DPDP and the criticality of data: A turning point for India's gigital future

India is on the brink of implementing one of its most consequential digital regulations – the Digital Personal Data Protection Act, 2023 (DPDPA), and its accompanying rules. As the country inches closer to operationalizing this framework, there is a growing sense of urgency across the tech ecosystem. The era of soft compliance is over. Data has emerged not only as a currency for innovation but also as a growing liability, and the new regime reflects the government's sharpened focus on accountability, transparency, and regulatory control.
At its core, the DPDPA is a principles-based legislation. The draft rules currently under consultation provide a closer view of what real-world compliance will demand—particularly in areas such as consent, retention, data erasure, and breach notification. This is where the criticality of data governance truly comes into focus—not just as a question of digital infrastructure, but as a matter of strategic economic and legal consequence.
Data compliance vs practicality
The draft rules under should adopt a more risk-based and proportionate approach to age verification and parental consent. As it stands, the requirement for verifiable consent—regardless of a data principal's self-declared age—could impose disproportionate burdens on data fiduciaries, often compelling them to collect excessive data and implement rigid mechanisms that may violate principles of data minimisation. International standards like the EU-GDPR and COPPA offer a more balanced path by allowing entities to take 'reasonable efforts' to verify age and parental consent, depending on the nature of the service and risk involved. The DPDPR should follow suit by clarifying that stricter age assurance measures be applied only where high-risk processing of children's data is involved, while permitting flexibility for low-risk use cases. This not only prevents unnecessary operational hurdles for businesses but also aligns better with both child protection goals and practical feasibility.
What's more, the DPDP Act also does not currently allow for 'legitimate interest' as a legal basis to process data—something that other jurisdictions like the EU recognize. This could make basic business activities like internal audits, AI training, and even due diligence for M&A transactions unnecessarily difficult.
Breach reporting framework
One of the more stringent aspects of the draft rules is the breach notification framework. Data fiduciaries are required to notify both the Data Protection Board and the affected data principals of every data breach, irrespective of the perceived level of risk or harm. While a more extended window of 72 hours (or longer, subject to the Board's discretion) has been proposed for submitting a detailed report to the Board, the timeline for notifying affected data principals is notably tighter—requiring disclosure 'without delay.' In addition, a preliminary breach report must also be submitted to the Board without delay, containing essential initial details. Given the varying levels of detail and specificity expected in these 'without delay' notifications to the Board and data principals, there may be differing interpretations of the timeline and its practical implications.
This structure, though well-intentioned, raises concerns about the resulting desensitization of both users and regulators. In practice, most breaches require internal triage: identifying the breach, scoping its impact, initiating remediation. Reporting too early without adequate clarity could expose companies to unnecessary reputational and legal risks. Worse, it could distract from mitigating actual harm.
A more pragmatic approach would involve the introduction of a severity threshold, distinguishing minor from major breaches, and re-calibrating reporting timelines, to ensure meaningful compliance rather than mechanical disclosure.
MSMEs and the risk of overregulation
Another critical concern is the asymmetry of impact. While large corporations may struggle with scale, it is smaller businesses that will feel the heat of non-compliance most acutely. The framework as it stands does not adequately differentiate obligations by the size, scale, or risk profile of the fiduciary.
As seen in other sectors, overly burdensome compliance can stifle MSME growth. Risk-based regulation—where the extent of compliance is proportionate to the sensitivity and volume of data—needs to be institutionalised.
Governance beyond compliance
What the DPDP regime ultimately signals is the institutionalization of data governance in India. The legislation is not just about data protection. it is about shaping the way organizations think about trust, risk, and accountability. This is not merely a legal challenge—it is an organizational transformation. Policymakers must continue to listen—to industry, to civil society, and to consumers—so that implementation is guided by dialogue rather than dictate.
India has a unique opportunity to set the gold standard in digital governance—not just by protecting personal data, but by enabling the responsible unlocking of its economic value. But to achieve this, the DPDP Rules must evolve: from ambiguity to clarity, and from theory to real-world feasibility.
Five key areas to make the DPDP law more effective:
Adopt a risk-based approach to age verification and parental consent —aligned with global best practices and avoid one-size-fits-all mandates that may lead to over-collection of data and create compliance burdens.
Add 'legitimate interest' as a basis for data processing —especially for due diligence in M&A and Investment activities and internal operations.
Introduce a severity-based breach reporting system and reconcile reporting timelines to avoid false alarms and regulatory fatigue.
Clarify the language requirements for user notices—especially for backend or automated services.
Differentiate compliance for MSMEs to ensure ease of doing business isn't compromised.
Encourage industry-led self-regulation
under the oversight of the Data Protection Board.
Facebook Twitter Linkedin Email Disclaimer
Views expressed above are the author's own.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Business Standard

2 hours ago

• Business Standard

Decision on merger with Biocon Biologics soon, says Siddharth Mittal

We are talking about the GLP-1 opportunity and our strong franchise in insulins. There is a huge demand in the global diabetes-obesity segment, said Siddharth Mittal Sohini Das Mumbai Listen to This Article Biocon successfully raised ₹4,500 crore through a qualified institutional placement (QIP) last week that saw strong interest from both Indian and global investors. It is also considering a merger of Biocon Biologics with Biocon to tap into business and scientific synergies rather than listing Biocon Biologics. In a virtual interaction with Sohini Das, Siddharth Mittal, chief executive officer (CEO) and managing director (MD) of Biocon outlined his plans. Edited excerpts: Your QIP was successful. What do you plan to do with the proceeds? There was very strong investor demand. The Board had approved raising up to ₹4,500 crore in one,

First Post

2 hours ago

• First Post

Are divisions in the EU deepening over Israel?

Cracks within the EU widen as member-states disagree over how to approach the tensions in West Asia. While some EU nations are calling out Israel's conduct in Gaza Strip and Iran, others emphasise that the Jewish nation has the right to defend itself read more French Minister for Europe and Foreign Affairs Jean-Noel Barrot, British Foreign Secretary David Lammy, German Foreign Minister Johann Wadephul and European Union High Representative for Foreign Affairs and Security Policy, Kaja Kallas, talk over lunch at the offices of the honorary Consul of the Federal Republic of Germany in Geneva, Switzerland during a meeting of European foreign ministers on Friday. Reuters As the tensions in West Asia continue to escalate, a major division has emerged over how the European Union should respond to Israel's war in Gaza and its ongoing conflict with Iran. The decision became more apparent after the regional body released a report which suggested that Israel was breaching human rights obligations in the Gaza war. The document obtained by Reuters stated that Israel's conduct in Gaza and the West Bank was a 'moral and methodological failure.' The review report was sent to the EU officials ahead of a foreign minister's meeting on Monday. Soon after it was released, Israel slammed the report, noting that it had failed to consider Israel's challenges and was based on inaccurate information. STORY CONTINUES BELOW THIS AD 'The Foreign Ministry of the State of Israel rejects the document … and finds it to be a complete moral and methodological failure,' they said in a statement, adding that it should be dismissed entirely. The European Union have remained largely divided over Israel's conduct in West Asia. While countries like the Netherlands, Spain, Belgium and Sweden push for punitive action, others notably Germany, Hungary and Austria resist citing strategic ties, historical responsibilities and political caution. The division is becoming more severe over how the bloc is reacting to Israel's operation in Iran. On Gaza Earlier this year, the European Commission launched an investigation into whether Israel may have breached its human rights obligations under the association agreement after a majority of EU countries called for a review of Israeli conduct amid the humanitarian crisis. The findings of the report turned out to be one of the most contentious foreign policy decisions facing the EU. The body is also concerned after US President Donald Trump decided to drag the United States into the conflict by striking Iran's three nuclear facilities . On Monday, the findings of the report will be presented by Kaja Kallas, the EU's high representative for foreign affairs to the ministers from EU governments. The bloc will then decide what steps can be taken over the matter. According to Politico, potential actions range from 'doing nothing' to limiting trade with Israel and even suspending the entire agreement. However, that would require a unanimous agreement from the bloc's 27 countries, which is quite unlikely to happen. On Iran Not all EU nations believe that Israel's attack on Iran is legal under international law. Last week, the regional bloc issued a statement calling 'on all sides to abide by international law, show restraint and refrain from taking further steps which could lead to serious consequences such as potential radioactive release," Euro News reported. One of the major points of contention was whether in the statement the EU should state 'Israel has a right to defend itself' in the context of its attacks against Iran. Around 15 member states including Austria, Czechia, France, Germany, Hungary, Italy and the Netherlands wanted to add the line but it was not agreed unanimously. STORY CONTINUES BELOW THIS AD Meanwhile, other countries noted that it wasn't sufficiently mentioned that Israel has the right under international law to launch its offensive against Iran. It is pertinent to note that According to international law, and the UN Charter, a state may exercise its right to self-defence in case of an armed attack or imminent attack. Any necessary action should also be proportionate. Hence, it remains unclear whether Europe would ever be united on the question of Israel.

Fibre2Fashion

3 hours ago

• Fibre2Fashion

Textile recycling could cut CO₂ by 440,000 tonnes a year: Research

Reaching a modest 10 per cent textile-to-textile recycling rate by 2035 could cut CO2 emissions by 440,000 tonnes annually and reduce water scarcity impacts by over 3 per cent—or 8.8 billion m³ world equivalent, according to findings from the IVL Swedish Environmental Research Institute. Despite rising concerns over fast fashion's sustainability, global textile-to-textile recycling remains critically low—at only around 1 per cent. However, advanced recycling technologies could lift that rate to 26 per cent by 2030. The research, which examined five key recycling processes and used Monte Carlo modelling, showed a 92 per cent probability of reducing climate impacts and a nearly 100 per cent chance of bringing water scarcity improvements. The average reduction in climate impact of the new approach, compared to 'business as usual', was 0.5 per cent. With the EU aiming to make all textiles placed on the market durable, repairable, and recyclable by 2030 under its Sustainable and Circular Textiles Strategy, the study underscores the need for policy support to scale fibre-to-fibre recycling. This includes improvements in textile collection and sorting, quality of recycled fibres, and mechanisms such as taxes on virgin materials to shift industry norms. Researchers emphasise that while recycling must increase, the processes themselves also require enhanced efficiency to ensure that recycled fibres can effectively replace virgin counterparts. The findings add weight to calls for coordinated EU action under frameworks like the Energy Efficiency Directive and Circular Economy Action Plan. A 10 per cent textile-to-textile recycling rate by 2035 could cut COâ‚‚ emissions by 440,000 tonnes annually and ease water scarcity by over 3 per cent, said IVL. With current rates at just 1 per cent, advanced recycling could boost it to 26 per cent by 2030. The study has urged EU policy support to improve fibre recycling efficiency and infrastructure. Fibre2Fashion News Desk (HU)