
DPDP Act Non-Compliance Penalties
In the dynamic realm of data protection, understanding the consequences
Are you looking to comply with the new Digital Personal Data Protection (DPDP) Act implemented by the Indian government in the Lok Sabha?
If so, VISTA InfoSec is here to help you become DPDP compliant.
On August 11, 2023, the President of India gave his assent to the Digital Personal Data Protection Act, 2023 (DPDP Act), which outlines the lawful usage requirements for data collected by Data Fiduciaries and the rights and obligations of Digital Nagrik citizens.
The DPDP Act, 2023 is principle-based and less prescriptive than the EU’s GDPR. It’s more business-friendly and effectively protects user rights.
It focuses on digital personal data and replaces Section 43A of the IT Act and the SPDI Rules once enacted.
The DPDP Act promotes legality, fairness, and transparency in online personal data management.
● It assigns responsibilities to data custodians.
● It specifies data processing regulations.
● It grants individuals key rights.
● It establishes organizational obligations.
The DPDP Act proposes a compliance framework that includes the establishment of a Data Protection Board of India to ensure adherence.
The board will identify and penalize non-compliance, perform other duties assigned by the Central Government, and set up a Data Protection Authority for enforcement. Penalties up to Rs 250 crore for data misuse safeguard Indian citizens’ privacy (Clause 33 & Schedule, DPDP Act).
Significant Data Fiduciaries (SDFs) have several responsibilities under the Digital Personal Data Protection Act, including:
1. Appointing a Data Protection Officer (DPO): SDFs must appoint a DPO based in India, who will be responsible to the board of directors of the SDF.
2. Appointing an Independent Data Auditor: SDFs must appoint an independent data auditor to evaluate their compliance with the Act.
3. Undertaking Data Protection Impact Assessments (DPIA) and Periodic Audits: SDFs must undertake DPIAs and periodic audits, as prescribed under the rules.
4. Reporting Data Breaches: SDFs are required to report any data breaches to the authorities and to the affected users.
Let us help your organization achieve its Data Protection Compliance goals! Avoid the risk of penalties for data misuse by allowing us to assist you in safeguarding your customers’ privacy and protecting their personal data.
We are a global Information Security Consulting firm with offices in the US, UK, Singapore, and India, and have nearly two decades of experience in securing IT infrastructure and helping clients meet compliance obligations.
Our consulting services are designed to help you navigate the complexities of new legislation and ensure full compliance.
Schedule a complimentary consultation with our team of experts to learn more about the DPDP Bill and how we can help.
Conduct an initial study of the business to understand your card processes and environment, and consolidate the scope accordingly.
Understand your business operations, controls, and systems to define the scope (People, Process, and Technology) as applicable.
Assess your organization vis-à-vis the ISO27001 standard to identify areas that need to be addressed.
Identify your information assets across the organization and classify them as per criticality to create an asset inventory.
The Digital Personal Data Protection (DPDP) Act, 2023 regulates the processing of personal data within the territory of India. Under the Act, ‘Personal Data’ is defined as any data about an individual who can be identified by or about such data. The DPDP Act applies only to personal data in digital form and its applicability extends beyond the territory of India. This means that the Act can apply to the processing of personal data irrespective of the location of the processing, provided that the processing is related to any activity offering goods or services to data principals within India.
According to Section 8 (5) of the DPDP Bill 2023, responsibility for compliance with the Act lies with the Data Fiduciary, even in cases where activities are undertaken by a Data Processor or another Data Fiduciary on behalf of the Data Fiduciary. This means that any individual or entity that processes personal data within India must comply with the DPDP Act, regardless of whether they are physically present or incorporated in India, or whether the personal data belongs to a data principal located in India or abroad.
The cost of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.
The duration of an audit may vary depending on various factors such as the size and complexity of the organization being audited, the scope of the audit, and the location of the organization.
After a DPDP Audit is complete, you will receive a report detailing the findings of the audit. The report will typically include an assessment of your organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023, as well as recommendations for improving your compliance. The report may also include an evaluation of your organization’s data protection policies and procedures, as well as an assessment of the risks associated with the processing of personal data within your organization.
A DPDP Audit Certification is an independent assessment of an organization’s compliance with the Digital Personal Data Protection (DPDP) Act, 2023. The purpose of a DPDP Audit is to ensure that the organization is complying with the requirements of the Act and to identify any areas where improvements can be made. The audit can help organizations to identify and address any potential risks associated with the processing of personal data, and to ensure that they are taking appropriate measures to protect the privacy of individuals.
VISTA InfoSec LLC, 347 Fifth Ave,
Suite 1402-526, New York, NY 10016