It has been a shade over two months since the enactment of India's first comprehensive data protection legislation (the Digital Personal Data Protection Act, 2023, or 'DPDP') and the imperatives are getting clearer.


Several organizations are well on course in transitioning their policies to comply with the DPDP. Yet some challenges in putting their policies into practice remain to be overcome. Our thought leadership delves into these.

Overcoming six main challenges

  • Purpose limitation | Data fiduciaries need to specify the purpose of processing and describe the personal data involved in such processing. Personal data can only be processed to the extent necessary to achieve the stated purpose. This effectively means that personal data can only be used for the purposes for which it was collected. Consequently, organizations that use personal data for a variety of reasons need to proactively, systematically and comprehensively identify the purposes for processing in advance, before seeking consent.


  • Obtaining explicit consent | “Consent” is the cornerstone of privacy protection and individual autonomy. The DPDP requires explicit consent from data principals before their personal data is processed. India is a remarkably diverse nation, and consequently, operationalizing effective consent requires more than legal and regulatory controls. This can be challenging to implement, especially for organizations that collect personal data from a large number of individuals. In this context, the role of the consent manager in digitally enabling consent, possibly through an interoperable technology framework, needs to be defined with clarity and supported by adequate training.


  • Data minimization | The principle of data minimization requires personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This can be challenging for organizations that collect large amounts of personal data. Organizations should define the purpose of the data as explicitly as possible and minimize collection by designing and implementing processes that require the least personal data, or that only require anonymized data. This will help to determine what data is relevant and adequate for the intended use and avoid collecting excessive or irrelevant data. Data retention policies and practices should specify how long data will be stored, and when and how it will be deleted or erased. This will also help to reduce the storage costs and security risks associated with keeping data longer than necessary.


  • Data security | Organizations can be fined up to ₹250 crores (~US$ 30 million) for non-compliance with the DPDP. Consequently, security measures need to be engineered so that they are commensurate with the nature, size, complexity and volume of the data, and with the risk of unauthorized access, use or disclosure of the personal data involved. These include implementing technical and organizational security measures, such as encryption, anonymization, access control and employee awareness through training sessions.


  • Right to access and erasure | Data principals have the right to access their personal data and to have it completed, corrected or erased. This can be challenging for organizations that need to retain personal data for legal or compliance reasons; in this context, segregating the personal data retained for potential legal and compliance purposes is important.


  • Cross-border transfer of personal data | Cross-border data transfers can increase the risk of cyber-attacks and data breaches, especially if the data is being transferred through third-party providers or cloud services. Countries across the globe have varying regulations on data protection, making it challenging to ensure compliance when transferring data across borders. The DPDP imposes restrictions on the cross-border transfer of personal data. This can be challenging for organizations that have offices or customers in multiple countries. Organizations should understand the data they process and identify the types of data transferred across borders. This will help to identify the risks associated with cross-border data transfers and to implement appropriate security measures.

The DPDP will impact the Indian economy and society at large in a significant manner. Organizations will need to invest in data security measures, which in turn will require consulting firms to gear up in terms of innovation & collaboration with IT solution providers in order to provide a comprehensive range of solutions to their clients. The rest of the world will look at India with increased consumer confidence in our digital economy.


The DPDP will provide individuals with greater control over their personal data, which with enhanced privacy awareness, will provide a greater sense of security among individuals. It is also expected that the DPDP with its consequent data security requirements will reduce data breaches in India.


We trust that you found this thought leadership useful and would welcome your feedback. You may also click on (MGC Global Data Bank) to view our last thought leadership on DPDP.


Best regards

Markets Team

MGC Global Risk Advisory LLP

About MGC Global Risk Advisory 

Recognized as one of the "10 most promising risk advisory services firms" in 2017, as the "Company of the Year" in 2018 and 2019 (both in the category of risk advisory services), one of the "Top Exceptional Companies to Work For" in 2020, amongst the "Top 25 Customer Centric Companies" in 2020, "The Consultant of the Year" in 2021 (in the category of risk advisory services) and "Top Exceptional Leaders in Risk Advisory Services" in 2023, MGC Global is an independent member firm of the ~US$ 5 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, vCISO, CxO transformation, forensic, ESG & CSR services.


Our firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai, NCR; and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately US$ 5 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in over 105 countries, who have over 28,000 professional staff and over 6,000 partners operating from nearly 700 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.