The protection of personal data has emerged as a top concern for individuals, companies, and governments. The recently passed Digital Personal Data Protection (DPDP) Act in India is a major turning point in the collection, storage, and processing of personal data. This seminal act seeks to enhance the authority of individuals concerning their online identities as well as bring organizations to book over data protection and security.
In this blog, we’ll break down the key provisions of the DPDP Act, explore its implications for digital KYC and identity verification, and provide actionable insights to help organizations stay compliant.
What is the DPDP Act?
Digital Personal Data Protection Act, 2023 is a data protection act enacted in India to protect people’s personal data. The Act regulates how organizations acquire, store, process, and make use of digital personal data. The Act comes into effect on both Indian and foreign companies that process digital personal data within India. The Act states that the term ‘personal data’ shall mean any piece of information by which an individual can be identified, for instance, name, address, telephone number, or biometric data. The Act guarantees people’s rights over their data, i.e., the right to access, correct, erase, and limit processing. It insists on explicit consent from individuals before collecting their data.
Key Objectives of the DPDP Act
- Guarantee the protection and privacy of individuals’ digital personal data.
- Grant individuals control over how personal data is processed, used, and shared.
- Require personal data to be processable only upon clear and informed consent.
- Obligate data fiduciaries (organizations that capture/use data) to safeguard data.
- Enact clear requirements on secure data treatment and breach mitigation.
- Accord people’s rights like access to data, correction, and erasure.
- Create a Data Protection Board to regulate and enforce the Act.
Scope and Applicability
- Data fiduciaries are organizations (such as companies or institutions) that decide the purpose and method of processing personal data. Data fiduciaries are obliged to ensure that data is processed lawfully, fairly, and transparently, and are required to safeguard individuals’ (data principals’) rights.
- Data processors are third parties that process personal data on behalf of the data fiduciary. They determine neither how nor why the data is handled; they are bound by the fiduciary’s instructions and must implement proper security controls.
Key Provisions of the DPDP Act
Consent Mechanisms
- Personal data can only be processed after obtaining clear and informed consent from the individual (data principal).
- Consent should be specific, free, and only for the purpose for which it is being requested.
- Individuals are entitled to withdraw consent at any point in time.
- Data fiduciaries need to offer an easy and simple means of managing or withdrawing consent.
Transparency in Data Management
- Data fiduciaries need to notify individuals about what happens to their data, where it will be stored, and to whom it will be shared.
- Privacy notices should be clear, concise, and written in comprehensible language.
- People need to be made aware of their rights, why data is being collected, and how long data is being retained.
- Any sharing of personal data with third parties must be disclosed to the data principal.
Rights of Data Principals

- Consent Management: Data Principals can grant, withdraw, and manage consent for the collection and processing of their personal data whenever they wish.
- Right to Access and Erasure: The right of individuals to access the information held by data fiduciaries and to delete their information when it is no longer needed or upon withdrawal of consent.
- Right to Data Portability: Data Principals have the right to request that their personal data be provided to them in a structured, commonly used, and machine-readable format and transferred to a different service provider, where technically possible.
- Data Correction Rights: People have the right to correct, complete, update, or rectify personal data that is incorrect or misleading.
- Grievance Redressal: Data Principals can lodge complaints and seek immediate redressal through an appropriate grievance redressal procedure offered by the data fiduciary.
Special Provisions for Children’s Data
- The DPDP Act defines a child as any person below the age of 18 years.
- Data Fiduciaries are required to obtain verifiable parental consent before processing any personal data of a child.
- Processing of children’s data has to be carried out in a way that protects the child’s well-being and safety.
- Data Fiduciaries are forbidden from tracking or monitoring children or directing targeted advertising at them.
Compliance Requirements
- Reporting Standards: Cases of identity fraud or theft should be reported to appropriate authorities including the FTC, local police, and regulatory bodies within timelines and formats as mandated by law or industry guidelines.
- Record-Keeping Requirements: Companies must keep precise and secure records of all reports, investigations, correspondence, and corrective measures regarding identity theft or fraud for a legally defined time period, usually between 3 to 7 years, depending on the industry and jurisdiction.
Digital Identity Verification Under the DPDP Act
- Users of KYC services must now obtain clear and informed consent before capturing or authenticating personal data.
- Organizations are required to follow data minimization, capturing only the minimum information required to verify identities.
- Retention limits have been established, requiring organizations to store information only for as long as it is needed for verification.
- Biometric identification systems now need to include more robust consent and data protection measures.
- Video KYC is being widely implemented, with encryption and data privacy being the core necessities.
- Digital signatures and token-based authentication techniques are being enhanced to provide secure access and verification.
Best Practices for KYC Compliance and Data Protection
- Gather only the bare minimum personal information needed for KYC to meet data minimization standards.
- Notify customers in plain language about the purpose, usage, and storage of their information prior to collecting it.
- Get valid, clear, and specific consent from individuals before processing their personal data.
- Establish robust data encryption and storage security measures to safeguard KYC data.
- Verify that KYC information is accessed only by authorized users, enforced through strict role-based access controls.
- Periodically review and revise your data handling and KYC policies to ensure compatibility with the DPDP Act.
- Only share KYC information with third parties after the user’s consent and use processors that are DPDP-compliant.
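As an added example for the consent, data minimization, retention and access-control points in the Consent Mechanisms, Digital Identity Verification and Best Practices sections above, here is a small Python model of consent-gated KYC data handling. It was written for this post and is not the Identity Verification API or any product’s code; the purposes, field lists, roles and the 30-day retention period are assumptions chosen for the demonstration, not requirements taken from the Act.

```python
"""Consent-gated handling of KYC data, added to this post as an illustration.
This is example code, not the post's Identity Verification API and not a legal
statement of what the DPDP Act requires; the purposes, field names, roles and
the 30-day retention period are assumptions chosen for the demo."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Data minimisation: each processing purpose lists only the fields it needs.
# Anything else a form submits is dropped before storage (assumed purposes).
ALLOWED_FIELDS = {
    "identity_verification": {"name", "id_number", "date_of_birth"},
    "contact": {"name", "phone"},
}

# Role-based access: which roles may read data held for which purpose (assumed).
ROLE_PURPOSES = {
    "kyc_analyst": {"identity_verification"},
    "support_agent": {"contact"},
}

RETENTION = timedelta(days=30)  # assumed retention limit for verification data


class ConsentError(PermissionError):
    """Raised when processing is attempted without an active consent."""


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        if now < self.granted_at:
            return False
        return self.withdrawn_at is None or now < self.withdrawn_at


@dataclass
class KycRecord:
    principal_id: str
    purpose: str
    data: Dict[str, str]
    stored_at: datetime


class ConsentLedger:
    """Purpose-specific consent per data principal, with withdrawal."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def grant(self, principal_id: str, purpose: str, now: datetime) -> None:
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        self._consents[(principal_id, purpose)] = Consent(purpose, now)

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        self._consents[(principal_id, purpose)].withdrawn_at = now

    def is_active(self, principal_id: str, purpose: str, now: datetime) -> bool:
        consent = self._consents.get((principal_id, purpose))
        return consent is not None and consent.active_at(now)


class KycStore:
    """Stores KYC data only under active consent, minimised to the purpose,
    and erases it once consent is withdrawn or the retention limit passes."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._records: Dict[Tuple[str, str], KycRecord] = {}

    def collect(self, principal_id: str, purpose: str,
                submitted: Dict[str, str], now: datetime) -> List[str]:
        if not self.ledger.is_active(principal_id, purpose, now):
            raise ConsentError(f"no active consent for {purpose}")
        minimised = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS[purpose]}
        self._records[(principal_id, purpose)] = KycRecord(principal_id, purpose, minimised, now)
        return sorted(minimised)  # the field names actually retained

    def read(self, principal_id: str, purpose: str, role: str,
             now: datetime) -> Optional[Dict[str, str]]:
        if purpose not in ROLE_PURPOSES.get(role, set()):
            raise PermissionError(f"role {role} may not read {purpose} data")
        self.purge_expired(now)
        if not self.ledger.is_active(principal_id, purpose, now):
            raise ConsentError(f"consent for {purpose} is not active")
        record = self._records.get((principal_id, purpose))
        return dict(record.data) if record else None

    def purge_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Erase records past retention or whose consent has been withdrawn."""
        expired = [key for key, rec in self._records.items()
                   if now - rec.stored_at > RETENTION
                   or not self.ledger.is_active(key[0], key[1], now)]
        for key in expired:
            del self._records[key]
        return expired
```

The store never stores a field the declared purpose does not need, refuses both collection and reads without an active purpose-specific consent, and treats withdrawal and the retention deadline as erasure triggers rather than as flags checked only at read time, so an audit of `_records` at any point shows only data that may lawfully still be held.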
Conclusion
The Digital Personal Data Protection Act marks a defining moment in India’s journey towards data protection, laying the groundwork for responsible digital activity and user-driven privacy rights. As companies adapt to this new regulatory landscape, keeping up with the requirements for identity verification and KYC becomes more important than ever before.
Our Identity Verification API is created to enable companies to effortlessly achieve DPDP compliance while providing a quick, secure, and convenient verification process. With aspects such as real-time document verification, face matching, and consent-driven data processing, our API makes each KYC process both compliant and effective.
FAQs
What are the objectives of DPDP?
The DPDP Act aims to protect individuals’ digital personal data, ensure responsible data processing, and establish a framework for consent, transparency, and accountability in data handling.
What are the duties and rights of data principals in terms of the DPDP Act?
Data principals (individuals) have the right to access, rectify, and delete their data, and to withdraw consent. They also have obligations not to make false complaints and to comply with applicable laws while exercising their rights.
How is GDPR different from the DPDP Act?
While both laws emphasize data protection, GDPR is wider in scope and applies wherever EU residents’ data is processed, with more stringent cross-border data transfer provisions. DPDP is localized to India, is more aligned with consent-based processing, and places a lighter compliance burden on startups.
Is a data processor also a data fiduciary and vice-versa?
Yes, a single entity can be either one, depending on the role it plays for a given processing activity. A data fiduciary decides for what purpose data is processed, whereas a data processor processes data on behalf of a fiduciary.
What is Parental Consent and the Right to Nomination under the Act?
Parental permission is needed for processing data of children below 18 years of age. Right to Nomination enables a person to designate someone to take care of their data rights in case of death or inability to manage them.