The practicalities of implementing India’s Digital Personal Data Protection Act

Tuesday 10 March 2026

Sajai Singh
JSA, Bangalore
sajai@jsalaw.com

Sankalp Inuganti
JSA, Bangalore
sankalp.inuganti@jsalaw.com

Ayush Sahay
JSA, Bangalore
ayush.sahay@jsalaw.com

Introduction

The Digital Personal Data Protection Act 2023 (the ‘DPDP Act’) and the Digital Personal Data Protection Rules 2025 (‘DPDP Rules’), which were notified by the Government of India on 13 November 2025, will form the basis of India’s new privacy regime. The substantive provisions come into force 18 months after notification, ie, from 13 May 2027, effectively giving organisations 18 months to ensure that they are compliant with the DPDP Act and the DPDP Rules. However, certain provisions, such as those relating to setting up the new data protection authority, ie, the Data Protection Board of India (DPB), apply from 13 November 2025, and the provisions that specifically apply to consent managers[1] will be effective as of 13 November 2026. Over the next 18 months, entities will likely take the steps set out below to ensure that they are compliant with the DPDP Act and the DPDP Rules, which, among other things, will likely include:

  • understanding any relevant gaps (ie, conducting gap assessments) between the existing processes and the requirements of the law;
  • redesigning data and log systems to comply with the prescribed record retention requirements;
  • updating the relevant breach response mechanisms to ensure that timely notifications are provided to the DPB and data principal(s);
  • the rebuilding of notices and consent flows as required under the new privacy regime;
  • an evaluation of the integration with consent managers; and
  • preparations to meet the compliance obligations imposed on significant data fiduciaries (SDFs), if an organisation is designated as one.

While organisations with a multi-jurisdictional presence may already have robust privacy frameworks in place that are compliant with the European Union’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA) and other similar privacy regulations, the new DPDP regime introduces certain novel and unique constructs like consent managers and India-specific obligations that cannot be satisfied by merely extending a company’s global policies to India. Instead, organisations in India will have to tweak and put together new policies to satisfy the compliance requirements set out in the DPDP Act and the DPDP Rules.

Operationalising compliance

The key to ensuring foolproof implementation of the DPDP Act is establishing a self-sustaining compliance programme that not only aligns with the DPDP Act and the DPDP Rules, but also converges with the existing sectoral regulations and applicable global standards. This requires a clear affirmation of compliance from a firm’s top management, setting the tone at the top and embedding data protection as an organisational practice.

In practice, a leadership-driven approach plays an important role in enabling meaningful implementation of the requirements set out in the DPDP Act and the DPDP Rules. Where data protection is treated with importance at the senior management or board level, internal stakeholders across departments, such as human resources (HR) and marketing, are more likely to engage in compliance efforts by providing timely inputs and treating data protection obligations as an integral part of business processes, rather than reducing them to an ancillary activity.

This foundation in turn helps with the next step, which is to conduct a comprehensive gap assessment to identify any discrepancies between the firm’s current practices and the new statutory requirements. In the absence of alignment by senior management and a clear internal mandate, gap assessments may be viewed by business teams as low priority. This can lead to delays in information sharing and incomplete responses, which slow down the gap assessment and can also result in inaccurate risk mapping, thereby undermining the effectiveness of the exercise. Organisations should ideally focus on developing a roadmap for remediation by prioritising high-risk areas on the basis of the findings from the gap assessment.

A critical aspect of the efforts to operationalise compliance under the DPDP Act is to establish a clear legal basis for processing personal data. This involves categorising data collection activities according to the specific type of consent obtained from the data principal or according to the legitimate uses permitted by the law. When the personal data relates to children or persons with disabilities, additional safeguards and compliance with specific provisions in the DPDP Act and the DPDP Rules become imperative, such as implementing processes to obtain verifiable consent from the data subject’s parents or lawful guardians, as prescribed, and carrying out a review of the firm’s products and processing activities to eliminate tracking, behavioural monitoring and targeted advertising aimed at children.

The next critical step is to determine the appropriate retention timelines based on the purpose of the processing. Personal data must be deleted upon the withdrawal of the data subject’s consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, subject to prescribed retention requirements for certain classes of entities, including any sector-specific retention requirements as elaborated below. Notably, organisations are required to retain personal data, traffic data and processing logs for a minimum period of one year, which introduces a significant compliance consideration in light of the data minimisation principle. In parallel with retention planning, organisations must also assess whether they have implemented reasonable security practices commensurate with the nature of the processing activities. This includes instituting measures such as access controls, identity management and robust data backup protocols to safeguard personal data from unauthorised access or data breaches.

Equally important is the creation of a framework that enables data principals to exercise their statutory rights, such as the right to access information about their personal data, correction, erasure, grievance redressal, nomination and the right to withdraw their consent. Organisations should design processes that facilitate grievance redressal within prescribed timelines, ensuring that transparency and accountability is maintained when handling data subject requests.

In addition, organisations must establish mechanisms for monitoring and reporting personal data breaches and integrate them with the directions issued by the Indian Computer Emergency Response Team (CERT-In), under which organisations are required to report cybersecurity incidents, including data breaches, within six hours of discovering the incident, in the prescribed format. This requires designating responsible personnel to carry out specific tasks, defining standard operating procedures for the company’s breach response and incorporating contractual obligations for data processors to ensure that they adopt similar measures. Ensuring that a company has oversight of the activities undertaken by data processors is a critical compliance element, necessitating formal contracts between data fiduciaries and data processors that capture the obligations mandated by the DPDP Act and DPDP Rules.

For entities that may be designated by the government as an SDF, the applicable compliance obligations are more stringent. These compliance obligations include appointing an India-based data protection officer and conducting periodic data protection impact assessments and audits.

The integration of the new privacy regime with sectoral laws

An essential provision set out in the DPDP Act is Section 38, which states that the provisions of the DPDP Act are in addition to, and not in derogation of, any other law, and that the provisions of the DPDP Act will prevail in the event of any conflict. This provision reinforces the need for companies to have a centralised privacy compliance framework in place that allows them to streamline compliance with the applicable domain-specific privacy-related laws, because the retention requirements under sectoral laws vary significantly. For example, financial and tax regulations mandate retention periods ranging from 180 days to as long as ten years, depending on the nature of the dataset at hand. Similarly, within the healthcare domain, certain laws prescribe retention timelines of three to ten years, while state-specific regulations may impose additional retention obligations.

Therefore, a unified and central privacy compliance framework would potentially allow organisations to reconcile these divergent requirements, while ensuring the company’s adherence to the minimum retention obligations mandated under the DPDP Act.
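The retention reconciliation described in the two preceding sections (delete on consent withdrawal or when the purpose ends, but never before the one-year DPDP floor or a longer sectoral floor has run) is a small decision procedure, and it is easier to audit as code than as a policy table. The following is an added illustration, not code from the article or its authors. The one-year DPDP minimum is taken from the article; the sectoral obligations (a hypothetical "financial-records" rule of ten years and a hypothetical "health-records" rule of three years) are constructed placeholders that stand in for whatever the organisation's own sectoral mapping yields, and the record data is constructed sample input.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Floor stated in the article: personal data, traffic data and processing
# logs must be retained for a minimum of one year from processing.
DPDP_MIN_RETENTION_DAYS = 365


@dataclass(frozen=True)
class RetentionObligation:
    """A statutory minimum-retention floor that applies to a data category."""
    source: str      # label for the audit trail, e.g. the statute name
    category: str    # data category the floor applies to
    min_days: int    # minimum retention counted from the processing date


# Constructed, hypothetical sectoral floors; a real deployment would load
# these from the organisation's sectoral retention mapping.
SECTORAL_OBLIGATIONS = [
    RetentionObligation("hypothetical financial rule", "financial-records", 3650),
    RetentionObligation("hypothetical health rule", "health-records", 1095),
]


@dataclass
class Record:
    record_id: str
    category: str
    processed_on: date
    consent_withdrawn_on: Optional[date] = None
    purpose_ended_on: Optional[date] = None


def retention_floor_days(category: str, obligations=SECTORAL_OBLIGATIONS) -> int:
    """Binding floor = the longest of the DPDP minimum and any sectoral minimum.

    Section 38 makes the DPDP Act additive to other laws, so the longest
    applicable minimum wins; a shorter sectoral period never undercuts DPDP.
    """
    sectoral = [o.min_days for o in obligations if o.category == category]
    return max([DPDP_MIN_RETENTION_DAYS, *sectoral])


def deletion_trigger(record: Record) -> Optional[date]:
    """Earliest event that obliges deletion, or None if none has occurred yet."""
    events = [d for d in (record.consent_withdrawn_on, record.purpose_ended_on) if d]
    return min(events) if events else None


def scheduled_deletion(record: Record, obligations=SECTORAL_OBLIGATIONS) -> Optional[date]:
    """Date on which the record must be deleted.

    Deletion is due at the trigger (withdrawal or purpose end) but is deferred
    until the binding retention floor has expired. Returns None while the
    data is still legitimately in use (no trigger yet).
    """
    trigger = deletion_trigger(record)
    if trigger is None:
        return None
    floor_expiry = record.processed_on + timedelta(days=retention_floor_days(record.category, obligations))
    return max(trigger, floor_expiry)


def records_due(records, as_of: date, obligations=SECTORAL_OBLIGATIONS):
    """Return the ids of records whose scheduled deletion date has arrived."""
    return sorted(
        r.record_id for r in records
        if (due := scheduled_deletion(r, obligations)) is not None and due <= as_of
    )


# Constructed sample records used when the module is run directly.
SAMPLE_RECORDS = [
    # Consent withdrawn two months after processing: still held until the one-year floor.
    Record("marketing-1", "marketing", date(2026, 1, 1), consent_withdrawn_on=date(2026, 3, 1)),
    # Purpose ended after the floor: deleted at purpose end.
    Record("marketing-2", "marketing", date(2026, 1, 1), purpose_ended_on=date(2027, 6, 15)),
    # Sectoral floor (ten years) overrides the DPDP one-year floor.
    Record("fin-1", "financial-records", date(2026, 1, 1), consent_withdrawn_on=date(2026, 3, 1)),
    # No trigger yet: remains in scope, no deletion scheduled.
    Record("health-1", "health-records", date(2026, 1, 1)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, scheduled_deletion(r))
    print("due on 2027-01-01:", records_due(SAMPLE_RECORDS, date(2027, 1, 1)))
```

The key design choice is that the floor is counted from the processing date and combined with the trigger using max, so a consent withdrawal received inside the retention window does not cause premature deletion, and a sectoral floor longer than one year never falls below the DPDP minimum. A production version would also restrict access to records that are past their trigger but inside the floor, and would log each computed date for the audit trail.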

Issues that may pose challenges to the implementation of the DPDP Act and the DPDP Rules

While the legal framework is now in place, certain provisions set out in the DPDP Act and the DPDP Rules may pose practical challenges that organisations will likely have to navigate. Some of the key issues include:

  • The retention mandate — while the DPDP Act promotes data minimisation as a core principle, the DPDP Rules require personal data to be retained for a minimum of one year from the date of processing for the purposes specified therein. This may create tension between the data minimisation and mandatory data retention requirements, compelling organisations to reconcile these obligations within their compliance programmes.
  • Algorithmic accountability — SDFs are required to conduct due diligence to verify that the technical measures, including algorithmic software, adopted for the hosting, display, uploading, modification, publication, transmission, storage, updating or sharing of personal data processed are not likely to pose a risk to the rights of the data subjects. However, these obligations arise in the absence of a dedicated artificial intelligence (AI) statute in India, leaving organisations to interpret and operationalise the relevant governance standards without clear legislative guidance at present.
  • Data localisation — the DPDP Act empowers the government to impose restrictions on cross-border transfers of personal data, including imposing conditions for making such data available to foreign states or entities. This may raise potential conflicts with foreign laws that may mandate the disclosure or transfer of data to government agencies in third countries, such as the requirements under certain surveillance or national security regimes. Organisations operating globally may have to navigate these competing obligations carefully.
  • Interpretation and regulatory clarity — certain aspects of the law remain ambiguous and will require further clarification. Questions persist around what constitutes a data breach, how traffic data should be defined and whether certain entities will benefit from exemptions under the DPDP Act. Additionally, retention mandates raise concerns about the extent of government access to personal data. Much of this clarity will likely emerge once the DPB becomes fully operational. It is anticipated that the DPB will provide interpretative guidance and enforcement consistency, which will be critical for effective compliance with the DPDP Act and the DPDP Rules.

Conclusion

It is important to note that India’s privacy landscape, while still in its nascent stage, is entering a transformative phase through the implementation of the DPDP Act and the subordinate legislation thereunder, ie, the DPDP Rules. The introduction of the new privacy framework signals a decisive shift towards a rights-based approach to personal data protection, but it also introduces operational challenges that organisations must proactively address. As enforcement mechanisms mature and regulatory clarity evolves, businesses will need to adopt a forward-looking compliance strategy that goes beyond mere legal adherence to the rules.

Hence, to ensure compliance in the future, organisations should focus on building integrated governance structures that harmonise the obligations set out in the DPDP Act and the DPDP Rules with the relevant sectoral and global regulations. This will require organisations to invest in robust data management practices, continually shape their AI governance frameworks as the regulatory landscape evolves, and streamline breach response mechanisms to address the requirements set out in the law. Equally important is fostering a culture of accountability, anchored by leadership commitment and supported by continuous monitoring and audits. It is only by embedding privacy as a core organisational value that businesses will be able to mitigate regulatory risk and strengthen consumer trust in an increasingly data-driven economy.


[1] A consent manager is defined as a person registered with the Data Protection Board of India (the new privacy regulator), who acts as a single point of contact to enable a data principal to give, manage, review and withdraw their consent via an accessible, transparent and interoperable platform.