How to implement the DPDP Act

When you visit many global websites, you will instantly be prompted to accept or reject cookies. That’s for you to tell the company whether you are ok with them collecting and using your data. If it’s a website you frequent, there are advantages in accepting the cookies, because you may then not have to key in information about yourself every time, it’ll offer you personalised recommendations and ads, pages may open faster. But then you may have to deal with frequent marketing messages, including maybe from the company’s partners.
If you reject the cookies, you forego the advantages, but you will be saved from a lot of spam and marketing calls and messages.

The European Union’s General Data Protection Regulation (GDPR) is the current gold standard in rules for collecting, processing, and storing personal data of individuals. India in 2023 passed a similar law – Digital Personal Data Protection Act (DPDPA) – and published detailed rules around it last year. Every entity handling personal data is mandated to implement it fully by May, 2027.

We had a discussion on what this entails for organisations, and we would urge you to listen to it on our Facebook or YouTube page – because it deeply impacts every organisation that collects personal data.
The discussion was in association with ManageEngine, the division of Zoho Corporation that offers a comprehensive IT management portfolio. Sreedharan K S, director of compliance at Zoho Corp, noted that India’s law, unlike the EU one, is only for digital data. He said the focus is on informed consent as the basis for processing of data. The govt, he said, has specified some situations where data can be processed without consent – like during disasters or public health emergencies.

Shreyashi Sengupta, partner for digital trust technology risk automation at KPMG, said the Act really empowers users. “I’m allowed to exercise my consent, I need to be told what my information is being used for, and I have the right to terminate my consent and ask that my data be erased,” she said. If there’s a data breach, the law demands that affected parties be informed immediately.
The Act also imposes strict, mandatory compliance requirements for the continued processing and storage of historical data. And organisations that have been around a long time will have lots of legacy data.

Mapping data

Enabling and dealing with all of this will require substantial effort, which explains why the govt has given some time to organisations to comply. Sreedharan noted that the effort will have to start with asset management – “you have to first discover where the data is, and then you have to map which data is personal, how important it is, whether it is required.” This part will be painful. Shreyashi noted that the IT landscape in enterprises today is vast, and data would be in multiple places. “You need to track the content not only on one application, but what the effects of it are on downstream and upstream applications,” she said.

Given how long the exercise would be, Shreyashi recommended that organisations focus first on customer facing applications, and user consent preference management. “Once that gets going, then look at things like breach notification. The data discovery process is a lifelong exercise, and that can keep happening in parallel,” she said. Companies can build their own consent management platforms, or connect to independent consent managers that are emerging to provide centralised dashboards for users to give, manage, and withdraw consent across multiple platforms.

Multi-language capabilities will be essential on websites to guarantee informed consent. “Bhashini APIs could be used for this as a start,” Sreedharan said, referring to the govt’s AI-powered multilingual platform.