Data Protection Act 2023 Presentation

Digital Personal Data Protection Act, 2023

September 2024
The Digital Personal Data Protection Act, 2023
What’s the buzz - Recent data breaches
At a time when technology has become the defining paradigm of the 21st century, India’s ongoing Data Protection regulation underscores the nation’s focus on building a strong data privacy regime. Some of the recent cases of data breach in India have been listed below for your easy reference.

Page 2
The Digital Personal Data Protection Act, 2023
What’s the buzz - Recent data breaches

• Nov 2023: Taj Hotels Suffer Data Breach, Personal Data Of 15 Lakh People At Risk - News18
• Oct 2023: ICMR data leak reveals personal info of 81.5 cr Indians: Report, ET HealthWorld (indiatimes.com)
• May 2023: RentoMojo security breach exposes user data; hackers claim financial details leaked - The Hindu
• April 2023: Zivame data breach: Personal info of thousands of Indian women customers up for sale online - India Today
• March 2023: RailYatri penalised for data leak, app restored after security measures (business-standard.com)

Building strong privacy governance programs is not only a reputational and business risk requirement but is also an integral part of building a transparent and long-term sustainable organization of the future.

The Digital Personal Data Protection Act, 2023 - An Overview

Journey so far

• August 2017: Right to Privacy recognized as a fundamental right in the Puttaswamy judgement
• July 2018: Justice Srikrishna committee submits draft PDP bill 2018
• December 2019: The PDP Bill 2019 was introduced in Lok Sabha and was referred to the Joint Parliamentary Committee (JPC)
• December 2021: JPC releases a new version of the bill as Data Protection Bill (DPB)
• November 2022: Ministry of Electronics and Information Technology (MeitY) releases draft (DPDPB) 2023 for public consultation
• July 2023: Union Cabinet approves the draft DPDP Bill, 2023
• August 2023: India's Digital Personal Data Protection Act, 2023

Applicability

Within India Territory:
• Processing of personal data in digital form
• Non-digital form and digitised subsequently

Outside the India Territory:
• Where personal data is collected in relation to offerings of goods or services

Law does not apply to:
• Processing for domestic or personal purposes by individuals
• Personal data made public by Data Principal

*Details on timelines for compliance shall be notified by the govt in the rules

The Digital Personal Data Protection Act, 2023
Key terminologies

1. Data Principal means the individual to whom the personal data relates and where such individual is:
• a child, includes the parents or lawful guardian of such child
• a person with disability, includes the lawful guardian acting on their behalf

2. Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

3. Consent means any freely given, specific, informed and unambiguous indication given by Data Principal of their wishes by way of a clear affirmative action, signifying agreement to the processing of their personal data for the specified purpose.

4. Processing means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

5. Certain legitimate uses
• Data voluntarily provided by data principal.
• To provide any subsidy, benefit, service, certificate, licence or permit.
• Performance of any law.
• Comply with any judgement or decree.
• In case of any epidemic, pandemic, disaster or threat to public health.
• Responding to medical emergency.
The Digital Personal Data Protection Act, 2023
Key requirements

Notice and Consent


A notice is required to be given by Data Fiduciaries to Data Principals for obtaining consent to process the data. The notice shall state the purpose of processing the data and the manner in which Principals can exercise their rights and make a complaint to the Board. Data Principals will be given an option to access the notice in English and other regional languages as specified in the Constitution.

Grievance Redressal

The Data Fiduciary or Consent Manager shall respond to the grievances of Data Principals within such period as may be specified. In case of any failure, the Data Principal may approach the Board and further file an appeal with the Appellate Tribunal.

Rights of Data Principal

The Data Fiduciary is to establish policies that enable Data Principals to exercise their rights as given under the Act, such as the right to access information about personal data, the right to correction and erasure of personal data, the right of grievance redressal and the right to nominate.

Personal data breach

The Data Fiduciary or Data Processor, as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.

Correction and erasure

Upon receiving a request for correction or erasure of collected personal data from a Data Principal, the Data Fiduciary shall correct, complete, update or erase such personal data that is no longer necessary for the specified purpose, unless retention is necessary for a legal purpose.
Snapshot of indicative touchpoints for KKR

Overview: KKR is a global investment firm that has invested in a variety of businesses in India, including healthcare, life sciences, technology, and consumer-focused sectors.

Indicative personal data elements
• Employee: name, address, date of birth etc.; medical records; professional qualifications; performance records
• Third party: Point of Contact (POC) name; POC email ID; POC contact number
• Visitor/Candidate: name, address, date of birth etc.; email ID; contact details
• Investor information
• Portfolio companies

Indicative key business processes
The following processes are the indicative processes of KKR:
• Technology: platform teams; identity and access management; IT support; application support; information security
• Human Resources: talent acquisition; employee onboarding; performance management; employee exit process
• Operations: CoE – Data engineering; CoE – Asset servicing
• Financial & accounting: accounts payable/receivable; fund accounting; payroll processing
• Other functions: Investor relations; IT; Client services; Legal & Compliance

Indicative key applications
• Technology: Salesforce; Palo Alto; Workday; Success Factors; AWS; Okta; Azure

KKR office locations in India: Gurugram
The Digital Personal Data Protection Act, 2023
Industry Impact

Policies and procedures: Draft and implement policies and procedures regarding processing of personal data, consent management, data breach management, grievance redressal etc.

Significant data fiduciary (‘SDF’): Certain companies may qualify as SDF due to the large volume and nature of processing of data. Additional obligations such as performing audits and appointment of a Data Protection Officer (‘DPO’) will be applicable.

Cross-border transfers: The Act restricts cross-border transfer of personal sensitive data to a country or territory outside India that the government will notify.

Periodic Assessments: Periodic assessment and management of personal data to maintain high-quality standards in order to achieve the objectives of the Act.

Summary of monetary penalty

| S.No. | Subject matter of the non-compliance | Penalty (in INR) | Penalty (in USD) |
|---|---|---|---|
| 1 | Failure to take reasonable security safeguards to prevent personal data breach | Up to ₹250 crores | Up to 30 Mn. |
| 2 | Failure to notify the Board and affected Data Principals of a personal data breach | Up to ₹200 crores | Up to 24 Mn. |
| 3 | Non-fulfilment of additional obligations in relation to processing data of children | Up to ₹200 crores | Up to 24 Mn. |
| 4 | Non-fulfilment of additional obligations of Significant Data Fiduciary | Up to ₹150 crores | Up to 18 Mn. |
| 5 | Non-compliance with duties of Data Principal | Up to ₹10,000 | Up to 120 |
| 6 | Breach of any term of voluntary undertaking accepted by the Board | At the discretion of Board | At the discretion of Board |
| 7 | For all other non-compliances under this Act | Up to ₹50 crores | Up to 6 Mn. |
Impact on business

• Customer Trust: Respecting the privacy of your customers/employees and processing data securely builds trust and fosters loyalty.
• Brand Image: Mishandling customers’ data may lead to negative publicity and can tarnish brand image.
• Competitive Advantage: Privacy-conscious organizations can leverage their commitment, make it a unique selling point and gain competitive advantage.
• Compliance: Adherence to privacy laws avoids hefty fines. Non-compliance can lead to legal repercussions.

Impact on the Sector

Digital transformation in recent years has enabled organizations to collect significant volumes of personal data.
The DPDP Act 2023 will significantly impact the industry as it is designed to regulate the processing of personal data and establish rights and obligations for both individuals and organizations.
How EY can help
EY India – Data Protection and Privacy Practice

Rich experience working on Data Privacy
• 1600+ resources in Data Privacy, out of which 200+ are techno-legal full-time privacy professionals
• 80+ certified team members on data privacy (CIPP/E, CIPM, DSCI, ISO)
• EY India has over 200+ projects across 80+ clients, 12+ sectors
• Experience on 35+ Personal Data Protection Regulations
• Our association with the industry: IAPP, OSAC, DSCI, FICCI, ISACA, NASSCOM
• Our association and experience of working with leading industry players: Onetrust, BigID, Security.ai

Enablers*
• Data Privacy Framework
• Data Mapping – DFD/RoPA
• Consent Management
• Cookie Compliance
• Data Subject Request Handling
• Privacy Incident & Breach Management
• Data Privacy Impact Assessment (DPIA)
• and much more..

* Enablers include toolkits, frameworks, templates, documents
EY India – Data Protection and Privacy Practice
Compliance roadmap

NOW (0-2 months)
• Analyse and determine eligibility under the Act
• Review/modify existing privacy policies, consent mechanisms, and data-handling procedures
• Modify customer-facing platforms to comply with the consent requirement
• Develop an inventory of assets processing personal information and a list of suppliers

NEXT (2-4 months)
• Preparation of notice for obtaining consent to collect data, along with details of the DPO or any other person
• Appoint and engage a Data Protection Officer and Data Processor to process personal data
• Process for consent from Data Principal
• Establish a robust data breach response plan and comprehensive grievance redressal policy

BEYOND (4-6 months)
• Regularly updating on new compliances/changes introduced by authorities
• Erasure of personal data on completion of processing
• Certifications demonstrating compliance with the Act
Thank you!

Page 13 October 25, 2024


Annexure
Unified privacy framework

Region of operations*: USA, India, UK

Data privacy and security principles
• Territorial scope
• Enforcement
• Security and breach notifications
• Accountability
• Individual’s rights
• Access rights requests
• Consent and choice
• Collection and use
• Data breach notification
• Data localization
• International data transfers
• Secure disposal / retention

KKR unified privacy framework: the unified privacy framework is structured around common privacy and security domains
• Governance
• Confidentiality and Integrity
• Data Masking/Tokenization
• Integrity
• Encryption

*The in-scope laws and regulations to be considered for the unified privacy framework will be based on region of operations
Consent considerations as per data lifecycle

Consent requirements through the data lifecycle

Collection
• Privacy notice laying down various personal data categories and related processing activities will need to be provided to customers
• Purpose-wise consent to be obtained

Use
• KKR will only be permitted to use personal data for the consented purposes (marketing, analytics, sharing within the group, etc.)

Sharing
• KKR will only be able to share personal data of individuals who have provided consent for sharing within the group
• Sharing of personal data only for consented purposes

Disclosure
• KKR will be permitted to share personal data with third parties (e.g., vendors) where the individuals have provided consent or it is needed for providing the service

Retention and Disposal
• Personal data will need to be archived after the consented purpose is fulfilled
• In case an individual withdraws consent, the processing activity that relies on this consent will have to be halted

KKR actions for obtaining and maintaining consent

Collection
• Application forms
• Login pages for app and website
• Chatbot
• Call center
• WhatsApp

Use
• Customers will need to provide consent to different purposes separately
• Consent cannot be merged with terms and conditions that customers sign

Sharing
• Onboarding LoB will need to ensure other KKR entities use the personal data only as per available consents
• In case another KKR LoB wishes to use personal data for other purposes, fresh consent to be obtained from customers

Disclosure
• Contracts with third parties and vendors will need to lay down obligations in case customer withdraws consent
• Contracts will need to define processing activities

Retention and Disposal
• Personal data for which consent is withdrawn/expired will need to be archived and not processed further
• Archival period will be in line with regulatory requirements
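The consent rules above (purpose-wise consent, no bundling with terms and conditions, halting processing on withdrawal, archiving data whose consent has lapsed) can be enforced in code rather than by policy alone. The following is an added example, not code from the presentation or from EY/KKR: a minimal consent ledger keyed on (principal, purpose), with a processing gate that refuses any purpose lacking an active consent. The class and function names and the sample principal "dp-001" are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentRecord:
    """One purpose-specific consent given by one data principal (hypothetical model)."""
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # Consent counts only between grant and withdrawal.
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at

    def withdrawn_by(self, when: datetime) -> bool:
        return self.withdrawn_at is not None and self.withdrawn_at <= when


class ConsentLedger:
    """Purpose-wise consent store: one record per (principal, purpose).
    There is deliberately no 'all purposes' entry, so consent can never be
    bundled with terms and conditions."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def grant(self, principal_id: str, purpose: str, at: datetime) -> None:
        self._records[(principal_id, purpose)] = ConsentRecord(principal_id, purpose, at)

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        rec = self._records.get((principal_id, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = at

    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.active_at(at)

    def to_archive(self, principal_id: str, at: datetime) -> List[str]:
        """Purposes whose consent has been withdrawn by `at`: data held for them
        must be archived and not processed further."""
        return sorted(purpose for (pid, purpose), rec in self._records.items()
                      if pid == principal_id and rec.withdrawn_by(at))


def process(ledger: ConsentLedger, principal_id: str, purpose: str, at: datetime) -> str:
    """Gate a processing activity on an active consent for exactly this purpose."""
    return "processed" if ledger.is_permitted(principal_id, purpose, at) else "halted"


def demo() -> Dict[str, object]:
    """Constructed walk-through: a principal consents to marketing only, then withdraws."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 9, 1, tzinfo=timezone.utc)
    ledger.grant("dp-001", "marketing", t0)
    before = process(ledger, "dp-001", "marketing", t0 + timedelta(days=1))
    analytics = process(ledger, "dp-001", "analytics", t0 + timedelta(days=1))  # never consented
    ledger.withdraw("dp-001", "marketing", t0 + timedelta(days=10))
    after = process(ledger, "dp-001", "marketing", t0 + timedelta(days=11))
    archive = ledger.to_archive("dp-001", t0 + timedelta(days=11))
    return {"before": before, "analytics": analytics, "after": after, "archive": archive}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the gate is "default deny": a purpose that was never consented to (analytics in the walk-through) is treated the same as one whose consent was withdrawn, which is what the "fresh consent for other purposes" rule above requires.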
Third-party management

Third-party management lifecycle

1. RFP/RFQ Proposal Stage
2. Shortlist & Onboarding stage
3. Due diligence & Service Delivery stage
4. Renewal & termination stage

Key consideration for KKR

RFP/RFQ Proposal stage
• Terms and Conditions for DPDPA compliance and other applicable laws

Shortlist & Onboarding stage
1. Third party risk
2. Updating contracts with DPDPA clauses
3. Define role and responsibilities with respect to data fiduciary & data processor
4. Categorization as per criticality of processing data

Due diligence & Service Delivery stage
1. Audit
2. Ongoing monitoring
3. Review
4. Request fulfilment as per DPDPA, e.g. Data Principal requests, etc.

Renewal & termination stage
1. Data deletion requirements
2. Data retention requirements
Data breach notification

Below is the use case for data breach notification and management for KKR’s existing SIEM & SOAR tools.

Integration of applications with existing SIEM and SOAR
• Is the personal data stored on-prem or in the cloud?
• On-premise: identify applications storing personal data; build policies within existing tools as per in-scope privacy regulations; integrate with SIEM and SOAR
• Cloud: identify applications storing personal data; build compliance policies for in-scope privacy regulations; integrate with SIEM and SOAR

Monitoring & Analysis
• SIEM and SOAR provide incident logging, monitoring & response
• Analyse the potential impact & determine immediate action
• Acquire evidence
• Contain incident
• Recover from incident

Notification & Reporting
• Notify relevant authorities & affected data principals
• Follow-up report: incident analysis, containment measures & KPIs; lessons learned
• Compile dashboard for incident KPIs

Security Controls
1. VAPT for applications and components
2. Threat modelling for all integrations
3. Authentication function testing
Personal data mapping and inventory

Implementation of personal data mapping and inventory

Manual data discovery (process oriented; vendor assessments; PIA / DPIA & PbD)
• Conduct discussions to identify systems and business functions processing personal data
• Draft data flow diagrams
Security Controls
1. Data at rest, data in motion encryption
2. Data Loss Prevention and exfiltration of data controls
3. VAPT for Applications and Infrastructure

Automated data discovery (structured data discovery; unstructured data discovery)
• Create test groups/targets for servers, endpoints and databases for initial data discovery scans and run the automated scanning in batches of test groups
• Identify and remove false positives
• Extract reports for all completed scans
Security Controls
1. TPRA and Remote access solution for vendors
2. VAPT, threat modelling & assessment, source code review, software composition analysis
3. Risk assessment

Data inventories (vendors, IT systems, processes) feed into:
• Compliance reporting
• Risk flagging
• Data flow visualisations
• Risk assessment
Data principal rights management

Managing data principal rights requests

Consumer
• Submit request
• Re-submit details to authenticate identity (if identity could not be authenticated)
• Is notified if the request will take longer than 30 days
• Receives the requested information or confirmation that the request was completed

KKR data privacy team
• Confirm receipt
• Can the consumer’s identity be authenticated? If no, ask the consumer to re-submit details; if yes, assign workflow in ServiceNow based on request type
• Distribute request as necessary to internal teams
• Locate or retrieve personal data
• Stage response for legal review, if necessary
• Distribution of requested information and confirmation of request completion
• Track and report DPR progress

IS team (ServiceNow)
• Log the request for tracking and updates

System owner / DBA
• Prepare for action / information requested

Legal
• Review request to approve or deny

Security Controls
1. Risk assessment and infrastructure assessment
2. VAPT
3. Threat assessment and modelling for all integrations
Data principal rights deletion request

Implementation of data principal rights deletion request

Workflow, tracking & reporting
1. Authenticate Requestor
2. Determine Applicability (deletion request policies, business rules)
3. Open and Assign Work Order (find data principal, data sources, contacts)
4. Assign tasks and fulfill deletion requests
5. Report Completion to Requestor (provide confirmation/evidence)

In this “delete” Data Principal Request example, ServiceNow is leveraged to manage the automated workflow, track against the regulatory response timeline and report progress to the end-user and the KKR data privacy team.

Existing SIEM tool
► Verify existing policies, coverage and applicable rules set
► Check integration with other security tools

Security Controls
1. Risk assessment and infrastructure assessment
2. VAPT
3. Threat assessment and modelling for all integrations

* As per applicable agreement with the
Privacy engineering for data masking

Privacy Engineering can be inculcated into KKR’s cloud environment and application development process via data masking/encryption.

Use case: Data Masking/encryption for cloud and application development

Approach
• Establish a clear understanding on the data that needs to be protected
• Use EY playbooks and rulesets to discover the data in different repositories
• Classify the data based on policies set by KKR
• Treat the data using masking techniques to protect it
• Develop robust processes for deploying / provisioning test data

Data Masking Methodology (data masking tools)

| Input | Output after Data Masking |
|---|---|
| Credit Card No. 4415 1230 0000 0123 | Credit Card No. XXXX XXXX XXXX 9876 |
| Identity Number 9865 7894 9876 | Identity Number @^$%!##&#$! |

Security Controls
1. VAPT for applications and components
2. Threat modelling for all integrations
3. Authentication function testing
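The masking methodology above shows two treatments: partial masking of a card number and full replacement of an identity number. As an added example (not code from the presentation, from EY or from KKR's environment), the block below implements both in plain Python: a format-preserving mask that keeps only the trailing four digits, and a keyed HMAC-SHA256 token for identifiers that must remain joinable across test datasets but never readable, which is the "Data Masking/Tokenization" domain named in the annexure. It also carries the check a practitioner wants before provisioning test data: that no masked field still contains the original digits. Function names, the field-to-rule mapping and the key value are assumptions; the input values are the slide's own sample numbers.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict

MASK_CHAR = "X"


def mask_keep_last(value: str, keep_last: int = 4, mask_char: str = MASK_CHAR) -> str:
    """Replace every digit except the trailing `keep_last` with mask_char.
    Spaces and dashes are preserved so the output keeps the input's format."""
    total = sum(ch.isdigit() for ch in value)
    if total <= keep_last:
        raise ValueError("value has too few digits to mask safely")
    cutoff = total - keep_last
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > cutoff else mask_char)
        else:
            out.append(ch)
    return "".join(out)


def tokenize(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token (HMAC-SHA256) for identifiers that must stay
    joinable across datasets but never readable. Formatting is stripped first so
    '9865 7894 9876' and '986578949876' map to the same token."""
    canonical = re.sub(r"\D", "", value)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:length]


def build_masker(key: bytes) -> Callable[[Dict[str, str]], Dict[str, str]]:
    """Return a record masker applying a per-field rule (hypothetical field names)."""
    rules: Dict[str, Callable[[str], str]] = {
        "credit_card": mask_keep_last,
        "identity_number": lambda v: tokenize(v, key),
    }

    def mask_record(record: Dict[str, str]) -> Dict[str, str]:
        # Fields without a rule pass through unchanged.
        return {field: rules.get(field, lambda v: v)(v) for field, v in record.items()}

    return mask_record


def leaks_original(masked: str, original: str) -> bool:
    """Pre-provisioning check: does the masked value still contain all the original digits?"""
    return re.sub(r"\D", "", original) in re.sub(r"\D", "", masked)


if __name__ == "__main__":
    # Constructed key for the demo; a real deployment keeps the key in a secret store.
    masker = build_masker(b"demo-masking-key")
    sample = {"name": "A. Person", "credit_card": "4415 1230 0000 0123",
              "identity_number": "9865 7894 9876"}
    masked = masker(sample)
    for field in ("credit_card", "identity_number"):
        print(field, masked[field], "leak" if leaks_original(masked[field], sample[field]) else "ok")
```

The HMAC key is what separates tokenization from plain hashing: without it, anyone holding a list of candidate identity numbers could recompute the tokens and reverse the mapping, so the key belongs in a secret store and the token table should be treated as sensitive as the source data.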
Comparison of GDPR and DPDPA

Please find below a summary of the principles of GDPR and DPDPA which EY will adhere to.

Domains shown in the comparison:
• Data breach management
• Consent
• Privacy by Design and Privacy by Default
• Data retention
• Consent Manager
• Appointment of Data Protection Officer
• Notice
• Policies and procedures
• Categories of Personal Data
• Records of Processing Activities (RoPA)
• Applicable Privacy domains
• Processing child data
• Training and awareness
• Conditions for collection and processing
• Data processor
• Significant Data Fiduciary
• Data Subject/Principal Rights
• Security of processing
• Appointment of Sub-Processors
• Cross border transfer
• Data Protection Impact Assessment (DPIA)

Legend (as colour-coded in the original figure):
• Common domains for GDPR and DPDPA
• Additional DPDPA domains
• The core principle remains the same, but the requirement is slightly modified as compared to GDPR
• Requirement not currently present in DPDPA and may be included once the Rules for implementation of the Act are released
Differences between GDPR and DPDPA

| Domain | General Data Protection Regulation (GDPR) | Digital Personal Data Protection Act, 2023 (DPDPA) |
|---|---|---|
| Key Stakeholders | 1. Data Subject is the stakeholder whose personal data is being processed. 2. Data Controller is the stakeholder responsible for lawful processing of personal data | 1. Data Principal is the stakeholder whose personal data is being processed. 2. Data Fiduciary is the stakeholder responsible for lawful processing of personal data |
| Categorization of personal data | Special categories of personal data – race, ethnic, health, genetic, religious or philosophical beliefs, etc | Applied to broader set of personal data without further classification of personal data into sensitive or critical data |
| Children age | Below 16 years are considered as children | Below 18 years are considered as children |
| Categorization of data controllers/fiduciaries | GDPR does not distinguish between classes of data controllers (equivalent to data fiduciaries) | DPDPA intends to classify certain data fiduciaries as ‘significant data fiduciaries’ with additional compliance obligations |
| Consent Managers | No concept of consent managers | Data fiduciaries, who on behalf of data principals can collect and manage the consent provided by them |
| Data Protection Impact Assessment (DPIA) | Data Protection Impact Assessment (DPIA) is necessary to be conducted by all data controllers | DPIA is only necessary to be conducted by Significant Data Fiduciary (SDF) |
| Sub-processor | GDPR mentions another key stakeholder - sub-processor which is appointed by the data processor for support in processing of personal information as per contract | DPDPA does not mention sub-processor |
| ROPA | GDPR mentions Records of Processing Activities (ROPA) as per article 30 | DPDPA does not mention ROPA |
| Legitimate interest/use | GDPR states that legitimate interest related lawful processing can be personal, commercial or societal interest | DPDPA states that legitimate use related lawful processing is based on a lack of objection for the processed personal data |
| Standard Contractual Clauses | GDPR has defined standard contractual clauses for transfer of personal data between different data controllers and data controllers and data processors | No standard contractual clauses |
| Cross border data transfer restriction | As per adequacy decision, standard contractual clauses and transfer impact assessments | No cross border data transfer restrictions |
| Data subject request timeline | Data subject request timeline to be answered within 30 days | Data subject request timeline not defined |
| Breach reporting timeline | 72 hours after identifying breach | No timeline specified |
| Data Subject/Principal Rights | Data subject rights include right to data portability and right to object to automated profiling | DPDP does not specify the rights of data portability and right to object to automated profiling |