FAQs (Organizations Perspective)
Most Frequently Asked Questions by Organizations About DPDP
- What is the DPDP Act and how does it affect organizations?
The DPDP Act is a law that sets rules for how organizations should collect, process, and protect personal data. It requires organisations to implement measures to safeguard the privacy of individuals and to be transparent about how they use that data.
- What types of data does the DPDP Act cover?
The DPDP Act covers personal data, which includes any information that can identify an individual, such as names, contact details, financial data, and biometric data.
- What are the key obligations of my organisation under the DPDP Act?
• Organizations must:
◦ Obtain explicit consent from individuals before collecting or processing their data.
◦ Provide clear and transparent information about how their data will be used.
◦ Implement strong data protection measures to secure personal data.
◦ Allow individuals to access, correct, and delete their data upon request.
◦ Report any data breaches to the relevant authorities and affected individuals.
- Do organisations need to get consent from individuals before collecting their data?
Yes, organisations must obtain explicit consent from individuals before collecting or processing their personal data, unless there is a lawful basis for processing without consent (such as a contract or legal obligation).
- What should an organisation do if there is a data breach?
In the event of a data breach, the organisation must notify the relevant data protection authority and the affected individuals as soon as possible. The organisation must also take steps to prevent further breaches and mitigate any damage caused.
- How can an organisation ensure it is complying with the DPDP Act?
• To comply with the DPDP Act, an organisation should:
◦ Conduct regular data protection audits.
◦ Implement security measures like encryption and access controls.
◦ Provide staff training on data privacy and security.
◦ Update its privacy policy to reflect the rights of individuals and how their data is handled.
◦ Appoint a Data Protection Officer (DPO) if required by the law.
- How long can organisations retain personal data?
Organisations can retain personal data as long as it is necessary to fulfill the purpose for which it was collected. Once the data is no longer needed, it should be securely deleted or anonymized.
- What are the penalties if the organisation fails to comply with the DPDP Act?
Non-compliance with the DPDP Act can result in significant fines, penalties, or legal actions. The penalties depend on the severity of the violation, with higher fines for serious breaches of data protection rights.
- Do organisations need to inform individuals about how their data is being used?
Yes, the organisation must clearly inform individuals about the type of data it collects, the purpose for which it will be used, and who it will be shared with. This should be included in the organisation's privacy policy.
- Do organisations need to appoint a Data Protection Officer (DPO)?
Depending on the size and nature of the organization and the volume of personal data it processes, an organization may be required to appoint a Data Protection Officer (DPO) to oversee data protection compliance and serve as a point of contact for individuals and regulatory authorities.
- What if a customer asks to delete their data?
If a customer requests the deletion of their data, organisations must comply, unless there is a legitimate reason to retain the data (e.g., legal obligations or contractual requirements). Ensure that the request is processed promptly and securely.
- How do organisations manage data sharing with third parties?
If an organisation shares personal data with third parties, it should ensure that those parties comply with the DPDP Act and have appropriate security measures in place. Organizations should have clear data processing agreements in place that outline the responsibilities of both parties.
- How can an organization handle cross-border data transfers?
An organization can handle cross-border data transfers by ensuring compliance with government regulations and by checking whether the destination country has adequate data protection laws, as the DPDP Act requires.
Ref.: https://www.meity.gov.in/
Link for more information: Digital Personal Data Protection Act 2023.pdf