Rules Under Digital Personal Data Protection Act Expected Within A Week: Know Key Details
All companies handling personal data online will be subject to these rules.
The long-awaited rules under the Digital Personal Data Protection Act are anticipated to be released within a week, sources told NDTV Profit. Although the DPDP Act was passed last year, the specific rules necessary for its implementation have been pending.
These new guidelines will provide companies, including edtech startups like Byju's, social media platforms, and internet firms, with a framework for managing user consent. Rather than imposing strict regulations, the rules will offer an overall structure for consent management.
A key focus of the guidelines is the requirement for verifiable consent when processing children's data. Companies must ensure that the consenting individual is not a child and may be asked to utilise government-issued ID cards or tokens for age and consent verification, according to persons privy to the development.
There will also be flexibility for companies to develop their own age verification systems in the future, they added.
Additional requirements for entities include making key information accessible on their websites or apps to help users understand their rights. This includes providing access to previously granted consents and clear instructions on how to nominate someone to act on their behalf or change such nominations. The information must be easily accessible from the main screen or homepage.
Furthermore, entities are required to respond to user complaints in accordance with the law. If no specific timeline is provided, they should reply within 72 hours.
Each request for consent will need to be accompanied or preceded by a notice. This notice will be presented as an independent document, making it clear and accessible for users, without requiring them to refer to any other information from the entity. The notice’s format will aim to ensure that users can easily understand what data is being requested and why.
The notice will contain a detailed list of the personal data to be processed, along with an explanation of the specific purpose for which this data will be used. It will confirm that only necessary data is being processed to achieve this purpose and will specify how long this data will be retained or when the processing will conclude.
Additionally, the notice will outline any goods or services provided as a result of this data processing, or the benefits the user will receive from allowing their data to be used in this way. The notice will also clearly list the rights users will have concerning their data.
A link to the entity’s website or app will be included in the notice, where users will be able to withdraw consent, access their data, correct inaccuracies, or file complaints. They will also have the option to nominate someone else to act on their behalf. If users need to escalate a complaint, the notice will include information on how to contact the Data Protection Board of India.
The notice itself will be created in a format that the entity can store independently, separate from other data. This format will allow users to easily save or keep a copy for future reference. A 'Consent Artifact' may be used to deliver this notice and gather user consent for processing personal data.
Once consent is given, the notice will need to be retained until the end of the data processing period. Even after this period has expired, entities will be required to retain the consented notice for any potential legal needs, such as for lawsuits, appeals, or applications related to the data.