DPDPA Implementation Challenges
Roadmap for Technical and Organizational Measures
Naavi@Bosch, 25th March 2025
Naavi/FDPPI
Background
• A combination of a manufacturing company with a large workforce and a Software solutions company
• Biometric attendance?
• Home Products?
• Healthcare solutions?
• Mobility solutions?
• Warranties? Services? Reviews?
• Two Indian Companies
• Sales offices across the globe
• Robert Bosch Gmbh, Bosch Facebook and Fan page
• Already ISO 27001/27701/42001 certified?
Background
• Bosch is a “Brand” used by the Indian Company
• More than one entity may collect personal data directly or indirectly under the Brand name
• Also deals with processing of Employees’ Personal Data, including processing of biometric attendance.
• Probably already ISO 27001/27701/42001 certified?
Background
• India passed DPDPA 2023 on August 11, 2023
• Rules are pending final clearance
• ITA 2000 already has provisions related to Personal Data Protection and obligations under Section 43A.
• Section 43A of ITA 2000 is now replaced with DPDPA 2023
• Considered as “Due Diligence” and “Reasonable Security” under ITA 2000
• Even after DPDPA 2023 is notified, several provisions of ITA 2000 will remain for compliance
• Compliance with DPDPA 2023 is not complete without compliance with ITA 2000
Understanding the Obligations… Under DPDPA 2023
Obligations (Section 8)
Legal View
• A Data Fiduciary shall be responsible for complying with the provisions of this Act and the rules made thereunder
• in respect of any processing undertaken by it or on its behalf by a Data Processor,
• irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act.
Implementational View
• A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.
Obligations (Section 8)
• Are we a Data Fiduciary?
• “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
• Personal data may be of employees or outsiders
• Data from which an individual is identifiable…Generated in India
• Are we a “Significant Data Fiduciary”?
• A Data Fiduciary has to assess for itself whether it is a “Significant Data Fiduciary” based on the volume and sensitivity of the data processed
• “Sensitivity” is dependent on the potential risk to the data principal or to the security, sovereignty and integrity of the state, public order or electoral democracy
• A Significant Data Fiduciary has additional obligations such as designation of a DPO, appointment of an independent Data Auditor and conduct of a DPIA
Hybrid Nature of our Role
• An entity may have some processes where it is a Data Fiduciary
• Some processes where it is a Significant Data Fiduciary
• Some processes where it is a Data Processor of another Data Fiduciary
• Some processes where it is a Data Controller, a Data Processor or a Joint Data Controller under GDPR
• Considering an organization as an aggregation of processes and building “Process based Compliance”, with a distinct purpose definition, data collection minimisation, data retention minimisation, data access optimisation etc. for each process, is the key to efficient compliance
Consequences of Non Compliance: Penalties applicable to Data Fiduciaries, to be imposed by the DPB
• Not meeting the obligations of securing personal information: up to Rs 250 crores
• Not meeting the data breach notification requirements: up to Rs 200 crores
• Not meeting obligations related to Children's data: up to Rs 200 crores
• Not appointing a DPO or conducting a Data Audit or DPIA: up to Rs 150 crores
• Any other non-compliance: up to Rs 50 crores
Consequences of Non Compliance: Penalties applicable to Data Processors
• Data Processors are bound by contractual terms which may include “Indemnities”
• Will be liable under Section 72A of ITA 2000
• Penalty of Rs 25 lakhs
• Payable to the Data Fiduciary as compensation or to the Government through adjudication under ITA 2000
• Where there is a data breach resulting in damage to a Data Principal, ITA 2000 may impose liabilities under Section 43 and also punishments under Section 66 for both the data fiduciary and the data processor.
Step 1: Initiation
• Understand DPDPA Act and Rules
• Understand the Consequences of Non Compliance
• Make a Business Impact Assessment
• Set up a Governance structure with the DPDPA Governance Committee
• Identify the right Consultant for conducting a gap assessment
• Conduct awareness sessions at the leadership levels
Governance Structure
• DPDPA Governance Committee with all stakeholders and chairmanship of an Independent Director
• Data Protection Officer located in India, with relevant credentials (eg: [Link]. of FDPPI); mandatory for Significant Data Fiduciary
• Supported by a Distributed Responsibility policy with every employee being accountable for data under his/her control
• Independent External Data Auditors for annual/periodical review; mandatory for Significant Data Fiduciary
Step 2: Gap Assessment
• Choose an appropriate framework for conducting a gap assessment
• Identify the role of the organization as Significant Data Fiduciary or otherwise
• Create an inventory of processes, processors and process leaders
• Create an inventory of DPD (DPDPA protected data)
Choosing an appropriate framework? ISO 27701 or DGPSI?
• Frameworks created for a different purpose and a different dimension cannot suffice.
• We need the right solution even if it is not the vintage celebrity
• We need DGPSI, and should not be satisfied with our current compliance frameworks which might have served us well in the past.
Step 3: Policy documentation
• Develop all policy documents for establishing the legal basis and meeting the obligations under the Act
• Discuss and adopt an acceptable policy framework along with a Risk management policy
• Cover with Cyber Insurance as may be required.
• Conduct awareness sessions
DPDPA Compliance is different…
Step 4: Technical solutions - Set 1
• The first set of technical solutions is required for establishing the legal basis for processing.
• Requires discovery of legacy DPD and obtaining consent
• Setting up a consent management system for prospective data collection
• Establishing Legitimate Use and Exemption identification policies
• Conduct awareness sessions on usage of tech solutions
Establishing a Legal Basis For Employment
• Notice and Consent: Notice in 22 languages with itemised data collected, purpose of collection including retention limits, links to rights execution including grievance redressal, and Nomination, with guardian consent where required. To be authenticated, uniquely identified and stored.
• Legitimate use: Purpose, safeguarding the organization, emergencies, legal compulsion etc.
• Exempted: During mergers and acquisitions; Startups by notification
Step 5: Technical solutions - Set 2
• Establish the technology solutions for managing Data Access rights, Correction and Deletion rights
• Set up Grievance Redressal system
• Set up Nomination Management system
• Set up systems for managing guardian managed data
• Set up Reasonable Security Practices for protecting DPD
Rights Management
Rights of the Data Principal: Right to information, Right to Access, Right to Correction and Erasure, Right to Nomination, Right to Grievance Redressal
Duties of the Data Principal
• Adhere to all applicable laws
• No Impersonation
• No suppression of material
• No false complaint
• Provision of authentic information only
Requirements
• System to receive the request, validate the Right, fulfil the requirements, handle grievances, document.
Reasonable Security Practices
• Appropriate data security measures including encryption, masking, tokenization
• Appropriate access control
• Appropriate monitoring of logs enabling prevention of unauthorised access etc.
• Management of Confidentiality, Integrity and Availability of Personal information
• Detection of unauthorized access
• Contract with data processors
• Appropriate Technical and Organizational measures
Step 6: Incident Management
• Establish Incident Management for DPDPA Compliance
• Establish Data breach Management for DPD
• Establish DRP and BCP systems for DPD
Step 7: Test and Correct
• Test the compliance system for hypothetical requirements
• Apply corrective measures including Liability Insurance Coverage
• Use external audits and Certifications as may be necessary
Understanding Privacy, DPDPA and DGPSI
Some Complexities of DPDPA Compliance
DPDPA Applies both to Legacy Data and Prospective Data
• There is a need to discover and classify the existing data as “DPDPA Protected Data” and others
• There is a need to put in place policies, procedures and technology to ensure that any future data that comes in is automatically identified as DPD and classified as required to facilitate easy compliance.
• If legal basis cannot be established for current data, it may have to be purged.
DPDPA Applies both to Legacy Data and Prospective Data
• We need to discover existing Data Principals associated with us
• Identify if the information can be processed under Legitimate use
• Send appropriate notice and collect Consent
• Ensure compliance of Rights such as Data Access, Correction, Deletion
• Ensure Grievance Redressal and Nomination
• If current Data Principals cannot be accessed? Alternative means of obtaining consent should be found
Data in an Entity has a lifecycle
• Personal Data is not always available in one chunk
• We may acquire different data elements at different points of time at different places in the network, in structured or unstructured form
• The discovery process needs to ensure the ability to identify the data elements, hold them in a transit store, recognise the associations between different elements, build personal data sets, assign a unique personal data ID etc.
• To create a Personal Data Inventory
Shared Brand Name
• Bosch is a company driven by a Strong Brand name.
• Every Data Consumer/Principal interacting with Bosch Products and Services predominantly recognises the brand and not the individual companies providing the service.
• But users of the brand name include group companies and vendors which are independent entities
• Data shared with “Bosch” is used by these “Independent entities” who may be Data Fiduciaries in their own right
• This introduces a “Super Data Fiduciary Status” for the Brand.
• Care needs to be taken to ensure that there is “Transparency” on who collects personal data of the data principal.
• A Super Data Fiduciary is a “Significant Data Fiduciary” in view of the unknown risks for which it may be taking liability
Data Classification
• For DPDPA Compliance, classification of data should follow the following steps
• Data may be within DPDPA scope (DPD) or outside it (eg, Non personal data or GDPR data)
• Needs to be classified to facilitate compliance with DPDPA
• Current classification for ISO 27001 purposes or GDPR purposes could be misleading.
• We need to re-classify personal data: Employee and Others, Minor and others, consent based or legitimate use based, retention based, etc.
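The discovery lifecycle and the re-classification steps above (associating data elements that arrive in fragments from different sources into personal data sets, assigning each a unique personal data ID, and tagging it by DPDPA scope, employee/other, minor/other and legal basis), as an added Python example that is not part of this deck or of any Bosch/FDPPI tooling; the sample fragments, the linking keys, the India-by-default country assumption, the reference year and the legal-basis rules are all constructed assumptions for illustration.

```python
import hashlib
import re

# Constructed sample fragments (not real data) from different sources, structured and free text.
FRAGMENTS = [
    ("hr_master", {"employee_id": "E1001", "email": "a.rao@example.in", "name": "A. Rao", "dob": "1990-04-02"}),
    ("biometric_attendance", {"employee_id": "E1001", "biometric_template": "<bytes>"}),
    ("support_ticket", {"text": "Priya Sen (priya.sen@example.in, DOB 2012-06-30) reports a fault"}),
    ("eu_webshop", {"email": "j.dupont@example.eu", "name": "J. Dupont", "country": "FR"}),
]
LINK_KEYS = ("email", "employee_id")  # elements that associate fragments to one person
AS_OF_YEAR = 2025                     # assumed reference year for the minor check

def extract(raw):
    """Normalise one fragment into data elements, pulling identifiers out of free text."""
    elems = {k: v for k, v in raw.items() if k != "text"}
    if "text" in raw:
        if m := re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", raw["text"]):
            elems["email"] = m.group(0)
        if m := re.search(r"\b\d{4}-\d{2}-\d{2}\b", raw["text"]):
            elems["dob"] = m.group(0)
    elems.setdefault("country", "IN")  # assumption: collected in India unless stated
    return elems

def classify(e):
    """Tag a set along the re-classification axes the text lists; the basis rules are assumptions."""
    if e["country"] != "IN":
        return {"scope": "outside DPDPA (e.g. GDPR data)"}
    minor = "dob" in e and AS_OF_YEAR - int(e["dob"][:4]) < 18
    employee = "employee_id" in e
    basis = "verifiable guardian consent" if minor else (
        "legitimate use (employment)" if employee else "consent")
    return {"scope": "DPD", "subject": "employee" if employee else "other",
            "minor": minor, "basis": basis, "biometric": "biometric_template" in e}

def build_inventory(fragments):
    """Merge fragments sharing an identifier into personal data sets; the unique personal
    data ID is derived from the linking identifiers once merging is complete."""
    sets = []
    for source, raw in fragments:
        elems = extract(raw)
        ids = {(k, elems[k]) for k in LINK_KEYS if k in elems}
        match = next((s for s in sets if ids & s["ids"]), None)  # transit store lookup
        if match is None:
            match = {"ids": set(), "sources": [], "elems": {}}
            sets.append(match)
        match["ids"] |= ids
        match["sources"].append(source)
        match["elems"].update(elems)
    return [dict(s, pdid=hashlib.sha256(repr(sorted(s["ids"])).encode()).hexdigest()[:12],
                 classification=classify(s["elems"])) for s in sets]
```

Running build_inventory(FRAGMENTS) yields three personal data sets: the employee record merged with the biometric attendance fragment, the minor discovered from free text, and the EU record flagged as outside DPDPA scope.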
Data Breach Notification
• Personal Data Breach is a concept that is broader than “Data Breach”
• Includes any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data
• Data Principal is the person who determines who can access the personal data, for what purpose and for how long.
• Hence an “Incident” for DPDPA is different from an “Incident” for ISO 27001
• Reporting required to every affected data principal, the DPB and also to CERT-In (in certain cases)
Cross Border Transfer
• MeitY is setting up a Committee which may specify countries to which data transfer of a specified type, by a specified type of Data Fiduciary, may be restricted.
The Enigma of Artificial Intelligence
• If an entity, as a Significant Data Fiduciary, deploys an AI algorithm for processing personal data
• It shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it is not likely to pose a risk to the rights of Data Principals. (Rule 12)
• If the AI algorithm is proprietary and the data fiduciary is blind as to the code deployed,
• Either the deployer should get an assurance certificate from the vendor, conduct its own DPIA on the algorithm and satisfy itself that the processing as well as storage and disclosure by the AI is under its knowledge and control, or consider the vendor of the algorithm as a “Joint Data Fiduciary”.
• It is our view that an “Unknown Risk” is a “Significant Risk” and all deployers of an AI algorithm as a black box should be considered as Significant Data Fiduciaries.
When should we start the implementation?
• DPDPA is a continuation of ITA 2000, which is already a law, along with adjudication for claiming of compensation by a Data Principal for any damages suffered on account of non compliance, and prosecution possibilities for imprisonment for various time periods even for the executives of a Company.
• Every Data breach under DPDPA 2023 is a contravention under Section 43 of ITA 2000 and a cognizable offence under Section 66 read with Section 85 of ITA 2000.
• Hence DPDPA 2023 is overdue for implementation as “Due diligence” under Section 43A of ITA 2000, though penalties under DPDPA 2023 may become effective later on.
• Additionally, E Commerce Companies may also be impacted by the Consumer Protection Act 2019 for any “Dark Pattern” usage, with imprisonment of up to 2 years.
• Hence the journey for implementation of DPDPA 2023 compliance has already started.
• Be there before it is late….
Discussions
naavi9@[Link]
[Link]
[Link]