Compliance Spotlight: India – Digital Personal Data Protection Act 2023 (DPDPA)
In August 2023, India's Digital Personal Data Protection Act (DPDPA) was enacted, marking a significant advancement in the country's privacy framework. The Act, which includes comprehensive data protection rules, has been delayed in its full implementation due to recent elections.
In August 2023, the Digital Personal Data Protection Act 2023 (DPDPA) received presidential assent. This represents a huge leap forward in the privacy landscape in India and has garnered much attention, and admiration, in the privacy world.
The DPDPA will be supported by data protection rules (DPDPA Rules) on 26 subjects, which will include items such as notice obligations, consent managers' duties, data breach reporting, collection of verifiable parental consent in case of processing of children's personal data, classification of significant data fiduciaries and the scope of their obligations, data principal requests, and the constitution of the Data Protection Board of India ('Board'). However, the publication of these Rules and the coming into full force of the DPDPA have been delayed due to the recent elections.
What Does the DPDPA Cover?
The DPDPA is principles-based legislation and applies to the processing of personal data collected either in digital form or in non-digital form but subsequently digitised. However, non-automated processing and personal data made publicly available are excluded from its scope. The DPDPA will apply to the relevant processing of personal data within India as well as to the processing of digital personal data outside India if the processing is in connection with the offering of goods or services to individuals within India. Included in the DPDPA are the following provisions: (a) notices, consents, and legitimate purposes of processing; (b) rights of individuals; (c) processing of children’s data (those under 18); (d) cross-border transfer rules; and (e) penalties.
How Does the DPDPA Impact Background Screening?
On the face of it, the impact of the DPDPA on background screening looks quite limited because many of the records accessed in the provision of the services in India remain undigitised. However, the DPDPA is part of the Indian government’s initiative to encourage organisations and data sources to digitise their records. With that in mind, it is likely that we will start to see more and more sources coming “on-line”. This has already been seen, for example with the e-courts database from which criminal records are retrieved.
A change is also occurring in respect to how certain data can be accessed, with many sources introducing one-time password (OTP) codes to stop third parties accessing records unless those same third parties invest in building secure APIs through which the records can be requested and retrieved. This aligns with the intent of the DPDPA, as the proper access of data means better controls to prevent misuse of records and to increase data security.
How Can HR Professionals Prepare for the DPDPA?
It is always a good idea to start by conducting a review of record keeping practices to categorise those that are kept “on-line” vs those kept “on-paper”. In addition, a review of any tools used in the recruitment process should be undertaken to assess if any of these tools introduce automation into any selection/screening process. Finally, vendors should be reviewed to establish which may process personal data as part of the services they provide and those vendors should be asked if any processing is completed using digitised records or automation. Once that audit is complete, teams should review processes against the requirements laid down in the DPDPA to ascertain any gaps to be remediated and/or confirm compliance.
In respect to your background screening provider, it is going to be critical that you work closely with them to figure out whether any checks are conducted using automation and/or digitised records and, if so, whether their systems are built to support compliance with the DPDPA. You may also want to review contractual arrangements to ensure they contain adequate provisions in respect to how you expect your screening partner to handle personal data.
Whilst the DPDPA and its Rules are not yet fully in force, it is worth starting to put in place a project plan to manage this process as early as possible.
How Can HireRight Help?
Compliance and the utilisation of best-in-class technology are at the heart of our services and, as such, HireRight is able to support organisations in meeting compliance requirements under the DPDPA.
For further information, please contact us here.
Release Date: August 22, 2024
Caroline Smith
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.