Data Security Compliance with the India Digital Personal
Data Protection Act

Regulation Overview

India Digital Personal Data Protection Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

• The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data)
• The rights and duties of Data Principals (that is, the person to whom the data relates)
• Financial penalties for breach of rights, duties and obligations
• Establishment of Data Protection Board of India

Scope of the DPDP Act

The DPDP Act is ‘principles-based legislation’ that relies on concepts that are broadly similar to those in the GDPR. It governs data fiduciaries (i.e. data controllers), data processors and data principals (i.e. data subjects).

Highlights of the DPDP Act

• It applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized.  It also applies to such processing outside India if it is for offering goods or services in India. The Bill allows the transfer of personal data outside India, except to countries restricted by the central government through notification.
• Personal data may be processed only for a lawful purpose upon consent of an individual.  Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
• Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
• It grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
• Government agencies are exempted from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offenses.
• The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
• The Bill specifies penalties for various offenses such as up to: (i) Rs 200 crore for non-fulfillment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.  Penalties will be imposed by the Board after conducting an inquiry.

Thales can help organizations to protect sensitive data and to comply with DPDP requirements with a Data-centric Security approach. Organizations can leverage Thales’ suite of identity and data security solutions to become compliant today and stay compliant in the future.

Data Security

CipherTrust Platform unifies data discovery, classification, and protection and provides unprecedented granular access controls, all with centralized key management. You can rely on Thales CipherTrust Data Security Platform to discover, protect and control your organization's sensitive data, wherever it resides.

Discover: Data Discovery & Classification

The first step in protecting sensitive data is finding the data wherever it is in the organization, classifying it as sensitive, and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data is not overlooked and your organization does not fall out of compliance. CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud.

Protect Data-at-Rest

Protect:

Once an organization knows where its sensitive data is, protective measures such as encryption or tokenization can be applied. For encryption and tokenization to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by the organization.

• CipherTrust Tokenization
• CipherTrust Data Protection Gateway (DPG)
• CipherTrust Transparent Encryption (CTE)
• CipherTrust Security Intelligence

Control:

Organizations need to control access to their data and centralize key management. Every data security regulation and mandate require organizations to be able to monitor, detect, control, and report on authorized and unauthorized access to data and encryption keys. The CipherTrust Data Security (CDSP) Platform allows administrators to create a strong separation of duties between privileged administrators and data owners as well as to enforce very granular, least-privileged-user access management policies. CDSP delivers robust enterprise key management via CipherTrust Cloud Key Manager across multiple cloud service providers (CSP) and hybrid cloud environments to centrally manage encryption keys and configure security policies so organizations can control and protect sensitive data in the cloud, on-premise and across hybrid environments.

Protect Data-in-Motion/ Transit

Thales High Speed Encryptors (HSE) provide network-independent, data-in motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to site, or from on-premises to the cloud and back.

Strong Authentication and Access Management

Thales OneWelcome identity & access management solutions provide both the security mechanisms and reporting capabilities organizations need to comply with DPDP requirements. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy-driven role-based access, our solutions help enterprises mitigate the risk of a data breach due to compromised or stolen credentials or through insider credential abuse.