DPDP Act Compliance

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is a notable milestone in India's data governance journey. The DPDP Act is designed to empower individuals living in India with rights over their personal data (Personally Identifiable Information), and it places data protection accountability on the organizations handling such data. For leadership teams across industries, understanding the implications of this Act is no longer optional: it is a regulatory imperative as well as a business requirement.


DPDP Act - A historical perspective

India's approach to data privacy has evolved through a combination of legislative measures, regulatory guidelines, and landmark judgements.

The Information Technology Act, 2000

Before the DPDP Act was introduced in 2023, the IT Act, 2000 served as India's primary legislation governing cyber activities.

Section 43A: Mandates that organizations handling sensitive personal data implement reasonable security practices. Failure to do so can result in liability for damages.

Section 72A: Penalizes the disclosure of personal information without consent, emphasizing the importance of data confidentiality.

Right to Information (RTI) Act, 2005

The RTI Act allows citizens to access information from public authorities. However, it also includes provisions to protect personal data:

Section 8(1)(j): Exempts from disclosure personal information that lacks public interest or could invade individual privacy, balancing transparency with privacy concerns.

DPDP Act - In a nutshell

The DPDP Act was enacted in August 2023 and is expected to be enforced once the DPDP Act Rules are notified.

The Act is similar to global data protection laws such as the EU General Data Protection Regulation (GDPR), but the DPDP Act is contextualized for India's digital economy.

The DPDP Act introduces terminology such as ‘Data Fiduciary’ (entity deciding the purposes of personal data), ‘Data Principal’ (individual whose data is processed), and ‘Consent Manager’ (intermediary managing consent).


Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our DPDP Act consulting clients range from start-ups to large enterprises.

DPDP Act - Challenges

While most businesses understand what the Act covers, translating this understanding into operational readiness can be challenging. A few common issues include:

  • lack of clarity on data flow mapping,

  • difficulty in implementing consent management,

  • uncertainty about cross-border data transfers, and

  • fragmented data security controls.

Adding to this complexity, technology stacks often evolve faster than governance policies, making the technical controls related to data security an additional challenge.

Why Bellwether for DPDP Act Readiness

Readiness Assessment & Gap Analysis

Bellwether performs a detailed review of your current data handling practices across business units, geographies and vendors. Using our DPDP Control Framework, we identify gaps and categorize them as high, medium or low risk. The assessment covers consent practices, notice mechanisms, grievance redressal protocols, data retention policies, and data transfer procedures.

Policy and Governance Framework

Based on the gaps identified, Bellwether assists in drafting or revising policies such as the Privacy Policy, Consent Notice, Data Retention Policy, and Grievance Redressal Procedures. Bellwether also helps establish governance mechanisms, including a Data Protection Officer (DPO), related roles and reporting structures.

Technology Integration

Bellwether works closely with IT teams to ensure systems are equipped to enforce technical and organizational measures. This includes implementing role-based access controls (RBAC), encryption of data, secure audit trails, and purpose limitation enforcement. We also guide cookie consent management and enable automation of Data Principal Rights workflows.

Vendor Due Diligence and Contracts Review

We assess your third-party vendors (also known as data processors) to ensure they provide the level of protection mandated by the law. We also review and redraft data processing clauses in commercial agreements to reflect the accountability and lawful processing principles under the Act.

Training & Awareness

Leadership-focused and employee-focused training modules are delivered to ensure privacy-by-design principles are embedded across teams. We also conduct high-level overview sessions to help executive teams understand the core principles of the DPDP Act.

Breach Management

We help you design data breach response protocols, with a focus on fulfilling the data breach notification requirement towards the Data Protection Board and the affected Data Principals. Our security response plan and procedures help organizations fulfil this obligation and reduce penalties even in the event of a personal data breach.

Significant Data Fiduciary Support

For Significant Data Fiduciaries, who are subject to additional requirements under the DPDP Act, Bellwether can help with documentation for Data Protection Board inspections, including but not limited to:

  • Records of Processing Activities (ROPA),

  • consent logs,

  • grievance logs,

  • Data Protection Impact Assessments (DPIA), and

  • internal audit and reporting.

Our Data Privacy regulatory consultants can drive your Enterprise Risk Management

Looking for a DPDP Act Compliance Consultant?

Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, infosec and legal expertise. Our DPDP Act consulting clients range from start-ups to large enterprises.

Get in touch today to talk to a DPDP Act Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.

DPDP Act penalties

Penalties under the Act are tiered at up to ₹250 crore, ₹200 crore and ₹150 crore depending on the category of non-compliance:

Failure to take reasonable security safeguards (up to ₹250 crore): if there is a data breach due to poor security controls.

Failure to inform the Data Protection Board and the user about a data breach: if you suffer a data leak and fail to notify the affected Data Principals or the Board.

Processing children's data without the required safeguards or parental consent: if you collect data from children but fail to follow the Act.

Failure to address Data Principal (user) rights: if a Data Principal asks to access, delete or correct their data and you don’t respond.

Non-compliance by Significant Data Fiduciaries: if high-risk processors don’t appoint a DPO or perform audits as required.

Understand your privacy risk.

Evaluate your data security processes.

Stay compliant.

Avoid penalties.


The author heads the Cybersecurity and Data Privacy Compliance practice at Bellwether, where he has been advocating the core principles of the EU GDPR such as data minimization, purpose limitation, explicit consent, and privacy by design and default. Apart from delivering end-to-end consulting engagements on the DPDP Act, 2023, EU GDPR, HIPAA, PCI DSS, FDA 21 CFR Part 11 and NIST CSF, he leads the data privacy and infosec consulting practice at Bellwether with a team of consultants experienced in global data privacy regulations.

LinkedIn: https://in.linkedin.com/in/balu0103
