Point of Contact (PoC) Information to CERT-In
As per the official CERT-In Directions dated April 28, 2022, Annexure II specifies the format for providing Point of Contact (PoC) information by service providers, intermediaries, data centres, body corporates, and Government organisations to CERT-In.
CERT-In Incident Reporting Form
To comply with the CERT-In directive under Section 70B of the IT Act, 2000, organizations are required to report specific cyber security incidents within 6 hours of noticing such incidents or being informed about them. The reporting should be done using the prescribed format provided by CERT-In.
Appropriate Provision in the Contract Between Data Fiduciary and Data Processor for Taking Reasonable Security Safeguards
When a Data Fiduciary engages a Data Processor, the contractual agreement must clearly define security responsibilities and expectations to ensure lawful and secure processing of personal data.
Reasonable Measures for Continued Processing During Data Compromise
When a compromise such as data breach, system failure, cyberattack, or natural disaster occurs, companies (Data Fiduciaries or Processors) must take proactive and reactive steps to ensure business continuity and the availability of personal data.
Appropriate Measures to Control Access to Computer Resources
Controlling access to computer resources is critical to preventing unauthorized access to personal data.
Appropriate Data Security Measures Under Rule 6(a)
To comply with the obligation to implement reasonable security safeguards, companies should adopt a combination of technical and organizational measures. Below is a detailed list:
Suggested Template to publish Business Information of Data Protection Officer (DPO)
In accordance with the Digital Personal Data Protection Act, 2023, the following details are published for the Data Protection Officer (DPO) designated by [Company Name] to oversee data protection compliance and handle grievances related to personal data processing.
Suggested Mechanism to Redress Grievances of Data Principal
To effectively redress grievances of Data Principals under the Digital Personal Data Protection Act, 2023 (DPDP Act), a company should implement a clear, accessible, and time-bound grievance redressal mechanism. Below are practical, compliant, and user-friendly mechanisms:
Additional obligations of Significant Data Fiduciary
This provision outlines additional obligations imposed on a Significant Data Fiduciary (SDF)—a category of Data Fiduciary that handles large volumes of sensitive personal data or has a high impact on national or public interest.
Rule 10: Verifiable consent for processing of Personal Data of a Child
This clause outlines the obligations of a Data Fiduciary (an entity that determines the purpose and means of processing personal data) with respect to obtaining verifiable consent before processing the personal data of children or persons with disabilities who have a lawful guardian, under the applicable data protection framework in India.