Data Privacy
Yes. While the Act does not explicitly use the term “data masking,” it requires data fiduciaries to implement “reasonable security safeguards” to prevent personal data breaches. Data masking, anonymisation, and encryption are standard techniques for meeting that obligation, since they limit what an attacker or an unauthorised insider can read even after gaining access to the data.
Data Discovery helps organisations identify where personal data resides across the enterprise. This is essential for fulfilling DPDPA mandates, such as purpose limitation, data minimisation, consent-based processing, and timely deletion. Without discovery, organisations cannot manage or protect personal data effectively.
Consent Management ensures that personal data is processed only after obtaining consent from the data principal that is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. Organisations must make withdrawing consent as easy as giving it, and must maintain records proving that lawful consent was obtained, for use in audits or investigations.
Data Protection under the Act includes implementing administrative, technical, and organizational safeguards to prevent unauthorized access, misuse, loss, or breaches of personal data. This includes encryption, access controls, monitoring, audits, and breach-response mechanisms.
Effective Data Governance ensures structured oversight over personal data, covering classification, storage, access control, retention, and deletion. The DPDPA expects every data fiduciary to put such governance in place, and imposes additional obligations on those the Central Government notifies as “Significant Data Fiduciaries”: they must appoint a Data Protection Officer based in India, engage an independent data auditor, and conduct periodic Data Protection Impact Assessments and audits.
If cookies collect personal data or track user behavior, websites must obtain clear, informed consent before activating them. This aligns with the Act’s requirements for explicit consent and transparency in data collection.
For processing personal data of children (persons below 18 years), the Act requires verifiable consent from a parent or lawful guardian; the same requirement applies to persons with disability who have a lawful guardian. Organisations must exercise due diligence to confirm that the person giving consent is an identifiable adult, which means verifying the identity and age of the parent or guardian. They must also use child-friendly notices, avoid tracking, behavioural monitoring or targeted advertising directed at children, and apply strict controls to children’s data.
Data fiduciaries must notify the Data Protection Board without delay upon becoming aware of a personal data breach, followed by a detailed report within 72 hours (or within any extension the Board approves). Affected data principals must also be informed promptly, including the nature and extent of the breach, its likely impact on them, and the mitigation steps taken or recommended.