In August 2023, the Indian Parliament passed the country’s first data protection act, the Digital Personal Data Protection (DPDP) Act, which establishes a framework for the processing of personal data in India. The legislation underscores India’s focus on building a strong data privacy regime, which, according to EY, is an integral part of building a transparent and sustainable organisation of the future.
Khaitan & Co senior partner Rajiv Khaitan believes that any startup will need to “create the trust and confidence of its customers… [that] whatever data we hand over to this entity is [to be] kept protected, safe, and used only for the purpose for which it is given”.
Speaking to YourStory assistant editor Kanishk Singh at a fireside chat at TechSparks 2024, Khaitan spoke about the legislation around digital data and personal information, and data protection in India.
Khaitan said under the DPDP Act, a person who submitted their data online needed to have access to that data, check whether it was reliable and correct, and could ask the service to discontinue storing their data, in which case, the company would have to delete that data from all its records. “It would also have to ensure that all data storage locations, networks and servers were safe and secure. The DPDP Act was a supplement to existing data laws in India, such as the Information Technology Law,” Khaitan said.
When asked about exceptions for startups, Khaitan said the government could exempt a few by way of a notification, depending on their level of operation and the data they collect. Even if exempt from the act, startups needed to ensure data privacy to create customer trust, he said.
However, the government was still collecting data for its records, for example, for giving grants or subsidies, or public security. This was exempt from the act, but did not mean that the government could misuse the data, he added.
“They will have internal rules to protect the data in the same way, except they don’t need to protect it under the [act]. They have to make their own rules for collection. Having said that, the data protection level has to be absolute, because the law has severe penalties for violating or making any data breach,” Khaitan said.
Startups needed to set up their personal information database in such a manner that they would ensure full compliance even when scaling up to a million customers and more.
Comparing penalties imposed by the European Union’s GDPR regulation and India’s DPDP Act, Khaitan said that India’s rules were better than the GDPR: it provided for a penalty of up to Rs 250 crore. But this does not mean that an Indian company can pay the fine and go scot-free. The data privacy board could consider the provisions violated, the number of times the violation had occurred, whether it was intentional or unintentional, and whether the company had systems in place that ensured due care of the data. This also applied to personal care and healthcare data. The penalty could also quadruple in case a company made the same error multiple times, he added.
Khaitan was positive about the opportunity that the act had created in the data compliance space, and said there was ample room for reg-tech or compliance-tech startups to come in and bridge the gap, helping young companies and startups to adhere to the law when it came into force.
A new business opportunity lay in becoming a ‘consent manager’, he said: an entity that would store customer data and, based on instructions given by the data principal, deal on their behalf with each ecommerce company, startup or other entity with which the data and information were being shared.
“[This] is going to be a huge business because they will be the intermediary between you as a customer and all users of your personal information,” he said.
The role of AI in data compliance is also significant. Once the DPDP law is enforced, it will enable many new startups with new ideas, some of which could use compliance itself as their unique selling proposition, Khaitan concluded.