
Key Things to do in Implementation of Digital Personal Data Protection Act

  • Anshoo Sharma
  • Dec 28, 2025

1. Assess the accuracy of existing personal data - Ensure completeness, accuracy and consistency of personal data of data principals (customers, agents, employees (on-roles; off-roles; visitors)) – Section 8 (3)


2. Identify personal data of children/persons with disabilities (to obtain verifiable consent of parent and/or lawful guardian) - Section 9; Rule 10/11


3. Nomination - start obtaining the nominee details of data principals (Section 14)


4. Notice Preparation - For existing customers/data principals – Section 5 (2) and Rule 3; 9 - prepare a notice with a) itemised description of personal data; b) specified purpose(s) of processing plus specific description of goods or services or uses; c) manner to exercise rights; and d) manner to file a complaint to the Board. Facilitate options to access the notice in English/other languages in the Constitution. Start collecting email IDs of the existing customers (for ease of delivery of notices).


5. Withdrawal of Consent - Establish SOPs (e.g. update the privacy policy; provide a link on the website) – with the same ease as obtaining the consent (Section 5 (2)(b); 6 (4); Rule 3).


6. Erasure of Data - Finalise SOPs for erasure on a) withdrawal of consent; b) when it is reasonable to assume that the specified purpose is no longer served (whichever is earlier) – Section 8 (7); c) where the Data Principal does not approach for performance of the specified purpose/their rights for the time specified in Rules applicable to e-commerce entities having not less than 2 Crores users; Online Gaming intermediary with not less than 50 Lakhs users; and social media intermediary with not less than 2 Cr users - Section 8(8) and Rule 8 (1)


7. Specified Purpose - list all specified purposes for which personal data is required (Section 5 (2)(a); 6 (1))


8. Establish Grievance Redressal Mechanism - Appoint an official to respond to communication from data principals in relation to their rights (DPO in case of Significant Data Fiduciaries); To address requests to correct/update/erase the data – Section 8(9) & Section 9.


9. Inventory of all the Data Processors and Data Fiduciaries with whom the personal data has been shared along with the description of the personal data so shared.


10. Valid Contracts with Data Processors - Identify all data processors and ensure valid contracts exist (Section 8(1); 8 (2)).


11. SOPs with Data Processors - on a) reasonable security safeguards to prevent personal data breach; b) in the event of breach – intimation within 72 hours (Section 8 (4);(5) and (6); Rule 6 and 7); c) cause its Data Processor to erase any personal data that was made available by Data Fiduciary for processing – Section 8 (7)(b).


12. Consent Managers - Initiate discussions with prospective consent managers (Section 6(7)).


13. Significant Data Fiduciaries - Await clarity on SDFs for additional compliances (DPIA; Periodic Audits) Section 10; Rule 13.

 
 
 
