Key Compliances under Information Technology (IT) Act, 2000

The Information Technology Act, 2000 was enacted by the Government of India to grant legal recognition to electronic records, digital signatures, and online transactions in order to facilitate e-commerce and digital governance. It emerged from the need to align with global practices such as the UNCITRAL Model Law on Electronic Commerce and to support India’s growing digital economy.

Key Compliances under Digital Personal Data Protection Act, 2023

The DPDP Act was introduced following the Supreme Court’s 2017 ruling that recognized the right to privacy as a fundamental right. This decision highlighted the need for robust data protection laws in India.

Rule 6 — Reasonable Security Safeguards under the DPDP Rules

Security of personal data is one of the most critical obligations under the Digital Personal Data Protection (DPDP) Act, 2023.

Registration and Obligations of Consent Managers under the Digital Personal Data Protection Framework

The Digital Personal Data Protection (DPDP) regime in India establishes a structured mechanism for enabling Data Principals to exercise meaningful control over their personal data.

Rule 3 — Notice by Data Fiduciary under the DPDP Act, 2023

Under the Digital Personal Data Protection (DPDP) Act, 2023, the foundational principle governing the processing of personal data is informed and specific consent.

Obligations of Data Fiduciary upon Becoming Aware of a Personal Data Breach

The Digital Personal Data Protection (DPDP) Act and its accompanying Rules prescribe stringent obligations on Data Fiduciaries once they become aware of a personal data breach.

Key Provisions of General Data Protection Regulation (GDPR)

General Data Protection Regulation (EU) 2016/679 (GDPR) is a comprehensive regulation adopted by the European Union to govern the collection, processing, and protection of personal data of individuals within the EU and European Economic Area (EEA).

Record-Keeping and Subscriber Information Requirements for Data Centres, VPS, Cloud, and VPN Service Providers

All Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network (VPN) service providers are mandated to maintain accurate and up-to-date records of their subscribers/customers. These records must be preserved for a minimum period of five (5) years or longer as required by applicable law, even after the cancellation or withdrawal of the subscriber’s registration.

Record-Keeping and Cybersecurity Obligations for Virtual Asset Service Providers

Virtual Asset Service Providers, Virtual Asset Exchange Providers, and Custodian Wallet Providers (as defined by the Ministry of Finance from time to time) are required to mandatorily maintain all information obtained through Know Your Customer (KYC) processes, as well as comprehensive records of all financial transactions, for a minimum period of five (5) years.

Point of Contact (PoC) Information to CERT-In

As per the official CERT-In Directions dated April 28, 2022, Annexure II specifies the format for providing Point of Contact (PoC) information by service providers, intermediaries, data centres, body corporates, and Government organisations to CERT-In.