Strategic considerations for global companies looking to comply with India’s new data protection law

Tuesday 10 March 2026

Aaron Kamath

Nishith Desai Associates, Bengaluru

aaron.kamath@nishithdesai.com

Shashank Venkat

Nishith Desai Associates, Bengaluru

shashank.venkat@nishithdesai.com

Tanishq Gupta

Nishith Desai Associates, Bengaluru

tanishq.gupta@nishithdesai.com

Overview and applicability

India has brought into force its first standalone comprehensive data protection framework, which has been in the works for almost a decade now. The origins of this journey can be traced back to a landmark judgment issued by the Supreme Court of India,[1] in which the Court held that privacy is a fundamental human right (associated with the right to life and personal liberty) under the Constitution of India.

The various drafts, discussions and deliberations culminated in the introduction of the Digital Personal Data Protection Act 2023 (the ‘Data Protection Act’) and the Digital Personal Data Protection Rules 2025, issued thereunder (the ‘Data Protection Rules’), which govern the collection, use, storage, disclosure and deletion of personal data. The applicability of the new framework is extra-territorial and extends to all processing of personal data within India and to processing undertaken outside India where such processing is connected to offering goods or services to individuals located in India. This, accordingly, brings global businesses under the ambit of the new data protection law, irrespective of whether they maintain a physical presence in India.

While the new data protection law draws some inspiration from the European Union’s Regulation (EU) 2016/679 (otherwise known as the General Data Protection Regulation or EU GDPR), there are key differences, including restricted legitimate uses under Indian law, differing ages in regard to an individual’s competence to provide consent, more limited rights for individuals and stricter data breach reporting requirements. However, key definitions and concepts, such as ‘personal data’,[2] ‘processing’,[3] ‘data fiduciaries’[4] (akin to data controllers under the EU GDPR) and ‘data processors’,[5] are almost entirely the same in the EU GDPR and India’s new data protection law. The new law also establishes the ‘Data Protection Board’, a new regulatory and enforcement authority that is responsible for exercising oversight over businesses in regard to their compliance with the new law.

The new law is a significant overhaul of the earlier privacy framework in India. As a first step, global businesses should conduct a data inventory and mapping exercise to understand the flow of personal data within the organisation, across group entities and to third parties, particularly where India-related operations interface with global systems. This exercise will help determine whether an entity acts as a data fiduciary, ie, an entity determining the purpose and means of processing, or as a data processor, ie, an entity processing personal data on behalf of a data fiduciary. This is a crucial distinction because the new law imposes all of the relevant obligations and corresponding penalties on data fiduciaries.

From a strategic and governance perspective, data mapping provides businesses with a clear understanding of their data collection and processing activities. This enables businesses to make informed decisions about the relevant operating models, third-party arrangements, intra-group data sharing arrangements and technical measures and safeguards, while ensuring their ongoing compliance with the applicable laws. For global businesses, implementing privacy-by-design principles as part of this process can not only strengthen compliance, but also serve as a market differentiator, signalling to customers and partners that privacy and data protection are integral to their operations.

Additionally, for multinational groups, this foundation helps align the India-specific obligations with existing global privacy frameworks (such as the EU GDPR) and helps to embed regulatory compliance into the company’s broader corporate governance and enterprise risk management processes.

While the new law will be implemented in phases, the compliance requirements for data fiduciaries come into force in May 2027, and several global businesses have already begun their compliance journey with a data mapping exercise, as described above and as detailed in the sections below. In practice, organisations that invest in this exercise early will be better positioned to respond to regulatory scrutiny, scale their operations and adapt to regulatory changes.

Consent and the user interface (UI)/user experience (UX) overhaul

Consent under the new framework should be free, specific, informed, unconditional and unambiguous, expressed with a clear affirmative action. This means that certain methods and practices previously adopted by businesses, such as pre-ticked checkboxes, assuming consent through silence/inaction and the use of clubbed privacy notices that include terms unrelated to privacy (platform policies, such as refund/exchange terms), may no longer be permitted under the new data protection law.

The consent requirements outlined above necessitate a UI/UX redesign. Consent notices for the collection of personal data after the coming into force of the data protection laws must: (1) be prominently displayed (possibly as a pop-up) before the collection of the personal data or providing access to the services; (2) clearly specify the categories of personal data that will be collected and the purposes of the processing; and (3) require users to take an affirmative step, such as selecting an unchecked box or clicking an acceptance button, in order to provide affirmative consent.

Businesses could consider implementing ‘scroll wrap’ for obtaining consent, ie, a mechanism whereby users must scroll through the entire text of the privacy policy prior to providing affirmative consent, as a best practice. This will help businesses demonstrate that valid consent was obtained (which is crucial because the law places an obligation on businesses to demonstrate this) and will help mitigate the risk of penalties being imposed.

For legacy data, ie, personal data that was collected pursuant to valid consent obtained under the previous law, businesses are only required to contact the relevant individuals and inform them of the personal data that is being processed and the purpose of such processing (consistent with the consent obtained prior to the implementation of the new data protection framework). However, if the legacy personal data is to be processed for any additional purpose or if additional personal data is proposed to be collected, businesses will be required to obtain fresh consent from the data subject for this purpose.

Consent managers

The new law introduces the novel concept of ‘consent managers’. A consent manager is an entity that is required to be registered with the Data Protection Board and is authorised to act as a point of contact to enable individuals to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform. In practice, it appears that businesses will have to engage with certain consent managers, and that individuals looking to avail of any goods or services will have to engage with the consent manager and provide their consent to businesses through the consent manager’s platform.

For smaller and medium-scale businesses, integrating with consent managers may help to reduce the financial burden of maintaining a sophisticated consent management infrastructure, since consent managers will handle the granular consent collection, management and withdrawal process. Larger businesses may deploy their own infrastructure to manage consent or onboard a consent manager. Any specific implementation challenges in this regard will only become apparent once the new law has been implemented.

Retention, deletion and purpose limitation

The new law puts emphasis on purpose limitation and requires businesses to ensure that personal data is only retained for as long as necessary to fulfil the specified purpose. The new law also prescribes separate deletion requirements for specific businesses, such as e-commerce entities, online gaming firms and social media intermediaries. Businesses are also required to inform the relevant individuals at least 48 hours prior to the deletion of their personal data. Further, all businesses are required to retain all personal data, associated traffic data and other logs in respect of any processing undertaken by them, for a period of one year from the date of such processing, for use by the government or to determine whether a business qualifies as a ‘significant data fiduciary’ (which involves additional obligations and compliance requirements).

Pertinently, the retention requirements under the new law may conflict with certain sector-specific retention requirements (such as the retention requirements imposed by the regulations issued by the Reserve Bank of India (RBI) for financial businesses or the Insurance Regulatory Development Authority of India for insurance businesses) or retention requirements under other laws, such as tax regulations and anti-money laundering regulations, which may require personal data to be stored for a longer period of time.

To manage the conflicting retention requirements, businesses should tag each personal dataset during the initial data mapping exercise, along with the applicable legal basis for retaining such data. Where longer retention periods are required under sector-specific, tax or anti-money laundering laws, these requirements will supersede the purpose limitation requirement under the new data protection law.

Managing multiple reporting obligations

The new framework introduces strict, time-bound requirements in regard to breach notifications that must be provided to the Data Protection Board, as well as to the affected individuals. These reporting requirements are in addition to other reporting requirements under Indian cybersecurity laws, including the reporting obligations in regard to the Indian Computer Emergency Response Team (CERT-In) and the reporting obligations in regard to sectoral regulators, such as the RBI and the Securities and Exchange Board of India (as applicable to sector-specific regulated entities), all of which may have varying timelines.

To ensure that businesses effectively manage multiple reporting obligations, businesses may need to implement effective internal monitoring mechanisms and deploy dedicated teams and personnel who are responsible for detecting, reporting and escalating incidents under the various applicable laws. This is important because certain incidents that may require reporting to the CERT-In may not necessarily need to be reported under the data protection law and such teams must be adequately trained to monitor and determine which reporting requirements will be applicable in each instance.

Another crucial consideration under the data protection law concerns the responsibility for reporting breaches. For each personal dataset, the entity that is the ‘data fiduciary’ will be responsible for reporting any breaches. Here, it is important to note that: (1) the law does not preclude two entities being considered ‘data fiduciaries’ for the same set of personal data; and (2) the law does not prohibit joint reporting in circumstances where two entities are data fiduciaries with respect to the same personal dataset. Accordingly, depending on an evaluation of the relationship between the business and its service providers (such as cloud service providers and marketing agencies) and the nature of their role with respect to the personal data, either the business or the service provider, or both, may be required to report the breach.

Cross-border data flows

The new framework adopts a blacklist-based approach to the transfer of personal data from India to outside India, ie, cross-border transfers of data are permitted to all countries or territories that have not been blacklisted by the Government of India. This is a departure from the EU GDPR, which stipulates that cross-border data transfers are permitted to territories that have adequate levels of data protection in place. However, businesses should be cognisant of any sector-specific localisation requirements that may be applicable with respect to particular personal datasets (illustratively, entities regulated by the RBI are required to store payment systems data in India); such requirements are stricter and will supersede the new data protection law.

Businesses should ensure that individuals are made aware that their personal data is being transferred outside India, and must keep in mind that they will ultimately be responsible for any contravention of the new data protection law with respect to such personal data, even if the contravention directly arose from the actions/omissions of the foreign party receiving the personal data (including cloud service providers and web hosting service providers, etc). Businesses designated as ‘significant data fiduciaries’ may be subject to further localisation requirements that may be prescribed in future by the government.

The data of children and persons with disabilities

The new framework includes additional obligations for businesses to obtain the verifiable consent of parents/guardians of children or persons with disabilities prior to processing their personal data. Businesses must therefore first make a policy-level decision as to whether the processing of such personal data is crucial to their business objectives. Individuals must be at least 18 years old to provide consent directly rather than through their parent/guardian. This is a departure from other privacy standards, which prescribe that persons between 13 and 16 years old may provide consent directly for the processing of their personal data.

Businesses should note that the requirement to verify parental/guardian consent will not be triggered until a self-declaration is made that the individual cannot provide consent as per the new framework. Upon receiving such a self-declaration, businesses should: (1) obtain the verifiable consent of the parent/guardian of the child and carry out due diligence to check whether the individual identifying themselves as the parent/guardian is an adult, by relying on details already available to the business or provided by the parent/guardian; or (2) obtain the verifiable consent of the lawful guardian of the person with a disability and verify whether such person has been rightfully appointed as their guardian under the relevant law.[6] Businesses need not concern themselves with verifying the relationship between the child and the purported parent.

The way forward

While businesses still have 18 months to comply with most of the operational provisions in the new law, it is important that they follow a structured process. Businesses should begin by conducting a data mapping/inventory exercise, as detailed above. This should be followed by a gap analysis to determine whether adequate data governance measures are in place, including assessing the adequacy of the technical and security safeguards, whether the notice and consent mechanisms comply with the new law (including compliance related to the UI/UX of the website/application) and whether the prescribed data retention periods are being adhered to.

Based on this assessment, businesses will be able to identify the gap between their existing processes and the compliance obligations set out in the new data protection law. Organisations will then be able to make incremental changes, such as updating their internal policies, customer-facing notices and third-party agreements; implementing a breach reporting mechanism; refining the data retention and deletion processes; and enhancing the technical and organisational security measures, to address the gaps identified. If businesses are already compliant with other international privacy frameworks (such as EU GDPR), this approach will allow them to make targeted changes in order to comply with India’s new data protection law.

The new framework is underpinned by a strong enforcement philosophy, evidenced by the penalties that go up to Rs. 2,500 Crore (approximately $30m). Businesses must, therefore, treat this 18-month window as an opportunity to put in place robust compliance systems and operationalise those systems in a structured manner to mitigate the risk of enforcement action being instigated under the Data Protection Act.


[1] Justice K.S. Puttaswamy v Union of India WP (C) 494/2012.

[2] Section 2(t) of the Data Protection Act: ‘personal data’ means any data about an individual who is identifiable by or in relation to such data.

[3] Section 2(x) of the Data Protection Act: ‘processing’ in relation to personal data means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as the collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.

[4] Section 2(i) of the Data Protection Act: ‘data fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

[5] Section 2(k) of the Data Protection Act: ‘data processor’ means any person who processes personal data on behalf of a data fiduciary.

[6] Rule 11(1) of the Data Protection Rules.