Technology & Data Privacy

The Digital Personal Data Protection Act 2023 requires organisations that process personal data of Indian citizens (Data Fiduciaries) to: (a) collect personal data only for specified, clear, and lawful purposes; (b) obtain free, specific, informed, and unambiguous consent before processing; (c) process only the data necessary for the stated purpose (data minimisation); (d) implement reasonable security safeguards; (e) respond to Data Principal rights requests (access, correction, erasure, grievance); (f) notify the Data Protection Board and affected individuals of data breaches; and (g) for cross-border data transfers, comply with any restrictions on transfers to blacklisted countries.

A CERT-In direction issued in April 2022 requires all service providers, intermediaries, data centres, body corporates, and government organisations to report certain cybersecurity incidents to CERT-In within 6 hours of detection. Reportable incidents include targeted scanning, compromise of critical systems, data breaches, ransomware attacks, attacks on cloud infrastructure, IoT device attacks, and DDoS attacks. The reporting is made through the CERT-In incident reporting portal. Failure to report within 6 hours is a violation of the IT Act and attracts penalties.