Express Computer
Home  »  News  »  Examining penalties under the DPDP act 2023

Examining penalties under the DPDP act 2023

0 695

By Antony Alex, Founder & CEO, Rainmaker

Under the Digital Personal Data Protection Act 2023, substantial fines are prescribed to discourage violations of its regulations. In recent times, there have been a few instances in India that resulted in compensation or penalties due to cyber breaches. However, with the enforcement of the DPDP Act, this will likely change. It is therefore crucial for organisations to stay aware, educate their teams and remain compliant.

The penalties for failing to comply with the Act range from ₹10,000 to ₹250 crores. Notably, there is no mention of criminal sanctions in the Act, including the possibility of imprisonment.

Misconduct Penalised under the Act
As per the Schedule in the DPDP Act, here are the maximum penalties for different types of breaches:

-Personal Data Breach Up to ₹250 Crores
-Failure to Notify Data Breach Up to ₹200 Crores
-Breach in Observance of Additional Obligations in
-Relation to Children Up to ₹200 Crores
-Breach of Additional Obligations of Significant Data
-Fiduciary Up to ₹150 Crores
-Breach of Duties under Section 15 Up to ₹10 thousand

Breach of Voluntary Undertakings

-Penalties corresponding to the relevant breach
-Other Breaches Up to ₹50 Crores

Role of DPBI in Penalties
Chapter V of the DPDP Act mentions the establishment of the Data Protection Board of India (DPBI), an entity that will be responsible for imposing penalties. The primary role of this Board will be to ensure
adherence to the Act, safeguard the rights of Data Principals, address grievances and instances of Act violations, and hold the authority to levy fines on violators.

When information regarding a breach or non-compliance is reported, the DPBI will be authorised to conduct a comprehensive evaluation to determine whether substantial grounds warranting an investigation exist.
Additionally, the DPBI will have the ability to summon and interrogate witnesses, scrutinise data and documents, and take requisite measures to conduct a thorough investigation.

In cases of significant breaches, the DPBI will possess the jurisdiction to impose fines, the severity and classification of which are outlined in the Act’s Schedule, based on the nature of the transgression. The Act empowers the DPBI to levy penalties against entities such as a Data Fiduciary, which means a person who processes personal data (Data Fiduciary). A Data Fiduciary must obtain consent from the Data Principal, i.e., the individual to whom the personal data relates (Data Principal). To obtain consent, the Data Fiduciaries must first provide a notice specifying the particular personal data to be collected and the specific purpose for which it will be used (Notice).

A Data Principal may also appoint a consent manager, i.e., a person registered under the Act to act as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent and interoperable platform (Consent Manager). A Consent Manager shall be accountable to the Data Principal and a Data Principal shall have a right of redressal of grievances by the Consent Manager.

Factors affecting the penalty

Before imposing penalties, the DPBI will be required to conduct an initial assessment of the merits, carry out inquiry proceedings regarding the reported breach and adhere to the principles of natural justice.

Under Section 33(2), the factors affecting the penalties are as follows:
 (a) the nature, gravity and duration of the non-compliance;
 (b) the type and nature of the personal data affected by the non-compliance;
 (c) repetitive nature of the non-compliance;
 (d) whether the person, as a result of the non-compliance, has realised a gain or avoided any loss;
 (e) whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;
 (f) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non- compliance with the provisions of this Act, and
 (g) the likely impact of the imposition of the financial penalty on the person.

Parting thoughts
The recently enacted DPDP Act 2023 is widely recognized as a significant legal framework capable of reshaping the entire landscape of Data Protection in India. Adhering to the stipulations of the new Act presents numerous challenges for businesses. Enterprises will need to adjust to the new regulations, a step that will ultimately establish a basis for cultivating trust among consumers and upholding the security of our online personal data.

Get real time updates directly on you device, subscribe now.

Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 

Stay updated with News, Trending Stories & Conferences with Express Computer
Follow us on Linkedin
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image