CCP · Module 5 · Lesson 5.4

🌍 Global Data Protection & Sector Regulations

Navigating the complex regulatory landscape across jurisdictions and sectors

⏱️ 120 minutes · 📖 Lesson 4 of 4

1. GDPR vs DPDPA Comparison

Aspect                | GDPR (EU)                                                                                                         | DPDPA 2023 (India)
----------------------|-------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------
Scope                 | All personal data, whether processed digitally or held in a structured physical filing system                     | Digital personal data only (including physical data later digitised)
Lawful bases          | 6 lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests           | Consent, plus the "legitimate uses" enumerated in Section 7 (e.g., voluntary provision, state functions, legal obligation, medical emergency, employment)
Consent               | Freely given, specific, informed, unambiguous                                                                     | Free, specific, informed, unconditional, unambiguous, given by a clear affirmative action
Data subject rights   | 8 rights, including access, rectification, erasure, restriction, portability, objection                           | 4 rights: access to information, correction and erasure, grievance redressal, nomination
DPO required          | In specific circumstances (public authorities, large-scale monitoring, large-scale special-category processing)  | Only for Significant Data Fiduciaries (DPO must be based in India)
Cross-border transfer | Adequacy decisions, SCCs, BCRs                                                                                     | Permitted unless the Central Government restricts transfer to a notified country
Maximum penalty       | €20M or 4% of worldwide annual turnover, whichever is higher                                                      | ₹250 crore per instance (aggregate ₹500 crore)
Regulator             | National Data Protection Authorities (DPAs)                                                                       | Data Protection Board of India

2. RBI Data Localization Requirements

3. SEBI Cyber Security Framework

4. Healthcare Data Regulations

4.1 Ayushman Bharat Digital Mission (ABDM)

  • Health Data Management Policy: governs how electronic health records are created, stored and shared across the ABDM ecosystem
  • Consent Framework: granular, purpose-bound consent for each health data sharing request, managed through consent managers
  • Data Localization: health data must be stored in India
  • Security Standards: specific security requirements for Health Information Providers and Health Information Users

4.2 DPDPA + Healthcare

DPDPA 2023 does not carve out a separate "sensitive personal data" category; health data is treated as digital personal data, but its sensitivity raises the bar for what counts as a reasonable safeguard. Under DPDPA:

  • Processing requires consent unless a legitimate use under Section 7 applies (e.g., a medical emergency or epidemic response)
  • The Section 8 duty to implement "reasonable security safeguards" is judged against the sensitivity of health data, so stronger controls are expected
  • Breach notification to the Data Protection Board and each affected Data Principal is critical because a leak of health data causes serious, hard-to-reverse harm

5. International Data Transfer Mechanisms

DPDPA Approach

Transfers are permitted by default; the Central Government may, by notification, restrict transfer to specified countries (Section 16). This is a "blacklist" approach rather than GDPR's "whitelist" of adequacy decisions. Section 16(2) preserves any Indian law that imposes a stricter restriction, so sectoral localization mandates still apply.

Sector-Specific

RBI requires payment system data to be stored only in India. SEBI may impose its own requirements on regulated entities. Always check the sectoral regulations before relying on the DPDPA default.

Contractual Safeguards

Even for countries that are not restricted, put a data processing agreement in place with the recipient that binds it to concrete security commitments (safeguards, breach notification timelines, sub-processor controls, and deletion on completion of purpose).

📝 Key Takeaways

1. DPDPA covers only digital personal data; GDPR covers all personal data
2. RBI requires payment system data to be stored only in India
3. SEBI requires 6-hour incident reporting and annual audits
4. Healthcare data has additional protections under ABDM and DPDPA
5. Cross-border transfer under DPDPA depends on government notification, subject to stricter sectoral rules

🎉 Module 5 Complete!

You've completed Cyber Law & DPDPA Compliance. Take the assessment to unlock Module 6.