Connect With Us

DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.

Contact Info

Our Office : DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Landline : 0120-6930999
Toll Free : 1800-5711333
Write To Us : info@dpdpconsultants.com
Our Timings : Mon-Sat: 10:00 – 19:00

(+91) 0120-6930999

Schedule a Call

Please provide a Name.

Please provide an Email.

Please provide a Contact Number.

I have read, understood, and agree to Privacium's Privacy Notice, and Terms and Conditions, and I consent to the processing of my personal data.

Blog

What Is A Privacy Notice?

By Admin

On Jun 25, 2024
By Admin

What Is A Privacy Notice?

Discover the essentials of a privacy notice. Learn about its key components, and how it differs from a privacy policy.

India’s Digital Personal Data Protection Act, 2023, brings major changes to how businesses handle personal data. Now, Indian businesses must prioritise privacy, safeguarding users’ rights through key principles like data minimisation, accuracy, transparency, and security.

You need to be clear and open with users about how their personal data is processed and keep them updated.

To achieve this, the DPDP Act mandates that any consent request comes with a privacy notice.

But what does that entail?

This blog will explain what a privacy notice is under the DPDP Act, how it differs from a privacy policy, and the rules that apply until the new privacy law is fully enforced.

What is a Privacy Notice?

A privacy notice is aimed at external parties like clients, customers, website visitors, authorities, and other interested entities. It explains what the company does with personal data, including the types of data handled, the legal reasons for processing it, and any personal data shared with third parties.

A privacy notice typically outlines the organisation’s personal data processing practices and tells what to expect regarding the collected personal data:

How it’s collected
How long it’s kept
The security measures in place to protect it
How users can exercise their privacy rights under the law

Unlike a privacy policy, which is for instructing employees of an organisation, a privacy notice informs users and customers about how their personal data is managed. Let’s dive into the details.

Privacy Policy Vs. Privacy Notice

You must have noticed the terms “Privacy Notice” and “Privacy Policy”, often being used interchangeably by organisations. This practice is even seen in some privacy laws.

Despite this common mix-up, the International Association of Privacy Professionals (IAPP) clearly distinguishes the two. According to the IAPP, a Privacy Policy is an internal document outlining personal data protection practices for employees, while a Privacy Notice is an external document informing individuals and other stakeholders about these practices.

Both Privacy Policies and Privacy Notices can include information about:

Individuals’ rights
Types of information collected
How and why the information is processed by an organisation

However, there are key differences:

Privacy Policy: This internal document outlines the roles and responsibilities of employees, the processes and procedures they must follow to handle personal data securely, and the consequences of not following these rules. In simple terms, it specifies how employees should fulfil the commitments made in the Privacy Notice.

Privacy Notice: This external document aims to be transparent about the organisation’s data processing activities for external stakeholders. It may include information on:

Types of personal data processed
Source of this data
Purposes and methods of processing this data
Sale or disclosure of personal data to third parties and their details
Contact information for individuals to exercise their rights
Data retention and deletion policies
Use of cookies and tracking technologies
Other information required by data protection laws

Privacy Notice under DPDPA

The DPDPA requires that a Data Fiduciary’s Privacy Notice includes the following information [Section 5 of the DPDP Act 2023]:

Types of personal data processed by the organisation
Purposes for processing the personal data
How Data Principals can file a complaint with the Data Protection Board of India
How Data Principals can:
Withdraw their consent
Use the grievance redressal mechanism for issues related to their rights or any actions/inactions by the Data Fiduciary related to processing their personal data under the DPDP Act
Contact details of the Data Protection Officer or any other authorised person who can help with questions, grievances, and rights

For legacy or historical personal data (personal data collected before the commencement of the DPDPA), organisations must provide the same information if they rely on consent to process the personal data. They can continue processing this data until the individuals withdraw their consent.

Furthermore, the act mandates that Data Fiduciaries provide the Privacy Notice in English and any regional language specified in the Eighth Schedule of the Constitution.

Though, the DPDP Act 2023 (Section 5) does not explicitly require Data Fiduciaries to include information on personal data retention, processing locations, legal compliance, changes to the privacy notice, and the use of consent managers, including these details is considered good industry practice for greater transparency.

What Happens Until the DPDPA is Enforced?

Until the DPDP Act is in effect, regulations under the IT Rules will apply regardless of the enforcement. This requires organisations to publish a privacy policy that includes: This requires organisations to publish a privacy policy that includes:

Clear and accessible statements about their practices and policies
The types of personal or sensitive personal data they collect
The purpose for collecting and using this information
Information about sharing personal data, including sensitive personal data, with third parties
Reasonable security practices and procedures, such as those aligned with ISO 27001 standards

When comparing the privacy notice requirements under the DPDP Act with those of the privacy policy under the IT Rules, you will notice that a privacy policy under the IT Rules may lack information on the Data Protection Board of India (DPBI), grievance redressal, and the rights of Data Principals.

For the time being, it would be beneficial to fulfil the requirements of both sets of regulations when drafting or updating privacy notices and policies to dodge non-compliance penalties.

DPDP Consultants Can Help You!

Organisations often use personal data across different departments for various purposes, making manual consent management impractical.

We understand that each business faces unique challenges. That’s why we’ve created an easy-to-use consent management tool that adapts to changing personal data privacy regulations and integrates smoothly with your existing processes.

Our Data Protection Consent Management (DPCM) tool is available as a SaaS model that automates the management of personal data consent requests. It provides a robust system for tracking and handling these requests within companies.

Since the DPDP Act applies to personal data collected before August 11, 2023, the DPCM tool helps organisations manage legacy personal data by sending bulk privacy notices and consent requests.

It includes feature-rich dashboards that allow you to check compliance in real-time at various levels, helping management monitor the entire process, identify bottlenecks, and take practical steps to stay compliant.

Book A Free Consultation

We, at DPDP consultants, also provide a range of services and automation tools, giving your compliance team and management full visibility into your organisation’s compliance status.

DPDPA Readiness Review: Helps organisations understand how the DPDPA impacts their operations.
Contract Review service: Ensures your existing contracts meet DPDP specifications and makes necessary updates.
DPDPA Compliance Assistance: Helps set up internal audit frameworks to ensure regulatory alignment.
Data Protection Impact Assessment (DPIA): Assists in conducting DPIAs to assess and mitigate data processing risks. Our DPIA tool automates the process, making it easy to conduct DPIAs, track risks, and keep stakeholders informed about mitigation progress.
Data Principal Grievance Redressal (DPGR): Allows data principals to raise concerns through a user-friendly platform, reducing response times and ensuring compliance.
Data Protection Awareness Program (DPAP): A training program that educates your staff on the new regulation through regular sessions and assessments, ensuring compliance with the DPDPA.