Introduction
The Digital Personal Data Protection (DPDP) Act, enacted in 2023, is essential to India’s aim of providing its people an environment that protects privacy. The DPDP Act has established data protection and privacy standards for India and established regulatory clarity. This legislation sets obligations for data fiduciaries and significant data fiduciaries, provides safeguards for children’s data, vests rights in individuals, allows cross-border data transfers, and provides a contour for a data protection board, financial penalties, and a grievance management system.
While the DPDP Act’s framework of data protection and compliance is agnostic both vertically (across maturity levels of businesses) and horizontally (across different sectors), the implementation approach will likely differ for various stakeholders. For example, in emerging economies like India, start-ups and small-scale enterprises are still in the process of understanding compliance with data protection norms, whereas larger organisations that have aligned to existing international norms face less pressure.
To be sure, the DPDP Act 2023 is not India’s first attempt to regulate personal data. Various sector-specific regulations exist, and directly or indirectly apply to managing personal data in India, which may result in differences in how compliance is operationalised for specific sectors. Therefore, from an industry perspective, it would be beneficial to provide more precise direction to businesses about key data protection and privacy concepts and how compliance requirements and architectures may change with the implementation of the DPDP Act. In this context, this compendium examines what is next in data protection by mapping operationalisation strategies for the new data protection regime.
The compendium explores the issues related to data protection and management in India with respect to six representative sectors and domains: financial, health, education, cloud services, biometrics, and emerging technologies. The section on financial services caters to fintech service providers that use digital technologies for fraud detection, algorithmic trading, credit lending, and robo-advisory. The healthcare chapter, meanwhile, discusses the use case of the DPDP Act in the digital health sector, including in activities such as healthcare analysis, precision medicine, and predictive diagnosis. The articles on education data, for their part, discuss the compliance constraints faced by edtech platforms that deliver educational services online, particularly the age-verification mandate.
The fourth section, on data processors, explores both the direct and indirect implications of the DPDP Act for data processors and the impact they could have on cloud service-based security and ensuring infrastructural reliability. The essays on biometric data follow, discussing the foundational nature of biometric data use in India, the principles of biometric data management, and how individuals can be better protected when submitting their biometric data. Lastly, the sixth section discusses the impact of the DPDP Act on emerging technologies, highlighting the importance of Artificial Intelligence (AI), as a large language model, its reliance on data and the need for anonymisation.
The essays in this compendium delve into the details of sectoral data-protection compliance. One step further, they also bring out the equally relevant vertical aspects by understanding how the maturity levels of businesses within that sector need to be considered while laying down the roadmap for data compliance.
While the functions and targets of data-driven companies are determined by their specific business models and requirements, they follow broadly similar steps when dealing with data to extract value. Keeping this in mind, this compendium suggests a unique data lifecycle-based framework to map the compliance roadmap for businesses. The framework divides the data lifecycle into six stages—i.e., data collection, data retention, data structuring, data transfer, data processing, and data expunction. Adopting this framework will give data fiduciaries clarity on the provisions to be incorporated at various data lifecycle stages. This volume discusses the nuances of such provisions by mapping the processes involved, the timelines, compliance requirements, and impact at the vertical level. Moreover, it discusses how to operationalise these provisions using tech solutions.
The compendium is an exercise in gathering expert and academic opinions in the aforementioned sectors. The aim is to inform smaller, independent organisations centred in India of the ways they can adapt to the DPDP Act 2023 as well as the data privacy rules currently underway.
Kazim Rizvi is Founder and Director, The Dialogue.
Shravishtha Ajaykumar is Associate Fellow, Centre for Security, Strategy and Technology, Observer Research Foundation.
The views expressed above belong to the author(s).