Record-Keeping and Subscriber Information Requirements for Data Centres, VPS, Cloud, and VPN Service Providers

All Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network (VPN) service providers are mandated to maintain accurate and up-to-date records of their subscribers/customers. These records must be preserved for a minimum period of five (5) years or longer as required by applicable law, even after the cancellation or withdrawal of the subscriber’s registration.
Record-Keeping and Cybersecurity Obligations for Virtual Asset Service Providers

Virtual Asset Service Providers, Virtual Asset Exchange Providers, and Custodian Wallet Providers (as defined by the Ministry of Finance from time to time) are required to maintain all information obtained through Know Your Customer (KYC) processes, as well as comprehensive records of all financial transactions, for a minimum period of five (5) years.
Point of Contact (PoC) Information to CERT-In

As per the official CERT-In Directions dated April 28, 2022, Annexure II specifies the format for providing Point of Contact (PoC) information by service providers, intermediaries, data centres, body corporates, and Government organisations to CERT-In.
CERT-In Incident Reporting Form

To comply with the CERT-In directive under Section 70B of the IT Act, 2000, organizations are required to report specific cyber security incidents within 6 hours of noticing such incidents or being informed about them. The reporting should be done using the prescribed format provided by CERT-In.
Appropriate Provision in the Contract Between Data Fiduciary and Data Processor for Taking Reasonable Security Safeguards

When a Data Fiduciary engages a Data Processor, the contractual agreement must clearly define security responsibilities and expectations to ensure lawful and secure processing of personal data.
Reasonable Measures for Continued Processing During Data Compromise

When a compromise such as a data breach, system failure, cyberattack, or natural disaster occurs, companies (Data Fiduciaries or Processors) must take proactive and reactive steps to ensure business continuity and the availability of personal data.
Appropriate Measures to Control Access to Computer Resources

Controlling access to computer resources is critical to preventing unauthorized access to personal data.
Appropriate Data Security Measures Under Rule 6(a)

To comply with the obligation to implement reasonable security safeguards, companies should adopt a combination of technical and organizational measures. Below is a detailed list:
Suggested Template to publish Business Information of Data Protection Officer (DPO)

In accordance with the Digital Personal Data Protection Act, 2023, the following details are published for the Data Protection Officer (DPO) designated by [Company Name] to oversee data protection compliance and handle grievances related to personal data processing.
Suggested Mechanism to Redress Grievances of Data Principal

To effectively redress grievances of Data Principals under the Digital Personal Data Protection Act, 2023 (DPDP Act), a company should implement a clear, accessible, and time-bound grievance redressal mechanism. Below are practical, compliant, and user-friendly mechanisms: