Speaking with TechGraph, Vikram Jeet Singh, Partner at BTG Advaya, discussed how the Digital Personal Data Protection Act, 2023 (DPDPA 2023), is compelling Indian companies to rethink how they collect, store, and process personal data, and how the firm is helping businesses embed privacy and consent management into their operational frameworks without compromising efficiency or growth.
He further spoke about how BTG Advaya is supporting clients through this transition by identifying compliance gaps and developing cost-effective frameworks that ensure preparedness and business continuity, while strengthening transparency and accountability across India’s evolving digital ecosystem.
Read the interview in detail:
TechGraph: The Digital Personal Data Protection Act, 2023, is being called a landmark law, but for companies that have operated for years without a clear privacy framework, it feels like an entirely new terrain. When you look at how businesses are structured today, what sort of overhauls will they actually need to stay compliant without losing efficiency, and what kind of advice are clients at BTG Advaya most often seeking on this front?
Vikram Jeet Singh: The DPDPA will mean a structural shift in every operational layer of an Indian business; every company will collect and store some personal data, be it of their employees, users, or vendors. Companies now have a task to integrate good data practices into their operations and treat this as part of their core activity. The days of ‘unlimited data’ should be over; now we have to get used to collecting only ‘minimal’ data, as is required for providing our services. The most prominent area of reform is likely to be redesigning the ‘consent management’ systems in place at your organisation. In addition to paper-based consents such as contracts and registers, digital platforms can be put in place to future-proof the company.
In addition, Companies will revamp their IT systems to correctly track and trace the collection, usage, and sharing of data. Most Indian businesses do not have data retention and deletion policies in place, even today. Incorporating opt-in consent options becomes important, as does implementing tools capable of managing consent throughout the data lifecycle. In addition, businesses will need to put in place grievance redressal mechanisms and policies governing one-off incidents such as data breaches, law enforcement queries, etc.
Our clients typically seek advice on the correct and most efficient way to go about these tasks. The first step in this process is finding out the ‘gaps’ in compliance, which is best done by a gap analysis exercise. We then advise them on best practices relating to data flows, privacy notices and contracts, structuring consent mechanisms, and contractual data protection clauses, etc.
TechGraph: The Act promises individuals more control over their personal information, which sounds empowering on paper. But in a country where many people still don’t fully understand how their data is being used, how much of this empowerment will genuinely translate into practice, and how much of the burden falls on businesses to interpret the law responsibly, in the way you see at BTG Advaya?
Vikram Jeet Singh: Admittedly, India does not have a culture of data privacy as of this date. Personal data is collected by all businesses, and in very large amounts; in most cases, this is done without any underlying framework to protect such data. As you can imagine, this will change once the DPDPA is operationalized.
In my view, the first and foremost task of the new Data Protection Board should be educating users about the rights they have in their own data sets. A ‘top-down’ enforcement of the new data law, based on fines and penalties alone, will not work in a country as large and diverse as India. The push for protecting data will need to come from the users themselves, for which they will need to be educated in how the new law impacts their rights and obligations.
The DPDPA places the onus on businesses to safeguard their users’ rights effectively and proactively. These organisations must design user-friendly systems, for instance, by way of easily comprehensible and accessible privacy notices that inform users of their rights. As a matter of principle, it should be as easy for a user to exercise their rights as it is for them to provide consent for the use of their data. Again, it is hoped that the Data Protection Board will assist businesses by providing FAQs, draft codes of conduct, etc., when it comes to nuances of compliance.
TechGraph: Industries like healthtech, fintech, and e-commerce are built on sensitive personal data, and their growth has depended on being able to analyse and monetise it. With the DPDP Act, 2023 setting tighter boundaries, how do you see these sectors redesigning their business models, and how are clients in these industries approaching BTG Advaya to navigate this transition?
Vikram Jeet Singh: Importantly, the DPDPA does not differentiate between categories of personal data; all sets of personal data are accorded the same level of protection. In practice, however, certain businesses and industries will be scrutinised more closely – this includes health-tech and also industries such as banking, insurance, investments, fintech, social media, and e-commerce. In addition to the common requirements, these entities will need additional steps that may include appointing a Data Protection Officer (DPO), undertaking Impact Assessments, audits, etc.
A number of clients have started taking specialised initial steps in order to align with the sensitivity parameters of their industry. There is no ‘one size fits all’ approach, and businesses will have to assess their individual risks and determine what mitigation and rectification steps are suitable.
TechGraph: One of the most debated features of the Act is the wide discretion it gives the government, both in exempting agencies and in deciding restrictions on cross-border data flows. Do you think this level of uncertainty makes it harder for businesses to plan long-term strategies, and what are you hearing from BTG Advaya’s clients who operate across multiple jurisdictions?
Vikram Jeet Singh: The power granted to the Government to exempt agencies is not surprising; this was always indicated, including in previous drafts of the privacy law. These exemptions may also be limited to administrative or supervisory agencies, such as law enforcement bodies. It remains to be seen if PSUs such as Indian Railways will enjoy any exemptions that give them an edge over private competitors. In practice, however, in my view, such exemptions to Government agencies will likely not directly impact private Indian businesses.
The cross-border data flow point is more worrying. Any restrictions on the free transfer of data can be problematic for businesses that increasingly rely on global infrastructure for their operations. For overseas entities that have operations or back offices in India, it is a matter of charting out a long-term strategy before investing further.
Given that the regulatory situation may change, it may be advisable to build a flexible architecture in terms of data storage and possibly establish data centres locally in India to mitigate future restrictions. Businesses can also adopt contractual terms and clauses to account for and mitigate against such ‘change in law’ situations.
TechGraph: Much of the conversation has been about penalties, because they are steep and headline-grabbing. But deterrence only works if enforcement is strong and consistent. Do you believe regulators in India have the capacity to enforce the DPDP Act, 2023, at scale, and how are you preparing your clients at BTG Advaya for the possibility of uneven enforcement in the early stages?
Vikram Jeet Singh: My hope is that the initial enforcement of the DPDPA is incremental, gradual, and selective. The enforcement responsibilities will primarily lie with the newly constituted Data Protection Board. I hope the initial focus of the Board is on user education and assisting the industry with compliance. In addition to leading user education initiatives and compliance, the Board will also have to (potentially) handle numerous complaints from users about their privacy rights.
Practically speaking, at least in the beginning, enforcement is likely to prioritize significant breaches and major digital business players, and not low-impact transgressions. Even so, to be on the safer side, we have seen businesses already setting up internal compliance systems for implementing the basics. This includes undertaking a gap analysis, record-keeping, standardising privacy documents, policies on breach notifications, etc. In addition, clients are prepping incident-risk response mechanisms and cybersecurity safeguards in the event of any scrutiny.
TechGraph: Startups and smaller businesses have raised concerns that compliance could weigh more heavily on them than on larger companies that already have systems in place. Do you think the DPDP Act, 2023, risks creating a divide where compliance becomes a barrier for new players, or do you also see opportunities for BTG Advaya to help them with more practical frameworks to comply without crippling costs?
Vikram Jeet Singh: Of course, it is possible that the Central Government in the future exempts entities such as startups or ‘small companies’ from complying with certain onerous obligations. This remains to be seen.
Compliance with the DPDPA does not differ based on the size of an entity; there is no ‘sliding scale’ when it comes to liability and enforcement. Smaller companies may bear a heavier burden in terms of compliance costs due to increased personnel and budget expenses, for one. From a practical standpoint, it should be possible for smaller companies to find cost-effective solutions to compliance by actually reducing the volume of personal data to be protected and audited..
As a first step, businesses should target ‘cleaning up’ their data flows – collecting only minimal data, reducing access points, purging historical data, etc. Other strategies could include incorporating basic cyberliteracy measures (e.g., personnel training) and appointing local ‘champions’ in each department. Finally, we may also see group companies pooling resources for compliance, like standard templates of privacy notices, a common Data Protection Officer, and a grievance mechanism across entities, etc.
TechGraph: India is trying to project itself as a credible global digital economy, and the DPDP Act, 2023, is often placed alongside frameworks like the GDPR. In your view, does the Act give Indian businesses a stronger footing in the international arena, and is BTG Advaya seeing global clients ask different kinds of questions now about India’s data ecosystem?
Vikram Jeet Singh: The GDPR is a much more developed law as of this date, unquestionably. The DPDPA is far less stringent, and there remains to issue of the lack of ‘adequacy ‘status to India by the EU. That said, it is hoped in the future that organizations can leverage compliance with the DPDPA as a way to alignment with the GDPR as well.
Much of this will depend on the implementation and enforcement of the DPDPA, and the tack that the Central Government and the Data Protection Board take when it comes to operationalizing the new law. The DPDPA will definitely provide India a strong entry point in the international data protection framework, in any event.
