: one consent per purpose, collected by an affirmative action, with no pre-ticked boxes and no bundling of unrelated purposes.

3. Fresh Consent

For processing that continues, determine whether fresh consent under DPDPA standards is needed or whether existing consent can be relied on. Section 5(2) allows processing under consent given before commencement to continue until the Data Principal withdraws it, but the Data Fiduciary must, as soon as reasonably practicable, give the Data Principal a notice covering the personal data and purposes, the manner of exercising rights, and how to complain to the Board. Existing consent that was never purpose-specific is the weakest candidate for reliance and should be refreshed.

4. Withdrawal Mechanisms

Implement withdrawal mechanisms meeting the Section 6(4) standard, under which the ease of withdrawal must be comparable to the ease with which consent was given, if not already in place. A withdrawal must stop processing for that purpose and propagate to Data Processors.

5. Privacy Notice Updates

DPDPA notices must include content that the SPDI Rules did not require.

1. Content Audit

Compare the current privacy policy against DPDPA notice requirements. Identify missing elements.

2. Restructure for Clarity

DPDPA emphasises comprehensibility. Consider restructuring notices that, while legally complete, are practically incomprehensible.

3. Add Required Elements

Incorporate all elements required by Section 5 and Rule 5, including grievance mechanism details, rights information, and retention periods.

4. Timing Adjustment

Ensure notices are provided at or before consent collection, not merely available somewhere on the website.

6. Rights Enablement

DPDPA rights are broader than those under the SPDI Rules. Update mechanisms accordingly.

1. Access Request Procedures

Enhance access request procedures to provide comprehensive information about processing activities (the purposes for which data is processed, the identities of Data Fiduciaries and Data Processors with whom it has been shared, and the current consent status for each purpose), not just copies of the data.

2. Erasure Capabilities

If erasure capabilities were limited under the SPDI Rules, expand them to meet DPDPA requirements, including erasure on withdrawal of consent and when the specified purpose is no longer being served, unless retention is required by law.

3. Grievance Mechanism

Formalise the grievance mechanism if the current process is informal. The SPDI Rules (Rule 5(9)) already required a Grievance Officer, so verify that one is actually appointed and that contact details are published, then align the process with Section 13 of DPDPA and publish the business contact information of the Data Protection Officer or other responsible person.

4. Response Timelines

Review response timelines against the Rule requirements and adjust procedures if necessary.
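The consent and rights-enablement changes above reduce to one record-keeping question: can the organisation show, per Data Principal and per purpose, that an active consent exists, when it was given against which notice, and when it was withdrawn? The following Python is an added example written for this guide, not code from the original page or from any vendor product. It is a minimal purpose-specific consent register that refuses blanket consent, makes withdrawal a single call, gates processing on an exact-purpose check, and produces the per-purpose summary an access request under Section 11 needs. The purpose names, the notice version labels and the principal "alice" are hypothetical and constructed for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes the organisation has declared in its privacy notice. Hypothetical
# names; a real register would load these from the published notice.
DECLARED_PURPOSES = {"order_fulfilment", "marketing_email", "usage_analytics"}


@dataclass
class ConsentRecord:
    purpose: str                      # exactly one declared purpose per record
    given_at: datetime
    notice_version: str               # the notice the principal saw when consenting
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegister:
    """Append-only log of purpose-specific consents, keyed by principal id."""

    def __init__(self) -> None:
        self._log: Dict[str, List[ConsentRecord]] = {}

    def grant(self, principal_id: str, purposes: List[str], notice_version: str,
              when: Optional[datetime] = None) -> None:
        """Record consent for each named purpose; blanket or undeclared purposes are refused."""
        if not purposes:
            raise ValueError("consent must name at least one purpose")
        undeclared = set(purposes) - DECLARED_PURPOSES
        if undeclared:
            # Rejects typos and any 'all'/'any' style blanket consent alike.
            raise ValueError(f"undeclared purpose(s): {sorted(undeclared)}")
        when = when or datetime.now(timezone.utc)
        for purpose in purposes:
            self._log.setdefault(principal_id, []).append(
                ConsentRecord(purpose, when, notice_version))

    def withdraw(self, principal_id: str, purpose: Optional[str] = None,
                 when: Optional[datetime] = None) -> int:
        """One call withdraws one purpose, or every purpose when purpose is None.
        Returns the number of active records closed."""
        when = when or datetime.now(timezone.utc)
        closed = 0
        for rec in self._log.get(principal_id, []):
            if rec.active and (purpose is None or rec.purpose == purpose):
                rec.withdrawn_at = when
                closed += 1
        return closed

    def permits(self, principal_id: str, purpose: str) -> bool:
        """Gate check before processing: is there an active consent for this exact purpose?"""
        return any(rec.active and rec.purpose == purpose
                   for rec in self._log.get(principal_id, []))

    def access_report(self, principal_id: str) -> Dict[str, dict]:
        """Per-purpose summary for an access request: status, timestamps, notice version.
        The log is chronological, so a later re-grant overrides an earlier withdrawal."""
        report: Dict[str, dict] = {}
        for rec in self._log.get(principal_id, []):
            report[rec.purpose] = {
                "status": "active" if rec.active else "withdrawn",
                "given_at": rec.given_at.isoformat(),
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
                "notice_version": rec.notice_version,
            }
        return report


def demo() -> ConsentRegister:
    """Constructed walkthrough: 'alice' consents to two purposes, then withdraws one."""
    reg = ConsentRegister()
    reg.grant("alice", ["order_fulfilment", "marketing_email"], "notice-v2",
              when=datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc))
    reg.withdraw("alice", "marketing_email",
                 when=datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc))
    return reg


if __name__ == "__main__":
    reg = demo()
    print("order_fulfilment permitted:", reg.permits("alice", "order_fulfilment"))
    print("marketing_email permitted:", reg.permits("alice", "marketing_email"))
    print("usage_analytics permitted:", reg.permits("alice", "usage_analytics"))
    print(reg.access_report("alice"))
```

The check worth noting is `permits`: consent for `order_fulfilment` does not permit `usage_analytics`, which is exactly the purpose-creep that a single blanket tick-box hid under the SPDI Rules. Withdrawal closes the record rather than deleting it, so the register still evidences that consent existed for processing done before the withdrawal date.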

7. Transition Planning

Manage the transition systematically.

1. Gap Analysis

Conduct a comprehensive gap analysis between the current state and DPDPA requirements. Prioritise gaps by risk and effort.

2. Remediation Roadmap

Develop a remediation roadmap with timelines aligned to enforcement dates. Account for dependencies and resource constraints.

3. Stakeholder Communication

Communicate transition requirements to relevant stakeholders, including IT, legal, HR, marketing, and business units.

4. Progress Tracking

Monitor progress against the roadmap. Escalate delays that threaten compliance by enforcement dates.

5. Testing

Test new mechanisms before relying on them for compliance. Verify that consent systems, rights processes, and breach procedures work as designed.
