Key DPDPA Definitions<\/b><\/h5>\n
A<\/span> Data Fiduciary<\/span><\/i> is anyone who alone or in conjunction with others determines the purpose and means of processing of personal data. A <\/span>Data Principal<\/span><\/i> is the individual to whom the personal data relates, with a special focus on children or the disabled and their lawful guardians, but of course, this pretty much means everyone in a family.<\/span><\/p>\n A <\/span>Data Processor<\/span><\/i> is a person who processes personal data on behalf of a Data Fiduciary. <\/span>Processing <\/span><\/i>means fully or partly automated operations on digital personal data, including its collection, storage, use, disclosure, or restriction\/erasure. And, a <\/span>Data Protection Officer<\/span><\/i> is the person appointed by the \u201csignificant\u201d Data Fiduciary.\u00a0\u00a0<\/span><\/p>\n Non-compliance with the DPDPA can lead to substantial penalties, including fines up to 250 crore INR (roughly US $30M). Such measures highlight the critical need for data-centric protection practices that can maintain compliance and uphold public trust.<\/span><\/p>\n IRI has <\/span>recently partnered<\/span><\/a> with Indian data consultancy HawkTech Advance Solutions in Noida to apply expert vulnerability assessment services with <\/span>IRI Data Protector Suite software<\/span><\/a> like <\/span>IRI FieldShield<\/span><\/a> or <\/span>DarkShield<\/span><\/a> to classify, discover, and mask PII <\/span>before <\/span><\/i>a data breach happens. This same combination of expertise and technology also aims to satisfy DPDPA Subject Access Requests (SARs).<\/span><\/p>\n In general, if breached data was rendered unidentifiable by prior redaction, erasure, or pseudonymisation for example, it cannot be reused. Such prevention of data misuse should thus preclude any DPDPA penalties.<\/span><\/p>\n If it is too late, however, and a breach of unmasked data has occurred, the DPDPA requires notification of the affected Data Principals about what has been exposed. Data Fiduciaries must identify (by searching for all names or Aadhaar numbers for example) and notify those whose unmasked values were found (and thus exposed). They can do this through the IRI product search logs; see <\/span>this page<\/span><\/a> and details in the next section.<\/span><\/p>\n Following are the general requirements of the DPDPA and specific IRI solutions to them. Let\u2019s start with those pertaining to the Data Fidicuciary\u2019s responsibility to obtain consent to process a Data Principal\u2019s data, and to maintain an audit trail around it:<\/span><\/p>\n Chapter II,<\/i><\/b> Obligations of Data Fiduciary, <\/span><\/i><\/p>\n 5. (1)<\/i><\/b> Every request made to a Data Principal under section 6 for consent shall be <\/i>accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,\u2014<\/i><\/p>\n (i) the personal data and the purpose for which the same is proposed to be processed;<\/span><\/i><\/p>\n Chapter II, Section 10:\u00a0<\/b><\/p>\n (2) The Significant Data Fiduciary shall\u2014<\/span><\/i><\/p>\n (c) undertake the following other measures, namely:\u2014<\/span><\/i><\/p>\n (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;<\/span><\/i><\/p>\n (ii) periodic audit<\/span><\/i><\/p>\n and<\/span><\/p>\n Chapter III, Section 11: <\/i><\/b>\u00a0<\/span><\/i> \u00a0<\/span><\/i><\/p>\n (1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,\u2014<\/span><\/i><\/p>\n (a) a summary of personal data which is being processed by such Data Fiduciary<\/span><\/i><\/p>\n and the processing activities undertaken by that Data Fiduciary with respect to such personal data;<\/span><\/i><\/p>\n These clauses effectively require the Data Fiduciary to locate, extract, and provide the Data Principal with his\/her record(s) for review. IRI software users can pull those records from tables or files in a simple (e.g., FieldShield) <\/span>job script<\/span><\/a> using the SQL SELECT (query) syntax, or an \/INCLUDE filter on the Data Principal\u2019s name or other value in a unique identifier column.\u00a0<\/span><\/p>\n Similarly, an IRI DarkShield search through structured, semi-structured, or unstructured sources can optionally save the person\u2019s name or other unique attribute\/s (e.g., a phone number or email address) in human or machine-readable search logs.<\/span><\/p>\n Chapter II, 5. (2)(b)<\/i><\/b>, the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.<\/span><\/i><\/p>\n Once a Data Principal has withdrawn their consent, the Data Fiduciary must be able to find and delete (or otherwise “cease processing”) all data associated with that Data Principal. See the section on erasure below.\u00a0<\/span><\/p>\n Note that an \/OMIT WHERE clause in FieldShield jobs may be added to allow for the exigencies to this however, as foreseen in:<\/span><\/p>\n Chapter II, Section 7 (II)<\/i><\/b>:<\/span><\/p>\n (c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;<\/span><\/i><\/p>\n (d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being under the provisions regarding disclosure of such information in any other law for the time being in force;<\/span><\/i><\/p>\n (e) for compliance with any judgment decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;<\/span><\/i><\/p>\n (f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;<\/span><\/i><\/p>\n (g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;<\/span><\/i><\/p>\n (h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.<\/span><\/i><\/p>\n The sections above mean that the Data Fiduciary needs \u2013 for risk assessment, management, and summarization purposes \u2013 to know where the Data Principal\u2018s PII is stored. Again, this is something that <\/span>IRI DarkShield<\/span><\/a> can discover in structured, semi-structured, and unstructured sources on-premise or in the cloud from searches that produce logs described in features #1, 3, and 7 <\/span>listed here<\/span><\/a>.\u00a0\u00a0<\/span><\/p>\n The need for discovery of both direct and indirect Data Principal identifies is also a condition precedent to meeting DPDPA security and SAR requirements, starting with <\/span>data protection<\/i><\/b> through PII data masking<\/span><\/a> functions, per:,\u00a0<\/span><\/p>\n Chapter II, Section 8:<\/i><\/b><\/p>\n (5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.<\/span><\/i><\/p>\n The consistent application of obfuscation functions like redaction, removal, pseudonymization, scrambling, encryption, and blurring \u2013 all of which are provided and configurable in IRI FieldShield and DarkShield \u2013 provides those safeguards and production environments, as well as realism and referential integrity in test environments.\u00a0<\/span><\/p>\n In addition to data protection, Data Principals have the<\/span> right to rectificatio<\/i><\/b>n <\/b>so that the data being processed or stored by the Data Fiduciary is up to date and\/or corrected:<\/span><\/p>\n Chapter III, Section 12: <\/i><\/b>\u00a0<\/span><\/i><\/p>\n 12. (1) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force.<\/i><\/p>\n (2) A Data Fiduciary shall, upon receiving a request for correction, completion, or updating from a Data Principal,<\/span><\/i><\/p>\n (a) correct the inaccurate or misleading personal data;<\/span><\/i><\/p>\n (b) complete the incomplete personal data; and<\/span><\/i><\/p>\n (c) update the personal data.<\/span><\/i><\/p>\n This right to rectification means the Data Fiduciary must find and fix the Data Principal\u2019s data, which could exist in different silos. In structured sources, changing values can be done with a lookup transformation or conditional field statement in a FieldShield job.<\/span><\/p>\n If the data is in structured, semi-structured and\/or unstructured sources, it\u2019s possible to set up a DarkShield pseudonymization rule to auto-substitute a particular person\u2019s PII in multiple data sources. This can be done via specifically named <\/span>data classes<\/span><\/a> that refer to a new value placed in the relevant replacement set file.<\/span><\/p>\n Finally, Data Principal have the<\/span> right to erasure<\/i><\/b>, per the GDPR right to be forgotten:\u00a0<\/span><\/p>\n Chapter III, Section 12,\u00a0<\/i><\/b><\/p>\n The “<\/span>Right to be Forgotten<\/span><\/a>” article (re: GDPR) explains how to do this in each IRI data masking product.<\/span><\/p>\n Implementing these solutions requires strategic planning and proactive management of data protection measures:<\/span><\/p>\n The Digital Personal Data Protection Act 2023 sets forth rigorous standards that redefine data privacy and security. By leveraging HawkTech\u2019s expert services in India with best-in-class IRI data classification, discovery, and masking software, you can comply with the law\u2019s many requirements, and strengthen the security posture of your data processing and development infrastructure.\u00a0<\/span><\/p>\n Click <\/span>here<\/span><\/a> to contact HawkTech in India, and <\/span>here<\/span><\/a> to contact IRI. Please tell us about your environment, timeline, and availability for an online meeting and demonstration. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":" Introduction The enactment of the Digital Personal Data Protection Act (DPDPA) 2023 on August 11, 2023, marks a significant evolution in India\u2019s data protection landscape. This new legislation introduces stringent requirements for the management and protection of personal data and tries to balance individual rights and organizational responsibilities. Key DPDPA Definitions A Data Fiduciary is<\/p>\nThe Importance of Compliance<\/b><\/h5>\n
![\"\"](\"\/blog\/wp-content\/uploads\/2024\/04\/personal-data-protection-300x200.png\")
<\/b><\/p>\nData Discovery and Masking for Compliance<\/b><\/h5>\n
Key DPDPA Provisions and IRI Technology Applications<\/b><\/h5>\n
Robust Data Discovery Is Needed for Audit, Consent, Data Protection and More\u00a0\u00a0<\/b><\/h5>\n
![\"\"](\"\/blog\/wp-content\/uploads\/2024\/04\/Darkshield-aggregate-results-report-300x208.png\")
<\/h4>\n![\"\"](\"\/blog\/wp-content\/uploads\/2024\/04\/New-field-rule-wizard-221x300.png\")
<\/p>\n\n
Implementation Scenarios and Best Practices<\/b><\/h5>\n
\n
![\"\"](\"\/blog\/wp-content\/uploads\/2024\/04\/HawkTech-IRI-DPDPA-Revised-300x226.png\")
<\/p>\nConclusion and Call to Action<\/b><\/h5>\n