In an era where data protection and privacy have become critical cornerstones of business operations, organizations in India are grappling with the implications of the Digital Personal Data Protection Act (DPDPA). In this exclusive interview, Gaurav Sahay, Practice Head – Technology & General Corporate at Fox Mandal & Associates LLP, sheds light on the importance of compliance with this groundbreaking legislation. He discusses the impact of the DPDPA across various industries, the evolving landscape of consumer trust, and the technological solutions businesses need to adopt to safeguard data. As companies navigate this regulatory environment, Sahay offers insights into the challenges ahead and how businesses can stay compliant and thrive in a data-driven economy.
TAM: Why is it essential for organizations operating in India to understand and comply with the Digital Personal Data Protection Act?
Gaurav Sahay: Something that began as a value addition gradually transformed into compliance and is finally transmuting into a deliberated legal mandate. The past two decades have witnessed the metamorphosis in law for companies and a visible transition in the attitude of individuals. Having a significant presence in the service industry, India had to be apace with international regulations concerning Privacy Laws and Digital Data. Pursuant to the pressing economic, business and industrial needs, companies operating out of India or Indian companies, have been mandated to comply with all regulatory and legal compliances, enumerated both in the Digital Personal Data Protection Act or any regulations by a competent authority. To an extent the same has now been linked directly to the reputation and trust imposed on the organisation, within the industry and by its clients. Coupled with the pains of sizeable fines, penalties, and even potential bans, threatening to impact business operations, organisations must ensure that they understand and meet the obligations defined under the specified law.
TAM: How do you foresee the implementation of the Digital Personal Data Protection Act affecting businesses across different sectors in India? Are there specific industries that will face more significant challenges or changes due to this legislation?
Gaurav Sahay: Irrespective of whether one is in Banking, Financial Services, Insurance, Healthcare, Pharmaceuticals, E-commerce, Retail, Telecommunications, Media, Advertising, Logistics Transportation or Government and Public Sector, the necessity to comply with the regulations brought in by the Digital Personal Data Protection Act is mandatory. The challenges accompanying them are potentially also the same, whether it is ensuring clear, specific consent from users for data collection and processing, compliance with strict requirements for cross-border data transfers, high costs related to implementing robust data security protocols, facilitating user rights, strengthening encryption, security controls, and monitoring, the consequent cost accruing for its implementation, infrastructure upgrade and intensive resource mobilisation is a major industry concern.
Amidst all these galactic changes, the most affected sector caught between compliance and cost for the implementation are the MSMEs, particularly those involved in data-centric industries like fintech, ed-tech, and health-tech. Adapting to the legal mandate will definitely strain their profits, resource allocation and decision making. The MSMEs will need to allocate resources toward compliance, which could strain and profoundly impact their budgets.
TAM: In what ways do you think the Act will influence consumer trust and behaviour regarding data privacy? How important is it for companies to demonstrate compliance to maintain their customer base?
Gaurav Sahay: As stated above, something that began as a value addition gradually transformed into compliance and is finally transmuting into a deliberated legal mandate; to an extent the same has now been linked directly to the reputation and trust imposed on the organisation, within the industry and by its clients. The past two decades have witnessed the metamorphosis in law for companies and a visible transition in the attitude of individuals.
The implementation of the DPDPA is already significantly visible for organisations with respect to consumer trust index and behaviour. Companies that have been actively demonstrating compliance with the law and adopting privacy-conscious practices have strengthened their relationships with customers in fostering trust, and enhancing loyalty. In a data-driven economy, trust is paramount, and businesses must prioritize data protection to maintain and grow their customer base in the long run. Non-compliant organizations risk losing not just legal battles but also customer confidence, leading to reputational damage and decreased market share.
TAM: As companies work to align with the new regulations, what technologies or solutions do you believe will be crucial for ensuring compliance? How can businesses leverage these technologies to enhance their data protection strategies?
Gaurav Sahay: To comply with the Digital Personal Data Protection Act (DPDP Act) and enhance their data protection strategies, businesses will need to adopt a combination of technological solutions and best practices that ensure data is handled securely, transparently, and in alignment with regulatory requirements.
Some of the key technologies and solutions that can help organizations not only achieve compliance but also strengthen their overall data protection strategies can be: (i) solutions like AES (Advanced Encryption Standard), RSA for secure communications, and SSL/TLS certificates for secure web transactions; (ii) tools like Varonis, Spirion, and BigID for businesses to automate the process of data discovery, classification, and protection; (iii) platforms such as OneTrust, TrustArc, and Osano for consent management; (iv) solutions from providers like Symantec, McAfee, and Forcepoint to monitor endpoints, networks, and cloud services; (v) platforms like OneTrust, Nymity, and TrustArc to manage privacy governance, conducting risk assessments, and automating compliance tasks; (vi) for real-time threat detection, security incident management, and comprehensive breach response workflows, tools like Splunk, CrowdStrike, and IBM QRadar can be implemented.
Proactively adopting these technologies will enable companies to stay ahead of compliance requirements while demonstrating their commitment to law, ultimately leading to better consumer trust, operational efficiency, and long-term business success.
TAM: Looking ahead, how do you anticipate the Digital Personal Data Protection Act will evolve in response to emerging technologies, such as AI and machine learning? What should businesses be prepared for in terms of regulatory changes and data management practices in the coming years?
Gaurav Sahay: For the DPDPA to remain relatively apposite, it is of extreme importance that DPDPA evolves significantly, by means of notification of sections that are yet to be notified and by latest amendments, in response to emerging technologies such as AI and ML. It must not be missed that conventionally the jurisdictions who have been successfully imposed upon the rest of the world as pioneers of evolving legislations, have already started implementing separate laws/ regulations for AI and ML. As such it is consequential, that DPDPA would stand out as a supporting law, to the specific and forthcoming specific laws in India, concerning AI and ML.
As the regulatory landscape must adapt to these advancements, businesses also must prepare proactively for potential changes in compliance requirements, data management practices, and accountability mechanisms towards fairness and non-discrimination, stricter controls, limits on automated decision-making, data minimization, purpose limitation requirements, enhanced algorithmic accountability, privacy by design and data anonymization, cross-border data transfers, cybersecurity and AI-driven threat detection. By active foresight businesses will mitigate the risks and build trust in a rapidly changing technological landscape.