Navigating Challenges and Embracing Transformation under India's DPDP Act

Under India's DPDP Act, striking a delicate balance between fostering innovation and ensuring accountability presents a significant challenge

Supriya Rai


The Data Protection and Privacy (DPDP) Act, passed in the monsoon session of the Indian Parliament, is a landmark piece of legislation aimed at safeguarding individuals' personal data and privacy rights in the digital age. Envisioned as a comprehensive framework, the DPDP Act addresses concerns surrounding data collection, processing, storage, and transfer by both government and private entities. With the proliferation of digital technologies and the increasing interconnectedness of our lives, the Act seeks to establish clear guidelines and mechanisms to ensure transparency, accountability, and consent in the handling of personal data.


By empowering individuals with greater control over their information and imposing stringent obligations on data handlers, the DPDP Act endeavors to foster trust and confidence in India's digital ecosystem while balancing the imperatives of innovation and economic growth. However, while the act is largely being appreciated by organisations across the country, there are a few inherent challenges associated with it.

Challenges Associated with DPDP Act Implementation

Implementing the India Data Protection and Privacy (DPDP) Act faces several challenges that need to be addressed for its effective enforcement. One major issue is the complexity of regulating the vast and diverse digital landscape, including the sheer volume of data generated and processed daily. “The exponential growth in digital-first approach to customer experience has resulted in potential loopholes in ‘data security’. Multiple ways of logging into your favorite travel website through a Mobile App or a website using OpenAuth (OAuth) standards open up opportunities for hackers to exploit vulnerable systems. This makes it extremely important for large enterprises to invest heavily in adaptive maintenance that requires monitoring, troubleshooting and a quick turnaround in releasing security patches. With more frequent releases comes the challenge of automated test suites in CI/CD pipeline that provide an optimum test coverage. As you can see, it will take a well-coordinated set of mature software practices that will come together to enable an effective implementation of this valuable act,” says Bharat Kumar, Director of Software Engineering, Sabre.


Along similar lines, Balaji Rao, Area Vice President, India & SAARC, Commvault, while acknowledging that the Digital Personal Data Protection Act of 2023 was a linchpin in personal data regulation, stated that the Act encourages a privacy-conscious digital ecosystem, challenging companies to review their current working methods and invest in new processes to adhere to the evolving regulations. “Small and medium-sized businesses and startups may find it challenging to comply with the new regulations. While corporates have established protocols, they are bound to experience increased operational costs due to local data storage regulations, even though the new data protection law allows for more straightforward cross-border data transfer and processing.

Additionally, technology is developing much faster than the regulatory landscape. New-age technologies like Gen AI pose the challenge of dealing with plagiarism, data bias, deep fakes, etc. Given the extensive range of technology and the maturity of the regulatory landscape, it will be complex for enterprises to track through the data regulations and ensure that business processes remain resilient. Limited awareness among individuals about their data rights could be another challenge to implementing data hygiene practices,” he said. 

In addition to this, “While the DPDP Act represents a commendable leap forward, challenges remain. Exemptions granted to certain government agencies raise concerns about unchecked surveillance and a lack of accountability. Striking the right balance between national security and individual rights remains a complex tightrope walk. Additionally, unclear terms like ‘legitimate interests’ leave room for confusion and inconsistent application, potentially undermining the Act's effectiveness,” said Nitesh Khare, Certified Data Protection Officer, Director-Zou Global Services.


The Transformative Impact of DPDP Act

While there may be challenges with the implementation, the DPDP Act undoubtedly will bring about a transformation in the way organisations handle data. The India Data Protection and Privacy (DPDP) Act has the potential to catalyze transformative changes in several key areas. Firstly, it can significantly enhance individuals' trust and confidence in digital platforms and services by providing clear guidelines on how their personal data is collected, processed, and protected. This trust is fundamental for the continued growth of digital commerce, communication, and innovation. “The DPDP Act exerts a transformative influence on organizations, prompting them to reevaluate the nature and scope of data collected, enhancing data storage and security measures based on user permission preferences. The infusion of privacy safeguards allows organizations to embrace a leaner and more focused approach towards data handling,” says Balaji Rao.

Moreover, the DPDP Act can foster a culture of accountability among businesses and organizations handling personal data, thereby reducing the risk of data breaches and misuse. By prioritizing the protection of individuals' privacy rights, the Act can also spur innovation in privacy-enhancing technologies and practices, driving a more responsible and ethical approach to data management. “The DPDP Act is a great step in bringing some discipline to one of the most unregulated areas of Personal Data. While it appears as a ‘restrictive’ practice, it brings in a huge opportunity in areas of Travel technology. Every day, travel generates petabytes of data across multiple channels – front-end aggregators, third party vendors and of course large enterprises providing core services. The data lakes are over-flowing with information but due to lack of guardrails, there was a need to bring clarity of passenger rights and also on how organizations can enhance revenue opportunities by providing personalized recommendations. With the passage of this act, passengers will be more comfortable sharing enough information. Combine this with GenAI and we have a completely open canvas for Product companies to come up with a personalized way of providing niche services to discerning customers.

The implementation of the act requires us to work on managing ‘secure’ transmission, processing and storage of data. At the same time, another section of the act requires data fiduciaries to be able to have an audit trail that may require us to delete all data based on passengers' requests. The happy path would be easier but the challenge could be in making sure there are the right key-value pairs that can help connect the data elements,” stated Bharat Kumar.

Overall, the DPDP Act has the potential to usher in a new era of data governance that balances innovation with the protection of individuals' fundamental rights, ultimately shaping a more transparent, trustworthy, and inclusive digital ecosystem in India and beyond.