Challenges Before The New Data Law


The DPDP Act (2023) gives individuals the right to decide how their personal data is collected and used. For many businesses, this means reworking longstanding data practices, notes Ravi Duvvuru.

Illustration: Dominic Xavier/Rediff

With the notification of rules under the Digital Personal Data Protection (DPDP) Act (2023) expected soon, India is preparing for a landmark shift in how personal data is handled.

While the Act promises to empower users and strengthen data governance, it also raises a range of implementation challenges.

For businesses, regulators, and consumers, navigating this transition will require thoughtful planning and coordination.

At the heart of the Act lies the principle of consent. The Act gives individuals — or data principals — the right to decide how their personal data is collected and used.

For many businesses, this means reworking longstanding data practices.

Consent must now be explicit, informed, and revocable — a shift from earlier models based on implied consent or bundled terms.

For fintech, ecommerce, and digital platforms, where data is central, this could be disruptive. Organisations must invest in user-friendly consent mechanisms, communicate clearly, and embed privacy into the product experience.

Many entities — credit bureaus, telecom companies, utilities — process personal data under sectoral mandates that sometimes conflict with DPDP provisions.

For instance, if the Reserve Bank of India (RBI) mandates retention of financial data, can an individual still demand erasure under DPDP?

Such overlaps highlight the need for harmonised guidance across regulators such as RBI, the Securities and Exchange Board of India, and the Unique Identification Authority of India.

Without this, businesses may face legal uncertainty. The regulatory framework must evolve to provide clarity and consistency in resolving conflicting obligations, with clear timelines and coordinated enforcement across sectors, to reduce compliance burdens.

The Act demands embedding privacy into technology systems. Platforms must now support data traceability, granular user controls, and revocable consent — capabilities that many legacy systems lack.

The Act allows the central government to restrict the transfer of personal data to certain countries.

While pragmatic, this complicates compliance for companies that use global cloud infrastructure.

Organisations must prepare for data localisation or ensure their cloud providers can adapt quickly to restrictions.

Anonymised data is excluded from the DPDP’s scope. However, modern analytics and artificial intelligence tools often use pseudonymised or anonymised data to create profiles.

While technically outside the Act, such practices can still generate inferences about individuals.

To prevent loopholes, the government may need to issue clarifications or bring legislation that addresses the use of anonymised data.

The Act mandates data breach notifications, but the specifics remain unclear.

Should companies notify suspected breaches, in line with the Indian Computer Emergency Response Team (CERT-In), or only after confirmation?

How can they balance transparency with the avoidance of unnecessary panic?

Clear guidance is needed on what qualifies as a breach, how quickly to report, and when to inform data principals.

This will help organisations respond with confidence and consistency.

The Data Protection Board will intervene in unresolved disputes. With the Act imposing significant penalties, individuals may be more inclined to escalate complaints or approach the courts.

This could lead to increased litigation, especially over systemic data practices.

India might consider sector-specific redress forums or fast-track digital tribunals to prevent courts from becoming overwhelmed.

India can learn from Singapore’s Personal Data Protection Act, which has achieved a balanced approach.

Features like phased implementation, sector-specific rules, and emphasis on organisational accountability have enabled smoother compliance and innovation.

The DPDP Act is critical for protecting digital rights. However, success will lie in its implementation.

With regulatory clarity, user-centric design, and coordinated efforts across sectors, India has the opportunity to become a global benchmark for data privacy and trust.

Ravi Duvvuru is founder and designated director, Duvvuru & Reddy LLP; and member, advisory group to the second Regulatory Review Authority.

Feature Presentation: Aslam Hunani/Rediff