Understanding the DPDP Act 2023: Is Your IT Services Provider ISMS Compliant?
- Akira Haruka
Introduction
Protection of data is very vital in the digital age, as personal data is collected, processed and stored for various purposes by different entities, be it Governments or corporations. It’s rightly said, data is the new oil. All of us have experienced a puzzle when we search for a product online, or have a discussion with a friend about a product and suddenly, all the advertisements we see while surfing the web or using an application are related to that product. This is an example where our data is processed and used for marketing purposes. The need for Data protection and regulations on how data can be collected, used, and shared was a need of the hour. Data protection Acts are laws with an objective to safeguard the security and privacy of individuals and their data. The General Data Protection and Regulation (GDPR) in the EU, The Personal Data Protection Act (PDPA) in Singapore are all examples of Data protection laws. The latest addition to the category is the Digital Personal Data Protection Act (DPDP Act 2023), which was enacted on August 11, 2023, by the Indian Parliament. These acts have significant implications for individuals, businesses, and society as a whole. Therefore, it is important to understand the need for data protection acts and how they affect us. Let’s dig deeper.
The Key Provisions of DPDP Act 2023
Transparency and Consent: The Act mandates that organizations must secure clear and explicit consent from individuals prior to the collection and processing of their personal data. The principle of transparency is fundamental, guaranteeing that individuals are provided with unambiguous information regarding the data being collected and its intended use.
Purpose Limitation and Data Minimization: The Act compels data controllers to only gather the data that is absolutely necessary for the intended purpose. The data should not be stored beyond the required duration, and its usage should be confined to the purposes specified.
Data Transferability: The Act empowers individuals with the right to demand their data from one service provider and move it to another. This clause fosters competition and ensures that users maintain authority over their personal data.
Right to Erasure: The Act grants individuals the right to demand the deletion of their personal data, given certain conditions are met. This “right to erasure” enables individuals to request the removal of their data from databases.
Data Protection Impact Assessments (DPIAs): The Act necessitates data controllers to carry out ADPIs to evaluate and alleviate risks linked with data processing activities, particularly when such processing poses significant risks to the rights and freedoms of data subjects.
Security Measures for Data Protection: The Act mandates organizations to establish stringent security protocols to safeguard personal data against unauthorized access and breaches. In the occurrence of a data breach, they are obligated to notify both the data subjects and the regulatory authorities.
Governance and Accountability: The Act promotes organizations to establish data protection policies and designate Data Protection Officers (DPOs) to ensure adherence to its regulations. Organizations are obligated to follow stringent guidelines when transferring personal data beyond the jurisdiction to countries that are not considered providing a sufficient level of data protection.
What is ISMS, and why is it relevant?
The ISO/IEC 27001:2013 is an internationally acknowledged benchmark for Information Security Management Systems (ISMS). It provides a formal specification for an ISMS, designed to place information security under clear management oversight. The ISO/IEC 27001 standard assists organizations in managing risks associated with the security of data they own or manage, ensuring that the system adheres to all the best practices and principles encapsulated in the International Standard. Its significance lies in its ability to make organizations aware of risks and proactively identify and address vulnerabilities. An ISMS, when implemented in accordance with this standard, serves as a tool for risk management, cyber-resilience, and operational excellence.
We, at Innovature are happy to share the successful completion of our 2023 annual ISMS, ISO/IEC 27001:2013 surveillance audit, with zero noncompliance! This audit, conducted by the esteemed Bureau Veritas, is a testament to our proactive approach to security and the dedication of our incredible team. At Innovature, we’ve always placed the highest priority on information security, and this achievement validates our unwavering commitment to safeguarding your data and ensuring the confidentiality, integrity, and availability of information.
Looking for the best and safe IT Services Provider out there? Innovature is happy to help.
