By Gajendra Maheshwari (Partner, ReinHeads Legal LLP)
A. Background
The recently enacted Digital Personal Data Protection Act, 2023 (DPDPA) holds immense significance in safeguarding the personal data of individuals. It is crucial to understand the key provisions of the law and the impact it could have on various functions of an organization, including the taxation and finance functions.
To begin with, it is relevant to grasp the meaning of the term ‘Personal Data’. It encompasses data through which an individual can be identified. For instance, a phone number, email ID, postal address, biometric details, health records etc. can be termed Personal Data if it is possible to relate them to the individual to whom such data belongs.
In the context of Personal Data, DPDPA recognizes the rights of individuals (termed ‘Data Principals’) as the true owners of their Personal Data and casts several obligations on the persons processing (i.e., collecting, storing, retrieving, using, sharing etc.) the Personal Data (referred to as ‘Data Fiduciaries’).
Within an organization, the taxation/ finance functions are responsible for processing
various sets of personal data, such as:
• Individual’s name (including individual customers, vendors etc.)
• Postal address
• E-mail identity
• Bank account details
• Date of birth
• Permanent Account Number (PAN)
• Goods and Services Tax (GST) registration number
• Aadhaar or other Government ID details
Given these responsibilities, it is imperative for the relevant teams to understand the key features of DPDPA in order to ensure compliance.
B. Key Features of DPDPA
Key features of DPDPA with relevance to taxation/finance functions include:
- Consent Mechanism
  - DPDPA mandates ‘consent’ of the Data Principal for processing of her Personal Data.
  - Consent must be free, specific, informed, unconditional and unambiguous, so as to clearly demonstrate agreement to the processing of Personal Data.
  - In the case of children (i.e., individuals below the age of 18 years), verifiable consent must be obtained from their parent or lawful guardian.
- Notice
  - Consent must be obtained on the basis of a ‘notice’ given to the Data Principal.
  - The notice should be presented to the Data Principal in clear and plain language. It must be accessible in English or any other language specified in the Eighth Schedule to the Constitution of India.
- Purpose limitation
  - The notice should explicitly state the ‘purpose’ of processing the Personal Data.
  - Accordingly, the Personal Data collected may be processed only for the specified purpose.
- Data Retention
  - Data Fiduciaries must erase the Personal Data if the Data Principal withdraws consent.
  - In any event, the Personal Data should be erased once the specified purpose is fulfilled.
- Transfer of Personal Data
  - DPDPA mandates a valid contract for the transfer of Personal Data by a Data Fiduciary to a Data Processor (i.e., a third party who processes Personal Data on behalf of the Data Principal). For example, where a Data Principal shares Personal Data of vendors with a Chartered Accountant for undertaking compliance with the tax withholding provisions, the Chartered Accountant would be treated as the Data Processor.
  - The Data Principal remains responsible for DPDPA provisions where a Data Processor is involved.
  - Personal Data can be transferred outside India for processing, except to any country or territory notified by the Central Government.
In addition to the above, DPDPA grants further rights to Data Principals, including the right to access information, to withdraw consent, etc. This requires compliance readiness on the part of businesses for honouring such rights.
C. Compliances to be undertaken by Taxation/ Finance Departments
To ensure compliance with the law, the concerned employees should consider conducting a data mapping exercise. The objectives of this exercise are to:
• Identify the type of personal data collected.
• Determine the database where the data is stored.
• Identify team members with access to the data.
• Understand the nature of processes undertaken with respect to the data.
• Identify third parties with whom the data is shared.
• Determine the manner in which personal data is shared (e.g., through a cloud server, email etc.).
• Establish data retention periods.
Based on this assessment, the following actions may be required:
• Implementing a consent mechanism for the collection of the Personal Data.
• Issuing notices to Data Principals for obtaining their consent.
• Specifying the purpose for which Personal Data will be processed.
• Assessing the need to create or amend contracts with Data Processors so as to extend responsibility for compliance under DPDPA to them.
• Introducing policies and mechanisms for responding to Data Principal rights, including data sharing, retention and erasure.
It is important to note that certain provisions of DPDPA relating to consent, notice etc. apply to Personal Data collected even before the commencement of the Act. While the law does not specify a deadline for such compliance, it emphasizes that compliance should be achieved ‘as soon as it is reasonably practicable’. In view of these transition provisions, compliance is also required for previously collected Personal Data.
D. Way Forward
As per recent government announcements, the rules under DPDPA are expected to be released soon. Initially, the law would be made applicable to large tech companies, allowing other industries more time for implementation.
Nevertheless, organizations must acknowledge that DPDPA will impact various functions and processes. For many organizations, the data mapping exercise may require a significant amount of time and effort. The subsequent measures, such as introducing a consent mechanism, may take even longer. Consequently, there is a need to raise awareness about this law within the organization, beginning with top management.
Sooner rather than later, organizations will need to adopt ‘privacy by design’ principles, whereby business processes are (re)designed in such a way that data collection is minimized, and data access rights, retention policies and third-party transfers are properly documented and monitored.
This path-breaking law aims to cultivate a culture of privacy in the country, and organizations
should gear up for its implementation in a timely manner.
Published by – Taxsutra