eBook

Implementing DPDPA:

A step-by-step guide

for your organization

Table of contents

Introduction to DPDPA 03

Chapter 1

The importance of DPDPA in your organization 04

Chapter 2

Steps for implementing DPDPA in your organization 06

Step 1: Determining applicability 07

Step 2: Performing a gap assessment 08

Step 3: Appointing the DPO 08

Step 4: Inventorying and mapping data 09

Step 5: Implementing measures for securing data 10

Step 6: Deletion of data 12

Step 7: Managing consent 13

Step 8: Steps for grievance redressel 15

Step 9: Security safeguards 16

Step 10: SDFs and their obligations 16

Wrapping up 18

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 02

Introduction to DPDPA

With the increase in dependency on the Internet for business and personal

purposes, cybercriminals are also having their field day. One of the

incidents that rocked the cybersecurity community of India was the

persistent attack on All India Institute of Medical Science (AIIMS) Delhi. Five

hospital servers were hacked by threat actors due to improper

segmentation, and 1.3 TB of data was encrypted. A ransom was demanded

for the release of data.

These types of attacks begged for the formalization of data

protection and the introduction of laws for the prevention of data

breaches. The Government of India wants to ensure that the

Internet in India is open, safe, trusted, & accountable for all its

users. That is what led to the formation of the Digital Personal Data

Protection Act 2023.

DPDP Act, 2023, approved on August 11, 2023, is applicable to all

organizations that collect data electronically or physically and then convert

it into electronic form. In this whitepaper, we will discuss the steps you can

take to implement DPDPA in your organization.

Implementing the DPDP Act may seem daunting, but it is a necessary step

towards building a robust data protection framework. This whitepaper

provides a comprehensive guide to navigating the complexities of the DPDP

Act, offering practical steps and insights to help your organization achieve

compliance. By embracing these guidelines, you not only protect your

organization from potential breaches and penalties but also build trust with

your customers and stakeholders, demonstrating a commitment to their

privacy and security.

As data becomes the backbone of modern business operations, ensuring

its protection is more critical than ever. This whitepaper will equip you with

the knowledge and tools needed to effectively implement the DPDP Act,

safeguarding your organization and the data of those you serve.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 03

Chapter 1

The importance of
DPDPA in your
organization

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 04

Why do you need an Act like DPDPA? Well, organizations all over the world,

including India, are facing the following challenges in protecting the

personal data of their stakeholders:

Security threats

India, like many other countries, faces various security threats,

such as cyberattacks, data breaches, & hacking attempts. These

threats can impact the confidentiality & integrity of client data.

Regulatory compliance

India has introduced data protection laws like the Digital Personal

Data Protection Bill, which organizations must comply with.

Ensuring compliance with these regulations can be challenging

and requires organizations to adapt their data-handling practices.

Data classification

The Digital Personal Data Protection Bill categorizes data into

various types, such as Personal Data, Sensitive Personal Data,

and Critical Personal Data. Accurately classifying & safeguarding

each type of data poses a significant challenge for organizations.

Insider threats

Employees and insiders can pose a threat to data security by

intentionally or unintentionally mishandling client data.

Organizations need robust strategies to mitigate these risks.

Data privacy culture

Building a culture of data privacy and ensuring that employees

are aware of and follow data protection policies is crucial. This

requires training & awareness programs within the organization.

f
Data the t prevention

With the growing concerns about data theft, organizations must

invest in robust cybersecurity measures to prevent unauthorized

access and data theft, both internally and e ternally x .

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 05

Chapter 2

Steps for
implementing DPDPA
in your organization

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 06

If you are an organization based in India, you should follow these steps to

determine the applicability of DPDPA in your organization and ultimately

implement it.

Step 1: Determine the applicability

First, assess whether your organization falls under the purview of the

DPDPA. Understand if you handle personal data and whether you meet the

criteria for compliance.

For the purpose of this Act, personal data means any data about an

individual who is identifiable by or in relation to such data. So, for example,

an Aadhar card number is a type of personal data as a person can be

identified by their Aadhar card number.

The criteria for compliance with DPDPA are as follows

The provisions of DPDPA shall be applicable to the processing of digital

personal data within the territory of India where personal data is

collected

In digital form, o

In non-digital form and digitalized subsequently

It also applies to the processing of digital personal data outside the

territory of India if goods/services are provided to the data principals

within the territory of India.

However, DPDPA is not applicable if

Personal data is processed by an individual for personal or

domestic purposes

Personal data is made to be made publicly available by

The data principal to whom such personal data relate

Any other person who is under an obligation under any law

for the time being in force in India to make such personal

data publicly available.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 07

Step 2: Gap assessment

Conducting a gap assessment for the DPDPA involves a comprehensive

evaluation of an organization's current data protection practices to identify

areas where it may fall short of DPDPA compliance. This process begins

with a thorough understanding of the DPDPA's provisions and expectations.

Subsequently, a data privacy gap assessment is conducted, delving into

the organization's policies, processes, and data protection framework to

pinpoint specific areas lacking alignment with the DPDPA.

This assessment also involves evaluating the organization's risk of

penalties due to non-compliance and prioritizing high-risk areas. Ensuring

transparency in data processing is critical, & identifying opportunities for

improvement is essential.

Lastly, gap assessment is an ongoing process requiring a systematic

approach to continuous monitoring and improvement to remain compliant

with the evolving DPDPA requirements and address emerging challenges

effectively.

ef fic ien tly.

er at ion al ga ps
ca n as sis t in ide nt ify ing op
t
Tools like Sc ru

Step 3: Appoint a DPO

Checklist for appointment of a DPO

An individual within your organization or hire an external professional

with expertise in data protection & privacy matters to serve as the DPO.

The appointed DPO should possess the necessary qualifications and

experience to effectively fulfill their role, including a deep understanding of

data protection laws and practices.

Organizations must provide the DPO's contact details to the Data

Protection Authority (DPA). This ensures that the regulatory body can reach

out to the DPO when necessary to address data protection matters. In

addition to sharing with the DPA, organizations should make the DPO's

contact information publicly accessible.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 08

This can be achieved by publishing it on the organization's website or
including it in privacy notices. The goal is to make it easy for data subjects

to reach out to the DPO for privacy concerns, data access requests, or

inquiries about their personal data.

Step 4: Data inventory and mapping

Building a data inventory and mapping is a fundamental process for

organizations to manage and protect personal data effectively.

Identifying & documenting data

Identifying & documenting

Building a data inventory and data

mapping is a fundamental process

for organizations to manage and

Data collection, storage,
protect personal data effectively.
processing, and transmission

Data collection, storage,

processing, & transmission

Understanding data flow

Data inventory and mapping track

the entire data lifecycle,

Identifying vulnerabilities
documenting collection points,

storage (on-premises or in the

cloud), processes, internal and

Transparency and

external transmission.
accountability

Understanding data flow

Mapping data flow provides a holistic view of data movement, crucial for

optimizing data management and ensuring compliance with regulations.

Identifying vulnerabilities

Data mapping identifies vulnerabilities in data handling, pinpointing areas at

risk of unauthorized access, breaches, or mishandling, enabling proactive

mitigation.

Transparency and accountability

Creating a data inventory and mapping enhances transparency and

accountability, showcasing a clear understanding and protective measures

to regulators, customers, and stakeholders.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 09

Step 5: Data security measures

Data security measures involve implementing technical and organizational

measures to ensure data security and protection. These measures are

crucial for safeguarding sensitive information and maintaining data

integrity.

Access controls Data classification &

labeling

Encryption Regular security Incident response

assessments plan

Encryption

Encryption is a crucial process that involves converting data into a coded

format to prevent unauthorized access. This security measure ensures that

even if data is intercepted or accessed without proper authorization, it

remains unreadable and useless. Encryption is applied to data both when it

is at rest, meaning stored in databases or on devices, and when it is in

transit, such as when transmitted between systems. This dual application

of encryption helps prevent data breaches and safeguards sensitive

information, including personal and financial data.

Two common methods of encryption are symmetric encryption, where the

same key is used for both encryption and decryption and asymmetric

encryption, which employs different keys for these two processes. These

encryption techniques are fundamental in securing data and protecting it

from potential threats and vulnerabilities.

Access controls

Access controls serve as essential mechanisms within an organization,

limiting access to specific data or systems. They are put in place to

guarantee that only authorized individuals can interact with data, whether

it's for viewing, modification, or deletion purposes. Role-based access

control (RBAC) is a significant component of access controls, granting

permissions based on an individual's role within the organization.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 10

This approach ensures that employees are provided access only to the data

relevant to their job responsibilities. Furthermore, access controls

encompass user authentication methods such as usernames and

passwords, as well as multi-factor authentication (MFA) to enhance

security measures and protect against unauthorized access.

Regular security assessments

Regular security assessments are a fundamental aspect of maintaining

robust data security within an organization. These assessments entail a

thorough evaluation of an organization's data security measures and

practices, with the primary objective of identifying vulnerabilities and

weaknesses that may exist.

Security assessments manifest in diverse forms, which encompass

penetration testing, vulnerability scanning, and security audits. Penetration

testing, for instance, replicates real-world attacks to uncover vulnerabilities

that malicious actors could potentially exploit. In contrast, vulnerability

scanning focuses on identifying potential weaknesses within systems and

software. Simultaneously, security audits entail a comprehensive review of

security policies and procedures.

The outcomes of these assessments are instrumental in guiding

organizations to take proactive corrective actions aimed at fortifying their

data security posture. By addressing the vulnerabilities and weaknesses

highlighted in these assessments, organizations can significantly enhance

their overall data security resilience.

Data classification and labeling

An integral aspect of data security is the classification of data according to

its sensitivity and value. This categorization enables organizations to tailor

their security measures to suit the varying needs of different types of data.

To facilitate effective data classification, data labeling is employed. This

practice ensures that individuals responsible for handling data are aware of

its classification and adhere to the prescribed security protocols. Typically,

data is categorized into several common classifications, including public,

internal, confidential, and sensitive. Each classification level comes with

distinct access & protection requirements, ensuring that data security

measures are aligned with the information being safeguarded.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 11

 Incident response plan

The presence of a well-structured incident response plan is a critical

component of any organization's cybersecurity strategy. Such a plan is

indispensable for addressing security breaches or data incidents promptly

and effectively.

This incident response plan serves as a comprehensive roadmap,

delineating the precise steps to be taken in the event of a security incident.

These steps encompass reporting the incident, implementing measures for

containment, initiating the recovery process, and managing communication

with relevant stakeholders.

Furthermore, the effectiveness of the incident response plan is ensured

through regular testing and updates. These ongoing practices are vital for

keeping the organization well-prepared and equipped to handle security

incidents efficiently, adapting to the evolving threat landscape, and

minimizing potential damage.

Step 6: Data deletion

It is an imperative step in the DPDP Act 2023, serving as a critical

component of compliance with data protection regulations & safeguarding

individuals' privacy rights. This process involves the removal of personal

data when it is no longer needed for its original purpose or when consent is

withdrawn. Ensuring the permanent deletion of such data is essential.

The primary purpose of data deletion is to uphold data protection

regulations and protect individuals' privacy. It enables organizations to

manage data responsibly throughout its lifecycle, preventing unauthorized

access or misuse. To facilitate effective data deletion, organizations should:

Data retention policies Secure data erasure methods

Practice data minimi z ation: Train E mployees

Ri g ht to re q uest the deletion o f

I mplement a system o f continuous

their personal data monitoring

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 12

 Establish clear data retention policies: these policies should delineate

how long various types of data should be retained & when data should

be scheduled for deletion. Such policies should consider legal

requirements, industry standards, and the needs of the organization

Use Secure data erasure methods: Data deletion must be conducted

securely to prevent data recovery by unauthorized individuals or

entities. This may involve overwriting data with random characters,

degaussing magnetic media, or physically destroying storage devices

Grant the right to request the deletion of their personal data: often

referred to as the "right to be forgotten”, organizations must have well-

defined processes in place to promptly respond to such deletion

requests

Practice data minimization: this involves collecting and retaining only

the data necessary for the intended purpose

Train Employees: members within the organization should receive

training on data deletion policies and procedures to ensure consistent

and compliant data-handling practices throughout the workforce

Implement a system of continuous monitoring: organizations should

ensure ongoing effectiveness and compliance with evolving data

protection regulations. Regular assessments and adjustments are

necessary to adapt to changing legal requirements and best practices in

the field of data protection.

Step 7: Consent management

Consent management under DPDPA aims to empower individuals to have

control over their personal data while providing organizations with a

structured and compliant approach to data processing. It ensures that

consent is obtained and managed in a transparent, accountable, and legally

compliant manner, aligning with the principles of data protection & privacy.

Consent as a core principle

DPDPA emphasizes the importance of obtaining informed and

explicit consent from individuals before collecting, processing, or

sharing their personal data. Consent is a fundamental principle of

data protection under DPDPA.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 13

 Consent managers

DPDPA allows for the appointment of "consent managers." These

are third-party, independent organizations or individuals

authorized to manage, review, and facilitate the withdrawal of

consent on behalf of data subjects. Consent managers act as

intermediaries between data principals and data fiduciaries

(organizations collecting and processing personal data).

Role of consent managers

Consent managers enable data principals to give, manage,

review, and withdraw consent easily and efficiently. They provide

a single point of contact for data subjects to exercise their

consent-related rights.

Registration and requirements

Consent managers must be registered with the Data Protection

Board of India (DPB), and they must meet specific requirements

prescribed by the DPB. These requirements may include ensuring

the security and privacy of consent-related data and adhering to

data protection standards.

Consent records

Consent managers maintain records of consent transactions,

including when consent was given, modified, or withdrawn.

These records serve as evidence of compliance with consent-

related obligations.

Withdrawal of consent

DPDPA grants data principals the right to withdraw their consent

at any time. When consent is withdrawn, data fiduciaries must

cease processing the data for which consent was withdrawn

unless there is a legal obligation to retain it.

Transparency and accountability

Consent managers promote transparency in data processing by

ensuring that individuals are fully informed about how their data

will be used. They help organizations demonstrate accountability

in data processing by maintaining accurate consent records.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 14

Step 8: Grievance redressal

Grievance redressal mechanisms under the DPDPA are designed to ensure

data principals can exercise their rights & seek remedies if their personal

data is mishandled or their privacy is violated. It aims to provide a robust

framework for addressing concerns related to data protection in India.

Right to grievance Appointment of Notification to data Multi-layered

redressal grievance officer principals redressal mechanism

Consent
Resolution of Transparency and

managers grievances confidentiality

Right to grievance redressal: The DPDPA grants data principals the right

to seek redressal for grievances related to the processing of their

personal data

Appointment of grievance officer: Data fiduciaries are required to

appoint a grievance officer as per the DPDPA. The grievance officer acts

as a point of contact for data principals to address their concerns and

complaints

Notification to data principals: Data fiduciaries must notify data

principals about the grievance redressal mechanism and the contact

details of the grievance officer

Multi-layered redressal mechanism: The DPDP Act provides a multi-

layered grievance redressal mechanism for data principals, ensuring that

their complaints can be addressed effectively

Consent managers: They are third-party organizations authorized to

manage and review consent, also play a role in grievance redressal by

handling consent-related grievances

Resolution of grievances: Grievances raised by data principals are

reviewed and addressed by the grievance officer and the data fiduciary,

as per the provisions of the DPDPA

Transparency and confidentiality: The process should maintain

transparency while respecting the confidentiality of the data principals'

information and grievances.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 15

Step 9: Security safeguards

Security safeguards under the DPDPA are paramount for upholding the

trust and privacy of individuals' personal data, and compliance with these

safeguards is imperative for organizations that handle personal data. It is

crucial to do so not only to avoid legal consequences but also to protect

the rights of data principals.

The DPDPA mandates the implementation of reasonable security

safeguards by data fiduciaries to prevent personal data breaches. These

safeguards play a critical role in ensuring the confidentiality and integrity of

personal data, thus safeguarding individuals' privacy.

What are these security safeguards

Data fiduciaries are also obligated to adopt data protection measures

and safeguards. These measures may encompass encryption, access

controls, and other security protocols designed to shield personal data

from unauthorized access or disclosure

Data fiduciaries must take proactive steps to prevent data breaches and

ensure the security of personal data. This includes the implementation

of robust cybersecurity practices and the regular conduct of security

assessments to identify and mitigate vulnerabilities

The DPDPA places accountability on data fiduciaries for maintaining

reasonable security safeguards. Failure to meet these obligations may

lead to liability, particularly in cases where a data breach occurs due to

inadequate security measures

Moreover, data fiduciaries are mandated to effectively protect personal

data under their control. This entails taking comprehensive measures to

prevent unauthorized access, data leaks, or any compromise of personal

data, thereby upholding the privacy and security of individuals' sensitive

information.

Step 10: For organizations identified as significant data

fiduciaries (SDFs)

The classification of a Significant Data Fiduciary hinges upon a

comprehensive assessment encompassing several critical factors.

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 16

These factors include an evaluation of the volume and sensitivity of

personal data processed by the entity, the potential risks posed to electoral

democracy, and the impact on the rights of Data Principals.

Additionally, the assessment takes into account considerations such as the

security of the State, the potential impact on the sovereignty and integrity

of India, and implications for public order. By examining these key criteria,

the determination of a Significant Data Fiduciary is made, reflecting the

entity's significance and responsibilities in the realm of data protection.

The three main obligations of a Significant Data Fiduciary are

Appoint a Data Protection Officer (DPO) based in India and is directly

answerable to the Board of Directors or a similar governing body.

Appoint an Independent Data Auditor to evaluate complianc

Conduct Data Protection Impact Assessment (DPIA) & periodic audits

Deletion of
Determining

applicability
1 6 data

Per forming a Managing

gap assessment 2 7 consent

Appointing
DPDPA Grievance

the DPO
3 Overvie w 8 redressel

Inventorying & Security

mapping data
4 9 safeguards

SDFs & their

Securing data
5 10 obligations

Steps for implementing DPDPA in your organization

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 17

Summing up

The Digital Personal Data Protection Act of 2023 (DPDPA) is a significant

legal framework in India aimed at safeguarding privacy rights and regulating

data protection in the digital age. It introduces key provisions and principles

to protect personal data and enhance data privacy.

Understanding the DPDPA's requirements, is essential, including data

protection principles and data controller obligations. Appointing a Data

Protection Officer (DPO), conducting data mapping, and implementing

technical measures are crucial steps. Establishing Data Sharing Agreements

(DSAs) and providing security and privacy training are also vital.

The DPDPA emphasizes granular choices, requiring organizations to give

individuals control over their data. Regular audits, data minimization, and an

incident response plan are essential for compliance.

In conclusion, the DPDPA represents a comprehensive and forward-looking

legal framework for data protection in India. Organizations must proactively

adhere to its requirements to protect privacy rights and ensure compliance

with this important legislation.

Scrut supports the implementation of India's DPDPA through its GPT Policy

Builder, enabling the creation of DPDPA-compliant data protection policies.

It offers guidance on evolving regulations, conducts data audits, and

provides training to promote a culture of data protection and privacy within

organizations.

Usher in a new era of

Request a demo

frictionless GRC programs

Implementing DPDPA: A step-by-step guide for your organization | scrut.io 18