India’s Data Protection Law: The Digital Personal Data Protection Act

In 2023, India’s Parliament approved and published the Digital Personal Data Protection Act (DPDPA). In many ways, the DPDPA resembles other regulations, like the General Data Protection Regulation (GDPR): it gives the data subject, called the Data Principal here, similar rights of notice, consent, access, correction, and erasure. In other ways, the DPDPA creates unique definitions of, and requirements for, organizations that collect, process, and share personal information.

In preparation for enforcing the DPDPA, the Ministry of Electronics and Information Technology published the Digital Personal Data Protection Rules (Rules). The Rules set out a series of requirements for organizations that need to comply with the DPDPA.

For organizations subject to India’s data protection law, understanding the unique nuances and overarching requirements is critical.

What is the Digital Personal Data Protection Act (DPDPA)?

The Digital Personal Data Protection Act (DPDPA) sets out individuals’ rights to protect their personal data, balanced against the need to process that data for lawful purposes and for purposes connected with or incidental to them.

The law defines the following parties:

  • Data Principal: The person sharing personal data, including parents or lawful guardians of a child and the lawful guardians of someone with a disability.
  • Data Fiduciary: Person who alone or with others determines how and why to process personal data.
  • Data Processor: Person processing data on a Data Fiduciary’s behalf.

Chapter II outlines the following obligations:

  • Ensuring that the Data Principal provides consent.
  • Limiting data processing to certain legitimate uses.
  • Providing Data Principals with the reason for collecting and processing personal data.
  • Providing Data Principals with information about how they can exercise their rights.

Who must comply with the DPDPA?

The DPDPA takes a broad approach to defining a Data Fiduciary as any organization that collects and processes personal data, meaning that any of the following must comply with the requirements:

  • Private companies (e.g., SaaS vendors, retailers, healthcare orgs)
  • Government bodies (when processing personal data)
  • Startups and small businesses
  • Non-profits / NGOs
  • Platforms and apps collecting user data
  • Employers handling employee data

Significant Data Fiduciary

Additionally, DPDPA’s Section 10 outlines stricter rules for any organization deemed a “Significant Data Fiduciary.” According to Section 10, the Central Government may use the following factors to designate a Data Fiduciary as a Significant Data Fiduciary:

  • The volume and sensitivity of the personal data processed.
  • Risks posed to Data Principal rights.
  • Potential impact on India’s sovereignty and integrity.
  • Electoral democracy risk.
  • State security.
  • Public order.

Significant Data Fiduciaries must incorporate the following additional controls:

  • Ensure a Board of Directors or similar governing body appoints an India-based Data Protection Officer as a point of contact for redressing grievances.
  • Appoint an independent auditor to carry out a data audit.
  • Periodically complete a Data Protection Impact Assessment.

How Does the DPDPA Define Personal Data?

The DPDPA takes a broad approach by defining personal data as “any data about an individual who is identifiable by or in relation to such data.” Unlike other data protection laws that define specific data types, the DPDPA focuses on how someone could use the data, expanding the protection requirements to:

  • Any information linked to a person.
  • Any data that someone could directly or indirectly use to identify a person.
  • Any data that can identify a person when combined with other data points.

By expanding this definition, the DPDPA goes beyond the traditional sensitive data types, like name, birthdate, ID number, device identifier, online identifier, or email. It can include information in any dataset that someone could tie back to an individual.

What Rights Do Data Principals Have under the DPDPA?

At a high level, the right to provide consent is embedded throughout the DPDPA. When aggregating the various sections, this right to consent comes from the following:

  • Section 4: Data Fiduciaries can only process personal data with the Data Principal’s consent or for legitimate uses.
  • Section 5: Data Fiduciaries must have obtained consent from, or given notice to, Data Principals.
  • Section 6: Data Principals must give free, specific, informed, unconditional, and unambiguous consent.
  • Section 9: Data Fiduciaries must obtain verifiable consent from a child’s or disabled person’s parent or legal guardian prior to processing personal data.

The DPDPA’s Chapter III outlines the enforceable rights that Data Principals have and defines them as follows:

  • Right to access information (Section 11): The right to know what information the Data Fiduciary processes, know who the Data Fiduciary shares information with, and receive a summary outlining processing activities.
  • Right to correction, completion, updating, and erasure (Section 12): The right to fix inaccurate data, complete missing data, update outdated data, and delete data.
  • Right to grievance redressal (Section 13): The right to send a formal complaint about violations and receive a resolution from the Data Fiduciary.
  • Right to nominate: The right to appoint someone to act on the Data Principal’s behalf in the event that the individual dies or becomes incapacitated to ensure ongoing privacy protections.

What security requirements does the DPDPA contain?

The DPDPA sets out requirements for security outcomes, including:

  • Section 8(5): Data Fiduciaries must protect personal data by implementing reasonable security safeguards to prevent a personal data breach.
  • Section 8(6): Data Fiduciaries must notify the Board and each affected Data Principal if a personal data breach occurs.
  • Section 8(7): Data Fiduciaries must erase data they no longer need unless a law requires that they retain it.

What fines and penalties does the DPDPA list?

Under the DPDPA, the Data Protection Board of India (the Board) has the authority to determine the monetary penalties that apply to a data breach based on its review of the following:

  • Nature, gravity and duration of the breach.
  • Type and nature of the personal data affected.
  • Repetitive nature of the breach.
  • Realized gains or losses to a person as a result of the breach.
  • Any mitigating actions or consequences that the person took, including action timeliness and effectiveness.
  • Proportionality and effectiveness of the monetary penalty in securing observance of, and deterring breaches of, the DPDPA’s provisions.
  • Likely impact that the monetary penalty has on a person.

Where do the Digital Personal Data Protection Rules fit into the DPDPA?

The DPDPA defines the outcomes that a Data Fiduciary’s data protection program should achieve. The Rules define the activities Data Fiduciaries must take when implementing “reasonable security safeguards.”

What are the “reasonable security safeguards” in the Rules?

Section 6 of the Rules outlines the following reasonable security safeguards that a Data Fiduciary must implement to prevent a personal data breach. At a minimum, a Data Fiduciary must implement:

  • Data encryption, obfuscation, or masking, or mapping virtual tokens to personal data.
  • Access controls that apply to Data Fiduciary or Data Processor computer resources.
  • Visibility into unauthorized access through collecting, monitoring, and reviewing the appropriate logs, and ensuring investigation and remediation.
  • Processes and tools to ensure continued processing when personal data’s confidentiality, integrity, or availability is compromised, like data backups.
  • Capabilities to detect, investigate, and remediate any unauthorized access, and retention of the logs that demonstrate compliance, and of the personal data, for one year.
  • Contracts with Data Processors to ensure they implement reasonable safeguards.
  • Technical and organizational measures to ensure security safeguards remain effective.

Significant Data Fiduciaries must implement the minimum security safeguards and meet the following additional obligations:

  • Engage in a Data Protection Impact Assessment every twelve months and an audit to ensure compliance.
  • Provide the Board with a report containing significant observations from the Data Impact Assessment and audit.
  • Verify that the technical measures, including algorithmic software, it adopts for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data are not likely to pose a risk to Data Principals’ rights.
  • Ensure that personal data and traffic data pertaining to its flow remain inside the territory of India.

What are the data breach notice provisions in the DPDP Rules?

Section 7 of the Rules outlines the following data breach notification timing requirements.

Without delay, Data Fiduciaries must provide notice to the affected Data Principals of a breach and include the following information in the notification:

  • Breach description outlining nature, extent, and timing.
  • Likely relevant impact to the Data Principal.
  • Measures implemented and being implemented to mitigate risk.
  • Safety measures the Data Principal can take to protect interests.
  • Data Fiduciary contact information so the Data Principal can ask questions.

Without delay, Data Fiduciaries must provide the Board with a description of the breach, including its nature, extent, timing, location, and likely impact.

Within 72 hours of identifying a data breach, a Data Fiduciary must provide the Board with:

  • Updated and detailed information that includes broad facts related to the breach.
  • Implemented or proposed risk mitigation measures.
  • Findings regarding the person who caused the breach.
  • Remedial measures to prevent a recurrence of the breach.
  • Report regarding notification to affected Data Principals.

Best Practices for DPDPA Monitoring, Logging, and Control Assurance

As organizations work to implement DPDPA compliance, following these best practices can reduce time to audit readiness.

Visibility Through Centralization

Using a security information and event management (SIEM) solution to centralize, normalize, and correlate logs enables security teams to achieve the visibility that the DPDP Rules require. A SIEM enables organizations to correlate data from:

  • Operating systems.
  • Authentication systems.
  • Endpoints.
  • Network devices.
  • Cloud services.
  • Security tools.

By correlating this data, organizations can monitor the effectiveness of their security safeguards and create alerts to detect potential unauthorized access.

Implement Audit Trails

Audit logs provide the verifiable security activity record that security operations and compliance require. Effective audit logging can help answer many of the questions that the DPDPA requires in a breach notification:

  • What action occurred?
  • Who performed the action?
  • When did the action take place?
  • Where did the activity originate?
  • What system or resource did the activity impact?

Additionally, if a SIEM incorporates generative artificial intelligence (AI) capabilities that can generate an event’s timeline, then the organization can rapidly provide the data and meet the 72-hour notification requirement.
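As an added illustration (not code from the original post or from Graylog), the following Python shows how audit records that answer the five questions above feed a breach timeline and the 72-hour Board deadline. The log lines, their key=value format, the trusted network range, and the name of the personal-data store are all constructed assumptions for the demo.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample audit lines (not from any real system); key=value format is an assumption.
SAMPLE_LOGS = """\
2025-03-01T09:14:02Z user=asha src=10.0.5.21 action=LOGIN target=auth-portal result=success
2025-03-01T09:20:45Z user=asha src=10.0.5.21 action=READ target=customer-db result=success
2025-03-01T22:03:10Z user=svc-backup src=203.0.113.7 action=LOGIN target=auth-portal result=failure
2025-03-01T22:03:40Z user=svc-backup src=203.0.113.7 action=LOGIN target=auth-portal result=success
2025-03-01T22:05:12Z user=svc-backup src=203.0.113.7 action=EXPORT target=customer-db result=success
"""
LINE_RE = re.compile(r"^(?P<when>\S+) user=(?P<who>\S+) src=(?P<where>\S+) "
                     r"action=(?P<what>\S+) target=(?P<system>\S+) result=(?P<result>\S+)$")
# Assumed policy for the demo: the personal-data store and the network range trusted to reach it.
PERSONAL_DATA_SYSTEMS = {"customer-db"}
TRUSTED_PREFIXES = ("10.",)

def parse_ts(value):
    """Parse the UTC timestamp used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_audit_log(text):
    """Turn each line into a record answering what / who / when / where / which system."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped here; production code should count them
            rec = m.groupdict()
            rec["when"] = parse_ts(rec["when"])
            records.append(rec)
    return records

def find_unauthorized_access(records):
    """Flag successful events on a personal-data system from outside the trusted range, or bulk EXPORTs."""
    return [r for r in records
            if r["system"] in PERSONAL_DATA_SYSTEMS and r["result"] == "success"
            and (not r["where"].startswith(TRUSTED_PREFIXES) or r["what"] == "EXPORT")]

def breach_timeline(records, flagged, detected_at):
    """Actor's activity up to the flagged events plus the 72-hour Board deadline (Rules, Section 7)."""
    actor = flagged[0]["who"]
    events = [r for r in records if r["who"] == actor and r["when"] <= flagged[-1]["when"]]
    return {
        "actor": actor,
        "origin": sorted({r["where"] for r in events}),
        "first_activity": events[0]["when"],
        "systems_affected": sorted({r["system"] for r in flagged}),
        "actions": [(r["when"].isoformat(), r["what"], r["system"]) for r in events],
        "board_deadline": detected_at + timedelta(hours=72),
    }
```

The resulting dictionary maps directly onto the notification contents listed later on this page (nature, extent, timing, and the person who caused the breach), and the deadline is computed from the moment of detection rather than from the first malicious event.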

Monitor User Behavior and Privileged Activity

Data breaches can be caused by external or internal threat actors. User behavior and activity monitoring enables organisations to detect policy violations or compromised accounts faster. By establishing baseline behavior and monitoring for deviations, organisations can detect security incidents with insight into:

  • Credential misuse.
  • Insider threats.
  • Abnormal access patterns.
  • Unauthorised configuration changes.

These capabilities ensure faster incident detection, investigation, and response, enabling organizations to reduce a data breach’s impact and improve operational resilience.

Enrich and Correlate Data to Prioritise Risk

By centralizing log data in a single solution, organisations can augment the raw logs with context. Correlating enriched log events allows teams to prioritise high-risk security alerts and reduce false positives, improving investigation speed and accuracy. Some examples of context that organisations should apply to their data include:

  • User identity.
  • Geolocation.
  • Asset classification.
  • Threat intelligence.
  • User and asset risk scores.

Adding context to log data helps organisations align with ACSC mitigation strategies like identifying:

  • Suspicious login behavior.
  • Lateral movement.
  • Malware execution.
  • Exploit attempts.

Build Relevant Dashboards to Automate Compliance Reporting

Security and compliance teams often struggle to prove that controls function as intended. A SIEM enables these teams to:

  • Generate compliance dashboards.
  • Create scheduled reports.
  • Visualise security trends.
  • Provide documentation to auditors.

Teams can use these dashboards to build reports around ACSC mitigations like:

  • Privileged account activity.
  • Patch status.
  • Authentication failures.
  • Endpoint protection alerts.

Graylog: Improved Compliance and Audit-Readiness for Digital Personal Data Protection Act

Using Graylog, organisations can accelerate compliance readiness by using our cloud-native capabilities and out-of-the-box content to gain immediate value from their logs. Our anomaly detection ML improves over time without manual tuning, adapting rapidly to new data sets, organisational priorities, and custom use cases so that you can automate key user and entity access monitoring.

Our purposeful approach to AI-powered security operations speeds up investigations, reduces errors, and gives teams confidence in their decision-making capabilities. With Graylog context-rich investigations, threat-smart prioritization, and frictionless workflows, security teams cut through noise and reduce alert fatigue, all while documenting their security controls’ effectiveness and response activities to achieve compliance outcomes.
