DPDP Series 1.5: Data Breaches

What is a Data Breach?

A personal data breach under the DPDP Act, 2023 is any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.

In plain terms: if personal data ends up where it shouldn’t, gets changed without authorisation, or becomes inaccessible when it should be available — it is a breach.


How Does a Breach Happen?

Breaches can occur in many ways — through external attacks, internal negligence, or simple system failures.

Example 1 — Cyberattack

A hospital’s patient database is hacked. Names, phone numbers, diagnoses, and medical histories of thousands of patients are stolen and published online. This is a breach of confidentiality.

Example 2 — Accidental Disclosure

An HR executive accidentally emails salary slips of 500 employees to the wrong mailing list. The data was not stolen — but it was disclosed without authorisation. Still a breach.

Example 3 — Insider Threat

A bank employee downloads and sells customer account details to a third party for personal gain. This is unauthorised processing — a serious breach.

Example 4 — Ransomware Attack

A company’s servers are encrypted by ransomware. All customer data becomes inaccessible. Even though data was not stolen, loss of availability is a breach under the Act.

Example 5 — Third-Party Vendor Failure

A Data Fiduciary shares customer data with a cloud service provider (Data Processor). The vendor suffers a security failure and the data is exposed. The Data Fiduciary remains accountable.


What Must a Data Fiduciary Do After a Breach?

The Act imposes a strict response obligation:

Notify immediately — Inform every affected Data Principal about the nature of the breach, its likely consequences, and the steps being taken to contain it.

Report to the Board — Intimate the Data Protection Board of India with full details: the root cause, timeline of events, persons responsible, mitigation measures taken, and steps to prevent recurrence.


What Are the Consequences?

Failure to implement safeguards that could have prevented the breach attracts a penalty of up to ₹250 crore. Failure to notify the Board or affected individuals attracts up to ₹200 crore — both imposed by the Data Protection Board.


The Key Takeaway

A breach is not just a hacking incident. Sending data to the wrong person, losing a device with unencrypted data, or a vendor’s server going down — all can qualify. The obligation to protect data, and to respond swiftly when things go wrong, rests squarely on the Data Fiduciary.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.


DPDP Series 1.4: Data Fiduciary – Obligations

Am I a Data Fiduciary? What Are My Obligations?


Q: How do I know if I am a Data Fiduciary?

If your organisation decides why and how personal data is collected and processed — you are a Data Fiduciary. This includes businesses, hospitals, schools, employers, apps, government bodies, and NGOs. Size does not matter; if you collect personal data of individuals in India, you qualify.


Q: Do I need consent before collecting data?

Yes. Before collecting any personal data, you must give the individual a clear notice describing what data is being collected and why. Consent must be free, specific, informed, and unambiguous.


Q: Can I collect more data than I need?

No. You may only collect data that is necessary for the stated purpose. Collecting excess data is a violation of the Act.


Q: How long can I keep the data?

Only as long as the purpose requires. Once the purpose is served or the individual withdraws consent, you must delete the data — unless a law requires you to retain it for a specific period.


Q: What security measures must I put in place?

You must implement reasonable technical and organisational safeguards — including encryption, access controls, monitoring logs, and data backups — to prevent unauthorised access or breaches.


Q: What must I do if there is a data breach?

You must immediately notify the Data Protection Board and every affected individual, describing the nature of the breach, its likely impact, and the steps being taken to contain it.


Q: Must I have a grievance mechanism?

Yes. Every Data Fiduciary must establish an effective grievance redressal system and publish contact details of a person who can respond to Data Principal queries.


Q: What are the penalties for non-compliance?

Penalties can reach up to ₹250 crore for failure to implement security safeguards, and up to ₹200 crore for failure to report a breach — imposed by the Data Protection Board.



DPDP Series 1.2: Roles under DPDP Act

Who Am I? Know Your Role Under the DPDP Act


Q: What is a Data Principal?

You are a Data Principal if you are the individual whose personal data is being collected. Every time you fill a form, sign up for an app, or share your details with a business or government portal — you are the Data Principal. You have the right to access, correct, erase your data, and withdraw consent at any time.


Q: What is a Data Fiduciary?

You are a Data Fiduciary if your organisation decides why and how personal data is collected and used. Banks, hospitals, e-commerce platforms, employers, and government bodies are all Data Fiduciaries. You must obtain consent, give prior notice, secure the data, report breaches, and delete data once the purpose is served.


Q: What is a Data Processor?

You are a Data Processor if you handle personal data on behalf of a Data Fiduciary — under a contract, not on your own initiative. Cloud providers, payroll vendors, and IT service companies typically fall here. You follow instructions; the Fiduciary remains legally accountable.


Q: What is a Significant Data Fiduciary?

You are a Significant Data Fiduciary (SDF) if the Central Government notifies you as one — based on the volume or sensitivity of data you process, risk to individuals’ rights, or implications for national security. As an SDF, you must additionally appoint a Data Protection Officer (based in India), conduct annual Data Protection Impact Assessments, and undergo independent data audits.


Q: Can I be more than one?

Yes. A company can be both a Data Fiduciary (for its customers’ data) and a Data Processor (for data it handles on behalf of another business). Roles depend on context, not just who you are.


Q: What if I’m just an individual using data for personal purposes?

The Act does not apply to data processed purely for personal or domestic use. If you’re not collecting data as part of a business or service, you fall outside the Act’s scope.



DPDP Series 1.3: Rights & Duties of the Data Principal

I’m Sharing My Data — What Are My Rights & Duties?


Q: Do I have the right to know what data is collected about me?

Yes. You can request a summary of your personal data being processed, the purpose for which it is used, and the names of all organisations it has been shared with.


Q: Can I correct my data if it’s wrong?

Yes. You have the right to correct inaccurate or incomplete data and to erase data that is no longer needed for the purpose it was collected.


Q: Can I take back my consent?

Yes — at any time. Withdrawing consent must be as easy as giving it. Once withdrawn, the organisation must stop processing your data within a reasonable time.


Q: What if I have a complaint?

Every Data Fiduciary must provide a readily available grievance redressal mechanism. If unresolved, you can escalate your complaint to the Data Protection Board of India.


Q: What happens to my data if I die or become incapacitated?

You can nominate another individual in advance to exercise your data rights on your behalf in the event of your death or incapacity.


Q: Do I have any duties too?

Yes. Rights come with responsibilities. As a Data Principal you must not:

  • Provide false or impersonated information
  • Suppress material information when applying for government documents or benefits
  • File false or frivolous complaints with a Data Fiduciary or the Board
  • Submit unverifiable information when requesting correction or erasure

Breach of these duties can attract a penalty of up to ₹10,000.


Q: Can a child exercise these rights?

A minor’s rights are exercised by their parent or lawful guardian. Organisations must obtain verifiable parental consent before collecting a child’s data, and cannot track, monitor, or target advertising at children.

