DPDP Act - 2023

The Digital Personal Data Protection Act (DPDP Act) 2023 imposes strict obligations on Data Fiduciaries regarding the collection, storage, and processing of personal data, with significant penalties for non-compliance. It establishes a framework for accountability and requires companies to notify individuals in case of data breaches. The Act also highlights the importance of Cyber Insurance Policies to mitigate risks associated with data protection and compliance under the new regulations.

Uploaded by

khushitomar

Digital Personal Data Protection Act, 2023: (DPDP ACT)

Cyber risk, which until only a few years ago was thought to be just the problem of the IT department
of a company, has now assumed worrisome proportions for the entire organisation because of the
passage of the Digital Personal Data Protection (DPDP) Act 2023 and the exponential growth of a few
risk factors, such as:

• Blurred lines of distinction between personal & official computing equipment & the BYOD
(Bring Your Own Device) & Work-From-Home culture prevailing in most organisations,
especially after the recent pandemic
• The proliferation of social media
• An increased reliance on outsourced service providers, including Cloud Computing
• The dynamics of Big Data Marketing
• Introduction of a stringent fines & penalties framework in the newly passed DPDP Act, which
is still to become enforceable through the country

Today it is very important for a company to create an internal awareness about the risk & a culture
which actively encourages employee participation in mitigating internal risk factors, alerting the
management on finding suspicious network traffic & taking cognisance & corrective action promptly
to avert a major security breach.

Apart from risk management, it would be necessary for a company to be informed about the Cyber
Insurance Policy now available in the Indian market & how effective it is with respect to the latest
DPDP Act that was passed in August 2023. Before drawing parallels, let us briefly summarize
(this is by no means articulating all the judicial compliances outlined in the DPDP Act) some of the
relevant points for any company storing personal data of individuals, under the DPDP Act 2023:

• The Act imposes several obligations on Data Fiduciaries, a term which has been quite widely
defined, so as to include all those who determine the purpose & means of processing of
personal data. Given this definition, most companies that store any kind of personal data, such as
employee details (including but not limited to names, addresses, Aadhaar details, email
addresses, phone numbers, bank details, etc.) or personally identifiable information or data
of their clients/vendors, come under the definition of Data Fiduciaries.

• Now such Data Fiduciaries are responsible for the lawful collection, storage, use & erasure of
all personally identifiable data, making them actively responsible for any data leak
emanating from their systems or non-compliance with any DPDP Act rules.

• The Act also establishes a stringent Fines and Penalties regime by setting up a Data
Protection Board tasked with the responsibilities of an adjudicating body with the power to
determine non-compliance with the DPDP Act/rules & impose penalties. These fines &
penalties can range from INR 50 to 250 Crores.

• The Act demands the same level of compliance should the Data Fiduciary outsource the
handling of their personal data to any third-party data processors. This would include
cloud service providers, software providers, SAP system providers, Amazon Web Services
that a Data Fiduciary has a written contract with to handle, use, store, process, etc. personal
data. If, due to a Data Processor’s negligence, error or omission, there is a data leak from a
Data Fiduciary’s systems, the latter will still be held responsible under the DPDP Act.

• The DPDP Act also mandates that all individuals whose personal data has been compromised
must be notified.

Given the above regulatory exposures & the various Data Privacy & Information Security
exposures that an organization faces, you would want to know how a Cyber Insurance Policy
addresses the insurability of the risk from the point of view of an Insured. It is imperative to
understand that a Cyber policy is a hybrid of First-party & Third-party claims, which effectively
combines many modules providing indemnity for (among other coverages):

• Regulatory Investigations & Fines & Penalties (wherever insurable under law) – as there is a
provision for imposing fines and penalties in the DPDP Act.

• Disclosure Liability arising from outsourced data processors provided they have a written
contract, and this feature is likely to be appreciated in the backdrop of the DPDP Act
provisions as mentioned above.

• Notification Costs incurred by an Insured to inform personnel whose personal data has been
leaked from his systems as instructed in the DPDP Act.

• A host of Crisis Management Costs such as legal fees, forensic investigation expenses, public
relations consultants’ costs – although not specifically outlined in the DPDP Act, these are
essential costs that any Insured incurs the minute there is a Cyber incident.

• Business Interruption Costs & Extra Expenses

All of these are claimable under the Cyber Insurance Policy.

Cyber Protection, or Network Security Insurance as it is often called, aims to ring-fence all Data
Privacy & Information Security exposures & provides very wide coverage for most liabilities &/or
expenses that an organisation may suffer in the aftermath of an attack. But like all liability policies,
this policy is also highly customised to suit the Insured’s requirements as may be necessitated by his
unique exposures & often needs a specialised & expert broker to achieve comprehensive
coverage at competitive premiums.

DPDP Act, 2023 vs. IT Act, 2000:

• This Act has been introduced to protect the personal data of the citizens of India.
• There are many digital platforms available that misuse the personal data of individuals,
and this Act has been introduced to curb the misuse of individuals’ data by such online
platforms.

Despite having “The IT Act, 2000”, why do we need this Act?

• The DPDP Act is wider than the IT Act, as the IT Act is very much limited. For example:
• The IT Act will provide you a remedy only when you can prove in court that loss has been
caused to you because of the misuse of the data, but under the DPDP Act, a remedy can be provided
even if there is only misuse of data without any loss being caused.
• The Digital Personal Data Protection Act (DPDP) of 2023 has a wide territorial scope,
applying to the processing of personal data within and outside of India:

• Within India:
  o The DPDP Act applies to any personal data that is collected, stored, or processed
  within India, including by entities incorporated in India.

• Outside India:
  o The DPDP Act also applies to entities located outside of India if they process
  personal data in connection with any business carried out within India, or offer
  goods or services to individuals in India.
