Legal frameworks for Data Protection (GDPR, Indian Data Protection Bill)

In today’s digital economy, personal data is a valuable asset. The increasing use of Artificial Intelligence (AI) and Machine Learning (ML) in financial services has further elevated the importance of protecting sensitive customer information. To ensure data privacy, countries have established legal frameworks that govern how personal data should be collected, processed, and stored. Among the most notable are the General Data Protection Regulation (GDPR) of the European Union and the Digital Personal Data Protection (DPDP) Act, 2023 in India.

General Data Protection Regulation (GDPR)

GDPR is a robust data protection law enacted by the European Union in May 2018. It applies not only to companies based in the EU but also to those outside the EU if they process the personal data of EU residents.

Key Principles of GDPR:

  • Lawfulness, Fairness, and Transparency:

Data must be collected and processed lawfully and fairly, and individuals must be informed about how their data is being used.

  • Purpose Limitation:

Data should be collected for specific, legitimate purposes and not further processed in ways incompatible with those purposes.

  • Data Minimization:

Only the data that is necessary for the intended purpose should be collected.

  • Accuracy:

Data should be accurate and kept up to date.

  • Storage Limitation:

Personal data should be kept only for as long as necessary.

  • Integrity and Confidentiality:

Data must be processed in a manner that ensures security and prevents unauthorized access or breaches.

  • Accountability:

Organizations must demonstrate compliance with GDPR through documentation, risk assessments, and audits.

Rights of Data Subjects under GDPR:

  • Right to Access: Individuals can access their personal data.

  • Right to Rectification: Individuals can correct inaccurate data.

  • Right to Erasure (Right to be Forgotten): Individuals can request data deletion.

  • Right to Restrict Processing: Individuals can limit how their data is used.

  • Right to Data Portability: Individuals can transfer data from one service provider to another.

  • Right to Object: Individuals can object to data processing, especially for marketing.

  • Rights in Relation to Automated Decision Making: Individuals can refuse decisions made solely by automated systems.

GDPR Penalties:

Organizations found in violation of GDPR can face fines of up to €20 million or 4% of their global annual turnover, whichever is higher. These strict penalties ensure that companies prioritize data protection.

Digital Personal Data Protection (DPDP) Act, 2023 – India

India’s Digital Personal Data Protection (DPDP) Act, passed in August 2023, is the country’s first comprehensive data protection legislation. It reflects global standards like the GDPR but is tailored to India’s regulatory, technological, and societal context.

Scope and Applicability:

The DPDP Act applies to:

  • Data processed within India.

  • Data processed outside India if it involves offering goods or services to individuals in India.

It governs the processing of digital personal data, whether collected online or digitized later.

Key Concepts and Definitions:

  • Data Principal: The individual to whom the personal data relates.

  • Data Fiduciary: The entity that determines the purpose and means of data processing.

  • Consent Manager: An independent entity that enables individuals to manage their data consent.

Principles of the DPDP Act:

  • Lawful Processing Based on Consent:

Consent must be free, informed, specific, and unambiguous, given through a clear affirmative action.

  • Purpose Limitation:

Data should be processed only for the purpose for which consent is obtained.

  • Data Minimization:

Only necessary data should be collected.

  • Data Accuracy and Security:

Data fiduciaries must ensure the accuracy and security of the data they process.

  • Right to Grievance Redressal:

Data principals can raise complaints through grievance mechanisms established by data fiduciaries.

  • Children’s Data:

Parental consent is required to process data of individuals under 18 years of age.

Rights of Data Principals:

  • Right to Access Information: To learn how their personal data is being used.

  • Right to Correction and Erasure: To correct or delete personal data.

  • Right to Grievance Redressal: To seek redress if their rights are violated.

  • Right to Nominate: Allows individuals to appoint someone to manage their data rights in the event of death or incapacity.

Obligations of Data Fiduciaries:

  • Obtain valid consent before processing.

  • Notify data principals about breaches.

  • Maintain reasonable security safeguards.

  • Cease data processing when no longer needed or upon withdrawal of consent.

Penalties and Enforcement:

The Data Protection Board of India will oversee enforcement. Penalties for non-compliance can go up to ₹250 crore (~USD 30 million), depending on the severity and nature of the violation. For instance, failure to prevent a data breach could result in significant financial penalties.

Key differences between GDPR and DPDP Act

Feature               | GDPR                                      | DPDP Act, 2023
----------------------|-------------------------------------------|------------------------------------
Territory             | EU + extraterritorial                     | India + extraterritorial
Basis for Processing  | Multiple (consent, contract, etc.)        | Primarily consent
Age of Consent        | 16 (can be lowered to 13 by member states)| 18 (strict)
Penalties             | Up to €20 million or 4% of turnover       | Up to ₹250 crore
Supervisory Authority | Independent DPAs in each EU country       | Data Protection Board of India
Data Subject Rights   | Extensive                                 | Moderate (no portability or objection)
Consent Withdrawal    | Permitted                                 | Permitted
