DPDP法案 - 概述：

DPDP法案的核心是印度第一个综合法律框架，该框架管理公司和政府如何收集，存储，使用和共享个人数据。

India's new data protection law, the Digital Personal Data Protection Act (DPDP Act), marks a turning point in the digital age. At its core, the DPDP Act is India's first comprehensive legal framework that governs how companies and governments can collect, store, use, and share personal data.

印度的新数据保护法，《数字个人数据保护法》（DPDP法案）标志着数字时代的转折点。 DPDP法案的核心是印度第一个综合法律框架，该框架管理公司和政府如何收集，存储，使用和共享个人数据。

In today's hyper-connected digital world — one that grows more complex with each passing day — this regulation was celebrated as a long-awaited milestone in safeguarding individual privacy. For individuals, it marks a significant shift, empowering them with greater control over their digital footprint. But for organisations that collect or process personal data, it introduces a new era of accountability.

在当今超连接的数字世界中，每天都变得更加复杂 - 该法规被庆祝为期待已久的里程碑，以保护个人隐私。对于个人而言，它标志着一个重大的转变，使他们能够更加控制其数字足迹。但是对于收集或处理个人数据的组织，它引入了问责制的新时代。

The law, which received presidential assent in August 2023, is set to come into force in October 2024, unless the government notifies otherwise. Any entity that collects or processes personal data in digital form would need to comply with the provisions of the DPDP Act. This includes companies of all sizes, government agencies, and non-profit organizations. There are no sector-specific exemptions. If you're handling personal data digitally—you're a Data Fiduciary, and this law applies.

该法律将于2023年8月获得总统同意，将于2024年10月生效，除非政府另有通知。任何以数字形式收集或处理个人数据的实体都需要遵守《 DPDP法》的规定。这包括各种规模的公司，政府机构和非营利组织。没有特定部门的豁免。如果您要以数字方式处理个人数据 - 您是数据受托人，并且该法律适用。

The DPDP Act is a process shift. Privacy must become part of company culture, product design, and stakeholder trust.

DPDP ACT是过程转移。隐私必须成为公司文化，产品设计和利益相关者信任的一部分。

The implications of non-compliance are severe, with penalties extending up to ₹250 crores!

不合规的含义是严重的，罚款延长了250亿卢比！

To help organizations navigate this critical stage, we've assembled a guide focusing on five immediate tasks data fiduciaries can begin working on.

为了帮助组织浏览这个关键阶段，我们汇编了一个指南，重点关注数据信托可以开始工作的五个即时任务。

1. Appoint a Data Protection Officer and Build Internal Teams

1。任命数据保护官并建立内部团队

While appointing a full-time Data Protection Officer may not be immediately necessary, it is critical to assign clear responsibility for privacy compliance within your organisation. This individual should be accountable for:

在任命全职数据保护官可能没有必要的同时，至关重要的是，要在组织内部分配明确的隐私合规责任。该人应负责：

• Monitoring legal updates and best practices in data protection

•监视法律更新和数据保护方面的最佳实践

• Guiding the organization in implementing and maintaining compliant data handling procedures

•指导组织实施和维护合规数据处理程序

• Modifying the enterprise's data protection policies

•修改企业的数据保护政策

• Interacting with the Adjudicating Officer for any breaches or disputes

•与任何违规或争议的裁决官员互动

Ideally, the assigned role should report directly to the top management, highlighting the high priority placed on data protection.

理想情况下，分配的角色应直接向高层管理人员报告，并强调对数据保护的高度优先级。

2. Create a Data Inventory and Map Data Flows

2。创建数据清单并映射数据流

Effective data protection begins with understanding what personal data is being collected and processed. Simply put, you can't protect what you don't know. This is why, as a first step, it is strongly suggested to undertake a structured data inventory and mapping exercise to identify:

有效的数据保护始于了解正在收集和处理哪些个人数据。简而言之，您无法保护自己不知道的东西。这就是为什么要强烈建议进行结构化的数据清单和映射练习以识别：

• The types of personal data being collected (e.g., names, email addresses, location data, biometric data)

•收集的个人数据类型（例如，名称，电子邮件地址，位置数据，生物识别数据）

• The sources of personal data collection (e.g., website forms, mobile apps, third-party integrations)

•个人数据收集的来源（例如，网站表单，移动应用程序，第三方集成）

This process, commonly referred to as Data Flow Mapping, forms the backbone of any privacy compliance framework. It enables the implementation of appropriate consent mechanisms, ensures data minimisation, assesses risks, and responds effectively to data principal rights under the DPDPA.

这个过程通常称为数据流映射，构成了任何隐私合规框架的骨干。它可以实施适当的同意机制，确保数据最小化，评估风险并有效地响应DPDPA下的数据原理权利。

3. Update Consent Practices and Modalities

3。更新同意惯例和方式

Under the DPDPA, consent must be

在DPDPA下，同意必须是

• free,

• 自由的，

• specific,

• 具体的，

•;informed,

•知情，

• unconditional, and

•无条件和

• revocable.

•可撤销。

This significantly raises the bar for how user consent is sought, recorded, and managed. Key requirements include:

这大大提高了如何寻求，记录和管理用户同意的方式。关键要求包括：

• Obtaining separate consent for different purposes: E.g., separate consent for marketing emails and processing contact details

•出于不同目的获得单独的同意：例如，营销电子邮件的单独同意和处理联系方式

• Detecting and preventing consent fatigue: E.g., providing a 'manage preferences' section in user accounts for modifying consent settings

•检测和预防同意疲劳：例如，在用户帐户中提供“管理首选项”部分以修改同意设置

• Ensuring the refusal of consent does not affect user experience: E.g., allowing access to website content even if consent for targeted advertising is refused

•确保拒绝同意不会影响用户体验：

Modernising your consent framework also builds user trust and transparency, in addition to being just a compliance requirement.

现代化您的同意框架还可以建立用户信任和透明度，而只是合规要求。

4. Familiarize Yourself With Data Subject Rights

4。熟悉数据主题权利

Under the DPDP Act, Data Principals are granted a set of enforceable rights, including the ability to:

根据《 DPDP法》，数据校长获得了一组可执行的权利，包括具有以下操作的能力：

• Access their personal data

•访问他们的个人数据

• Request rectification of inaccurate data

•请求纠正不准确的数据

• Request erasure of their personal data in specific cases

•请求在特定情况下删除其个人数据

• Object to the processing of their personal data

•反对处理他们的个人数据

These rights are fundamental to ensuring an individual's control over their digital footprint. Data fiduciaries need to integrate procedures and processes for handling such requests efficiently and effectively.

这些权利对于确保个人对数字足迹的控制至关重要。数据受托人需要整合过程和过程，以有效地处理此类请求。

5. Inform and Engage External Partners

5。告知并参与外部合作伙伴

Many organisations rely on external partners for technology, analytics, cloud storage, customer support, and more. If any personal data is being shared or processed by these partners, the law holds your organisation responsible for ensuring that data remains protected. Key contractual safeguards could include:

许多组织依靠外部合作伙伴来进行技术，分析，云存储，客户支持等。如果这些合作伙伴共享或处理任何个人数据，则法律使您的组织负责确保数据保持保护。关键合同保障措施可能包括：

• Express obligations on the partner to comply with the DPDP Act

•对合作伙伴的明确义务遵守《 DPDP法》

• Granting your organization the right to audit the partner's privacy practices

•授予您的组织审核合作伙伴的隐私惯例的权利

• Requiring the partner to notify you immediately of any data breaches or changes in the partnership that may affect personal data protection

•要求合作伙伴立即通知您任何可能影响个人数据保护的数据泄露或伙伴关系的变化

The DPDP Act is a new chapter in the digital age

DPDP法案是数字时代的新篇章