Skip to main content
HomeBlogEverything to know about the upcoming Digital Personal Data Protection Bill in India – Part 1

Everything to know about the upcoming Digital Personal Data Protection Bill in India – Part 1

In today’s highly interconnected world with an ever-evolving cybersecurity landscape, governments around the world are framing robust data protection legislations to safeguard the personal data of their citizens.

As one of the largest digital economies in the world, India too is slated to soon implement the Digital Personal Data Protection Bill, 2022 to protect its citizens’ personally identifiable information (PII) while fostering a strong trust in its vibrant digital ecosystem. The upcoming Digital Personal Data Protection Bill (“the Bill”) in India is poised to revamp the way organizations collect, store, share, and process the personal data of Indian citizens.

As data security practitioners, it is essential for us to grasp the underlying citizen-centric approach of the Bill, as it aims to empower Indian citizens with greater control over their personal information. By gaining a comprehensive understanding of the Bill, data security professionals can develop robust data protection strategies that not only comply with the evolving regulatory landscape but also meet changing consumer expectations.

In this two-part series, let’s deep dive into the various aspects of the Bill and explore how organizations can seamlessly protect the personal data of their Indian customers.

Key highlights of the bill

1) Personal data

One of the notable highlights of the Bill is its definition of personal data, which includes any data that can be identified with an individual or entity.

This encompasses traditional identifiers like name and contact details, as well as other identifiers like financial and health data, biometric and genetic information, and political affiliations.

2) Data principal, data fiduciary, and data processor

To establish unambiguous accountabilities, the Bill introduces the concepts of ‘Data Principals’, ‘Data Fiduciaries’, and ‘Data Processors’.

A Data Principal is anybody whose personal data is being used or processed. If the individual is a minor, the parents or legal guardians are considered as the respective Data Principals.

On the other hand, a Data Fiduciary is any individual or entity that determines the objective and mechanisms to process a Data Principal’s personal data. Similarly, a Data Processor is any individual or entity that processes the personal data on behalf of a Data Fiduciary.

3) Data protection officer and independent data auditor

The Bill emphasizes that Data Fiduciaries should appoint a dedicated Data Protection Officer based in India to ensure compliance with data protection mandates. This officer serves as the point of contact for grievance redressal mechanisms outlined in the Bill.

Additionally, Data Fiduciaries are required to appoint an Independent Data Auditor to assess their compliance with the mandates of the Bill.

4) Data Protection Board of India

The Bill mandates the Central Government of India to form an independent governing body known as the ‘Data Protection Board of India’ to oversee all regulatory compliances of the Bill.

The Board will possess extensive powers similar to a Civil Court, including the authority to investigate, impose penalties, and adjudicate disputes related to the protection of personal data as outlined in the Bill.

5) Consent and purpose limitation

To prevent misuses, the Bill mandates that Data Fiduciaries should obtain explicit consent from Data Principals before collecting, processing, or storing their personal data.

Furthermore, the Bill mandates that any personal data can only be processed or used for the specific purposes for which the consent was obtained from the Data Principal.

6) Right to access, correct, and erase personal data

The Bill gives Data Principals the right to access their personal data available with the Data Fiduciaries, request corrections to inaccurate or incomplete personal data, and demand Permanent erasure of their personal data under certain conditions.

7) Penalties for non-compliance

The Bill empowers the Data Protection Board of India to impose significant financial penalties on Data Fiduciaries and Data Processors for non-compliance with data protection mandates.

For example, failure to implement adequate security safeguards to prevent personal data breaches can result in penalties up to INR 250 crore. Additionally, failure to notify the Data Protection Board of India about a personal data breach can lead to penalties of up to INR 200 crore.

Summing up

While bills like the upcoming Digital Personal Data Protection Bill in India are crucial for curbing data breaches, organizations should not implement cybersecurity measures solely to meet regulatory mandates. It is essential to integrate privacy principles into all aspects of their operations, from products and services to day-to-day business practices. Data protection should be ingrained in the corporate culture rather than treated as an afterthought.

In the next part of this two-part series, let’s look at the key technologies that organizations can leverage to effectively protect their sensitive data. Stay tuned…

Want to learn more?

Contact a Solutions Architect today.

Give us a call


For over 40 years, Futurex has been a trusted provider of hardened, enterprise-class data security solutions. More than 15,000 organizations worldwide have used Futurex’s innovative hardware security modules, key management servers, and cloud HSM solutions to address mission-critical data encryption and key management needs.

Securing the world's most sensitive data.
Request Demo ▸