TRST Score

DPDP Act Introduction


Enacted by Parliament, but the rules are slated to be released in 6 months.
DPDP Act (Fines Up to Rs.250 Crores Per Incident)
• The Digital Personal Data Protection (DPDP) Act is India's new law focused on safeguarding personal data in the digital space.
• The Act emphasizes user consent, transparency, and accountability in data processing, aiming to give individuals more control over their personal information and to strengthen privacy rights.
• Non-compliance with the DPDP Act can result in fines up to Rs.250 crores per incident.
• The Act has been passed by Parliament, but its official notification and implementation details are still pending.

What is PII Data?


Personally Identifiable Information (PII) Data
Any data that can identify an individual, either directly or indirectly.

• Basic Information: Names, contact details (address, email, phone), financial information (bank details, salary), and employment history.
• Sensitive Data: Biometric data, racial/ethnic origin, sexual orientation, etc., which require stricter protection.

Understanding Consent as per the DPDP Act
Types of Consent
Implied Consent: Where you don't need a signed consent form
• Employees and candidates come under the ambit of implied consent.
• Gig workers, consultants, surveyors, valuers, etc. come under the ambit of implied consent based on the contract.
• You cannot use the same data for marketing or any other purpose; that then requires explicit consent.
• If you pass the information to an external BGV company, then you need explicit consent.
• If you PULL a candidate's resume from Naukri or Monster, you need explicit consent; this is not covered under implied consent.
Explicit Consent: Where you need a signed consent form
• For any other third party outside the above categories, companies need to get explicit consent, for example from your customers.
Disclaimer: The Act's rules and details are yet to be published.
Key Elements of Consent
1. Clear and Plain Language
2. Identity and Contact Information of Data Collector
3. Purpose of Data Collection: You must avoid vague statements like "for any future use." Instead, explain how the data is used, e.g. for a loan, insurance claim, risk assessment, etc.
4. Types of Data Collected (e.g., name, contact details, financial details, identification information, etc.). If sensitive personal data (e.g., health, financial status, etc.) is involved, this should be highlighted separately.
5. Processing and Use of Data: This includes sharing with third parties (if applicable), storage, retention periods, and any automated decision-making processes.
6. Third-Party Sharing
7. Retention Period: Mention the duration for which the personal data will be retained.
8. Right to Withdraw Consent: Employees cannot withdraw as it is implicit, but can ask to be removed from BGV companies.
9. Right to Access and Correction
10. Consequences of Withholding Consent
FAQs on Consent
1. Are digital signatures valid for consent?
• Yes, digital signatures are valid for taking consent.
2. What does implied consent cover for BGV?
• Data related to payroll, compliance (e.g., tax, insurance, and benefits processing), qualifications, work history, educational background, and often conducting a background verification.
3. What does implied consent NOT cover, so that you MUST get explicit consent?
• 3rd party background verification
• Health records, if applicable.
• Criminal records
• Financial records (e.g., credit history or income).
4. If I get a resume from
If a BGV company asks you for ex-employment verification, should the ex-employer check consent from the ex-employee?
• Although it is assumed that the BGV company has got consent, ideally you should check if they have consent.

Data Storage Implications
Storage and Processing Implications
• PII Data must be stored and processed in India only.
• PII Data must be encrypted and stored.
• Who needs access and why they need access has to be clearly defined.
• Removing access when NOT needed has to be built into the process.
• Ideally have a PII Vault and tokenise PII Data.
• Give clear visibility to users about 3rd parties: who has access, why they have access, and how to remove access.
• Ensure your vendors also follow the same guidelines.
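One way to realise the PII vault, tokenisation and access-removal points above, as an added example that is not part of the original deck and not TRST Score's product: a minimal vault where other systems hold only random tokens, every release of PII is tied to a named principal, a purpose and an expiry, and erasure at the vault makes tokens held elsewhere unresolvable. Encryption at rest of the vault's store is assumed to be provided by the storage layer; the class, its method names and the sample values are all constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone

class PIIVault:
    """Raw PII is kept only here; other systems store the token.
    Assumption (illustrative): encryption at rest is handled by the backing store."""
    def __init__(self):
        self._records = {}  # token -> PII dict
        self._grants = {}   # (token, principal) -> (purpose, expires_at)

    def tokenise(self, pii):
        # Random token with no relation to the PII, so it cannot be reversed
        token = secrets.token_urlsafe(16)
        self._records[token] = dict(pii)
        return token

    def grant(self, token, principal, purpose, days):
        # Record who needs access, why, and until when (expiry forces review)
        expires = datetime.now(timezone.utc) + timedelta(days=days)
        self._grants[(token, principal)] = (purpose, expires)

    def revoke(self, token, principal):
        self._grants.pop((token, principal), None)

    def detokenise(self, token, principal, purpose, now=None):
        # Release PII only to the recorded principal, for the recorded purpose, while valid
        now = now or datetime.now(timezone.utc)
        grant = self._grants.get((token, principal))
        if grant is None or grant[0] != purpose:
            raise PermissionError("no grant for this principal and purpose")
        if now >= grant[1]:
            self.revoke(token, principal)  # expired grants are removed, not renewed silently
            raise PermissionError("grant expired")
        if token not in self._records:
            raise KeyError("record erased")
        return dict(self._records[token])

    def can_access(self, token, principal, purpose, now=None):
        try:
            self.detokenise(token, principal, purpose, now)
            return True
        except (PermissionError, KeyError):
            return False

    def erase(self, token):
        # The data owner deletes: tokens held by other systems stop resolving
        self._records.pop(token, None)
        for key in [k for k in self._grants if k[0] == token]:
            del self._grants[key]
```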
Definition of Third Party
Simple: Who owns the data? If your organization is NOT the owner of the data and cannot delete the data, then that entity or person is called a Third Party.
• HRMS SaaS Platform - Not third party
• BGV Vendor - Third party
• Insurance company - Third party
• Companies doing payroll on your behalf that can access your employee data - Third party
• Companies giving benefits programs, for example Advantage Club, Benepik, Sudexo etc. - Third party
• TRST Score - Bureau, Platform and Ex-Employee Vault - Not third party
• TRST Score - Manual Employment Verification and Education Checks - Third party

Principle of Data Minimization
Data Minimization Guide
The DPDP Act mandates the principle of data minimisation, which means that you should ONLY request and collect information that is necessary and nothing more. Here is an example from a BGV standpoint:
• Valid Information: You can ask about the candidate's job title, dates of employment, performance, and work-related behavior that are directly relevant to the position they are applying for.
• Restricted Information: Asking about personal issues, personal characteristics, or subjective opinions may be considered excessive and irrelevant for the background check unless explicitly required for the job role.

Handling Data Breach


A data breach under the DPDP Act refers to any unauthorized access to, disclosure, acquisition, or loss of personal data, which compromises the security, confidentiality, or integrity of the data.
Data Breach Handling To-Dos
• Report data breaches promptly: Organizations need to report data breaches within a reasonable time (ideally within 72 hours) to both the Data Protection Board and, if necessary, to affected individuals.
• Notify affected individuals: If the breach is likely to harm the affected individuals, the data fiduciary must inform them of the breach and the steps taken to mitigate the impact.
• Take remedial action: Organizations must implement appropriate measures to protect personal data and prevent future breaches.
• Accountability and penalties: Failure to comply with these obligations may result in penalties and other enforcement actions from the Data Protection Board.
Privacy Notice
Employee Privacy Notice
The privacy notice should inform employees about:
• The types of personal data being collected.
• The purposes for which the data will be used.
• How long the data will be retained.
• The rights of employees (e.g., to access, correct, or delete
data).
• How the data will be protected.
• The details of any third parties with whom the data will be
shared.

Training Employees on Handling PII Data
Points To Cover During Employee Training
1. Understanding PII and Personal Data
2. Principles of Data Protection under DPDP Act
3. Consent Management
4. Data Subject Rights
5. Data Breach Management
6. Data Security Practices
7. Third-Party Data Sharing
8. Retention and Disposal of Data
9. Monitoring and Auditing
10. Reporting Violations and Whistleblower Protection
11. Regular Refresher Training
