A comprehensive checklist based on the DPDPA is given below for ease of reference:

1. Determine Applicability

Section: 3
Control Objective: The Act’s scope is limited to digital personal data, i.e., personal data collected in digital form, or collected offline and later digitized.

Control Description:

  1. Does the organization process digital personal data within India?

  2. Does the organization process digital personal data outside India, where the processing is related to offering goods or services to Data Principals (data subjects) within India?

2. Policy & Procedures

Section: 4
Control Objective: Data Usage & Protection Policy - Policy containing the rules for the collection, usage and protection of data pertaining to Data Principals, including storage, encryption and access to the data.

Control Description:

  1. Is there a Data Usage & Protection Policy defined?

  2. Who approved the Data Usage & Protection Policy and what is the timeline for its review?

  3. Does the policy cover the data protection principles, Data Principal rights, personal data sharing or transfer, consent management, compliance with regulations, complaints & appeals, impact assessment, data breach notification, etc.?

Control Objective: Data Processing & Retention Policy - Policy containing the rules for authorization of processing the data for the specified purposes and retention period for the data

Control Description:

  1. Is there a Data Processing & Retention Policy defined?

  2. Who approved the Data Processing & Retention Policy and what is the timeline for its review?

  3. Does the policy cover the provisions of the DPDP Act, the authorization required for processing data, and the retention period of data used for the different types of services?

3. Employee Training

Section: N/A
Control Objective: The organization must generate employee awareness of key DPDP requirements and conduct regular training sessions (with periodic evaluations) to ensure that employees remain aware of their responsibilities regarding the protection of personal data and the detection of personal data breaches.

Control Description:

  1. Is mandatory training given to all new joiners (client-facing and others) as part of induction on:
    λ Organization’s Data usage & Protection policy.
    λ Organization’s Data processing & Retention policy.
    λ Personal data handling and detection of personal data breaches (prior to granting access to the relevant application or information).
    λ Other important compliance requirements?

Control Objective: The DPDP awareness program should be a dynamic process that is updated regularly and repeated whenever a staff-related data breach incident occurs.

Control Description:

  1. Whether periodic refresher training on the data privacy policy is given to all employees?

  2. Is the DPDP training program updated with the latest rules and regulations, and does the training manual cover all the relevant information?

4. Data inventory and data map

Section: 4
Control Objective: A Data Fiduciary shall process the personal data of a Data Principal only in accordance with the provisions of the Act and for a lawful purpose:
a) for which the Data Principal has given her consent; or
b) for certain legitimate uses

Control Description:

  1. Has the organization mapped the following:
    λ personal data collected, and how it is collected?
    λ how it will be used?
    λ where is it stored?
    λ how long will it be stored?
    λ who is the data owner?
    λ who will all have access to this data?

  2. Has the company determined, for each item of personal data collected, whether it is processed on the basis of consent or under one of the legitimate uses?

5. Consent Management

Section: 5, 6
Control Objective: Consent must be obtained from the Data Principal in accordance with the provisions of the Act for the purposes for which the data will be processed by the Data Fiduciary.

Control Description:

  1. Is the consent obtained from each Data Principal retained by the Data Fiduciary until erasure, withdrawal or completion of the service, so that it can be produced as evidence that consent was given?

  2. Does the request for consent contain any clause or note that infringes the provisions of the DPDP Act, i.e., is the consent free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, signifying agreement to the processing of personal data for the specified purpose and limited to that purpose?

  3. Is the request for consent presented in clear and plain language, with the option to access it in English or any of the 22 languages specified in the Eighth Schedule to the Constitution?

Control Objective: Every request made for obtaining the consent of a Data Principal shall be accompanied or preceded by a notice.

Control Description:

  1. Whether the right to withdraw the consent is provided to the Data Principal?

  2. Whether the ease for withdrawing the consent is the same as the ease for providing the consent?

  3. What is the turnaround time defined between the date of withdrawal of consent and the date on which processing of the data ceases?

  4. Whether the organization has engaged a Consent Manager accountable to the Data Principal, and whether such Consent Manager is registered with the Data Protection Board?

  5. Whether notice is given for every request made for the consent taken from each Data Principal?

  6. If consent was given before the Act came into force, whether notice was given to the Data Principal as soon as reasonably practicable after the Act became applicable?

  7. Does the notice given along with the request for consent contain the following particulars?
    λ the personal data that will be collected and the purpose for which it will be processed.
    λ the manner in which the Data Principal may exercise their rights.
    λ the manner in which the Data Principal may make a complaint to the Board.

6. Legitimate uses

Section: 7
Control Objective: Data Fiduciary shall process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose:
a) for which the Data Principal has given her consent; or
b) for certain legitimate uses.

Control Description

  1. If the Data Fiduciary is processing personal data without obtaining the consent of the Data Principal, check whether the purpose of such processing falls under any of the following legitimate uses:
    λ the specified purpose for which the data was voluntarily provided by the Data Principal,
    λ provision of government services or benefits, performance of functions under law, or compliance with any judgment, decree or order under any law,
    λ medical emergency, or health services during an epidemic or any other threat to public health,
    λ safety during a disaster or a breakdown of public order,
    λ purposes of employment or safeguarding the employer from loss or liability (e.g., prevention of corporate espionage, safeguarding IP).

  2. Check whether there is segregation between data processed with consent and data processed under legitimate uses, and ensure that data processed under a legitimate use is not reused for purposes that require consent from the Data Principal.

  3. Are there controls in place to ensure that data obtained under legitimate uses is also protected against data breaches?

7. General Obligations of Data Fiduciary

Section: 8
Control Objective: A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor

Control Description:

  1. Has the Data Fiduciary entered into a valid contract with each Data Processor with which personal data is shared for processing?

  2. Does the agreement contain clauses on the responsibility for obtaining consent from Data Principals, data breach handling, limitation of liability, and use of personal data only for the purpose specified in the agreement?

  3. Does the Data Fiduciary obtain SOC 2 reports from Data Processors to ensure proper IT controls are in place?

8. Technological and Organisational Measures

Section: 8
Control Objective: A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act.

Control Description:

  1. Has the organization taken all the technical and organisational measures required to implement the provisions of the Act, including:
    a. establishing data privacy and cybersecurity policies,
    b. encrypting data,
    c. access controls,
    d. establishing an incident management process,
    e. establishing data backup and recovery processes,
    f. securing endpoint devices,
    g. conducting regular employee training,
    h. conducting periodic security audits,
    i. conducting regular vulnerability assessment and penetration testing.

9. Data Breach

Section: 8
Control Objective: A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

Control Description:

  1. Are there controls designed to detect data breaches as they happen, and does the technology implemented raise an alert or notification when a breach occurs?

  2. Is there a defined procedure for reporting a potential data breach?

  3. Are steps to handle data breaches documented?

  4. Is there any data breach register maintained by the organization?

  5. Who reviews the data breach register and what is the frequency of review?

  6. Does the data breach register contain the status of the breach?

  7. Does the Data Fiduciary document any personal data breaches, its effects and the remedial action taken?

  8. Is there a mechanism to communicate the data breaches to the Data Principal?

Control Objective: In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed

Control Description:

  1. Is the turnaround time (TAT) defined for communicating a data breach to the affected Data Principals and the Board?

For every instance of a data breach, verify:

  1. that there is evidence of reporting the breach to the affected Data Principals and the Data Protection Board;

  2. that the communication was made within the specified time;

  3. that appropriate measures were taken to mitigate the adverse effects of the breach;

  4. that a data breach notification template/form is maintained;

  5. how the data breach was notified to the Board and to the Data Principals.

10. Data Erasure

Section: 8
Control Objective: A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force:

  1. erase personal data, upon withdrawal of consent or the specified purpose is no longer being served, whichever is earlier; and

  2. cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.

Control Description:

  1. What is the process to erase personal data once the specified purpose is served?

  2. What is the process to erase personal data after consent is withdrawn by the Data Principal?
    λ Are there any instances of consent withdrawal?
    λ Is the established process followed to erase such personal data?

  3. What controls are put in place to ensure that the outsourced data processor has erased the data on time?
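The consent, legitimate-use and erasure items above (sections 5, 6 and 10 of this checklist) all depend on the same underlying record: which Data Principal consented to which purpose, when it was withdrawn or the purpose was served, and when the data must therefore be gone. The following is an added example, not part of the original checklist or of the Act, of how a fiduciary might implement that record as a purpose-bound consent ledger. The class and function names, the purpose strings, the legitimate-use keys and the `day()` timeline helper are assumptions chosen for the example; the sample events are constructed.

```python
"""Consent ledger with a purpose-bound processing gate and erasure tracking.

Illustrative example (assumed names); not the original checklist's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc

# Legitimate-use bases from the checklist's Section 7 list. Keys are assumed.
LEGITIMATE_USES = {
    "voluntary_specified_purpose",
    "state_function_or_law",
    "medical_emergency",
    "disaster_or_breakdown",
    "employment",
}


def day(n: int) -> datetime:
    """Constructed timeline helper: n days after an arbitrary epoch."""
    return datetime(2024, 1, 1, tzinfo=UTC) + timedelta(days=n)


@dataclass
class ConsentRecord:
    """One consent for one (Data Principal, purpose) pair."""
    principal_id: str
    purpose: str
    notice_version: str              # which notice text (Section 5) was shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    purpose_served_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None and self.purpose_served_at is None

    def erasure_trigger(self) -> Optional[datetime]:
        """Earlier of withdrawal and 'purpose no longer served'."""
        events = [t for t in (self.withdrawn_at, self.purpose_served_at) if t]
        return min(events) if events else None


class ConsentLedger:
    """Purpose-bound consent store.

    Processing is allowed only against an active record for the exact
    purpose (consent for one purpose does not cover another), or under a
    named legitimate use. Withdrawal is a single call, i.e. no harder than
    giving consent, and every event goes to an audit trail the fiduciary
    can produce as evidence.
    """

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.audit: List[str] = []

    def give(self, principal_id: str, purpose: str,
             notice_version: str, now: datetime) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, notice_version, now)
        self._records[(principal_id, purpose)] = rec
        self.audit.append(f"{now.isoformat()} CONSENT {principal_id} "
                          f"{purpose} notice={notice_version}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        rec = self._records[(principal_id, purpose)]
        if rec.withdrawn_at is None:
            rec.withdrawn_at = now
            self.audit.append(f"{now.isoformat()} WITHDRAW {principal_id} {purpose}")

    def purpose_served(self, principal_id: str, purpose: str, now: datetime) -> None:
        rec = self._records[(principal_id, purpose)]
        if rec.purpose_served_at is None:
            rec.purpose_served_at = now
            self.audit.append(f"{now.isoformat()} SERVED {principal_id} {purpose}")

    def may_process(self, principal_id: str, purpose: str,
                    basis: str = "consent") -> bool:
        """Every processing call should pass through this gate."""
        if basis != "consent":
            # Legitimate uses need no consent, but the basis must be a named one.
            return basis in LEGITIMATE_USES
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.active()

    def erasure_due(self, principal_id: str, purpose: str,
                    legal_hold_until: Optional[datetime] = None) -> Optional[datetime]:
        """Date by which the data must be erased: the withdrawal / purpose-served
        date, unless a statutory retention requirement pushes it later."""
        rec = self._records.get((principal_id, purpose))
        trigger = rec.erasure_trigger() if rec else None
        if trigger is None:
            return None
        if legal_hold_until is not None and legal_hold_until > trigger:
            return legal_hold_until
        return trigger

    def overdue_erasures(self, now: datetime) -> List[Tuple[str, str]]:
        """(principal, purpose) pairs whose erasure date has passed; feed these
        to the erasure job and to the Data Processor erasure confirmations."""
        return [key for key in self._records
                if (due := self.erasure_due(*key)) is not None and due <= now]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.give("p1", "order_fulfilment", "notice-v1", day(0))
    ledger.withdraw("p1", "order_fulfilment", day(10))
    print(ledger.may_process("p1", "order_fulfilment"))   # False after withdrawal
    print(ledger.overdue_erasures(day(11)))               # [('p1', 'order_fulfilment')]
```

The gate is keyed on the exact purpose string so that a consent captured for order fulfilment cannot be silently reused for marketing, which is the segregation the legitimate-uses item asks for; `legal_hold_until` models the "unless retention is necessary for compliance with any law" exception, and the audit list is the evidence an auditor or the Board would ask for.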

11. Data Protection Officer

Section: 8
Control Objective: A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of their personal data.

Control Description:

  1. Whether the Data Fiduciary has appointed a Data Protection Officer if applicable?

  2. Whether the contact information of a Data Protection Officer / person who is able to answer on behalf of the Data Fiduciary published in such a manner as may be prescribed?

  3. Whether the Data Protection Officer / such other person appointed has sufficient technical knowledge to address the questions of the Data Principal?

  4. Whether the Data Protection Officer / such other person is addressing the queries of Data Principals within reasonable time?

12. Processing of Personal Data of Children

Section: 9
Control Objective: Data Fiduciary shall undertake specific measures while processing the personal data of children / person with disability as per the provisions of the Act.

Control Description:

  1. Is any personal data of a child / a person with disability processed as part of business activities?

  2. Is verifiable consent of the parent / lawful guardian of the child / person with disability obtained for processing of data for the specified purposes, in the manner to be prescribed?

  3. Ensure that Data Fiduciary has not undertaken any of the following:
    λ processing of data that is likely to cause detrimental effects on the well-being of children.
    λ tracking or behavioural monitoring of children or targeted advertising directed at children.

13. Additional Obligations of Significant Data Fiduciary

Section: 10
Control Objective: The Central Government may notify a Data Fiduciary as a Significant Data Fiduciary based on:
a) volume and sensitivity of personal data processed
b) risk to the rights of Data Principals
c) potential impact on the sovereignty and integrity of India
d) risk to electoral democracy
e) security of the State, and
f) public order.
A Significant Data Fiduciary has additional obligations under the provisions of the Act.

Control Description:

  1. Verify whether Significant Data Fiduciary (SDF) has appointed a Data Protection Officer representing SDF.

  2. Is such a Data Protection Officer based in India?

  3. Whether the Data Protection Officer of SDF is reporting to the Board of Directors or similar body of Data Fiduciary?

  4. Whether the Data Protection Officer is acting as a point of contact for the grievance redressal mechanism?

  5. Whether SDF has appointed an independent data auditor for carrying out the data audit of SDF? Or has the organization voluntarily appointed an auditor to ensure that on-going activities are in compliance with “organizational and technical measures” adopted to protect personal data?

  6. Whether the SDF has undertaken:
    λ Periodic Data protection impact assessment which constitutes Description of rights of Data Principal, Purpose of processing data, assessment and management of risks to rights
    λ Periodic Audit by the independent auditor

14. Rights of Data Principal

Section: 11, 12, 13, 14
Control Objective: The Data Principal shall have the right to access information about her personal data.
The manner in which such a request may be made is yet to be prescribed under the rules.

Control Description:
Whether Data Principals, upon making a request, are provided with the information of:
λ summary of personal data and processing activities undertaken.
λ identities of all other Data Fiduciaries/Processors with whom such data is shared along with description of data shared?
λ any other prescribed information?

Control Objective: Data Principal shall have the right to correction and erasure of personal data

Control Description:

  1. Whether Data Principal is provided with the right to request for:
    λ correction,
    λ completion,
    λ updation,
    λ erasure of personal data?

  2. Whether the Data Fiduciary has:
    λ corrected
    λ completed,
    λ updated,
    λ erased the personal data on request of Data Principal?

  3. Is the turnaround time defined for addressing the request from Data Principal for correction, completion, updation or erasure of personal data?

Control Objective: Data Principal shall have the right to grievance redressal

Control Description:

  1. Whether Data Fiduciary has set up a grievance redressal mechanism where Data Protection Officer / Consent Manager is addressing the grievances of Data Principal?

  2. Whether grievance redressal is readily available to the Data Principal or not?

  3. Whether grievances are addressed within the specified time by the Data Protection Officer / Consent Manager? The time for addressing grievances is yet to be prescribed under the rules.

  4. Is there any turnaround time fixed for addressing the grievances?

Control Objective: Data Principal shall have the right to nominate

Control Description:
Whether the Data Principal is provided with the right to nominate any other individual to exercise her rights in the event of death or incapacity (unsoundness of mind or infirmity of body)? The manner of nomination is yet to be prescribed under the rules.

15. Duties of Data Principal

Section: 15
Control Objective: Data Principal while providing the data for processing shall comply with the provisions of the Act

Control Description:
Are there any controls to verify:
λ the authenticity of personal data shared by the Data Principal, to ensure the Data Principal is not impersonating another person (e.g., verification of phone number through OTP).
λ Data Principal has not suppressed any material information while providing their personal data.
λ Data Principal has not registered any false or frivolous grievance or complaint with a Data Fiduciary or the Board.
λ Data Principal has routed the grievance through a grievance mechanism channel established by the organization before raising a complaint with the board.
λ Data Principal furnished accurate data while exercising the right to correction or erasure.

16. Processing of Personal Data Outside India

Section: 16
Control Objective: The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

Control Description:

  1. Whether any data is being transferred to the countries restricted by the Central Government?

  2. What controls are put in place to ensure that data transferred to other countries is being used for the specified purposes only and for goods or services rendered in India?

17. Regulatory changes

Control Objective: Changes in regulations

Control Description:
Does the company have a mechanism to track changes in the DPDP Act and its rules on an on-going basis?