Weighing the risks | Navigating the path to DPDPA compliance
By this time next year, India’s data protection law will be in effect.
The route so far has been a scenic one, with recent events amplifying existing concerns. February saw a wave of panic when a (yet-to-be-implemented) proposal to fast-track the implementation of some provisions, including a mandatory data retention requirement, was reported. Petitions challenging the constitutionality of the DPDPA framework, including State powers to call for information and the absence of a journalistic exemption, followed swiftly.
So, too, did businesses’ increasingly urgent questions about readiness, feasibility, and ultimately, risk: “What if I don’t comply at all, comply partially, incorrectly, or belatedly?” Shaping compliance is rarely a question of black and white; it is more often a question of navigating the grey. As we count down to 13 May 2027, here’s a closer look at some enforcement-related risk factors that could shape compliance strategies.
The Compliance Question
Compliance is often seen as a cost centre, making risk the deciding factor. Entities frequently allocate time, effort, and resources based on the likelihood of a risk arising and its scale.
The specific reluctance to invest in compliance in an Indian data protection context comes with added history. Entities have grappled for years with the innate ambiguities at the heart of the current data protection regime under the IT Act (fondly referred to as the ‘SPDI Rules’). They have navigated its interchangeable use of the terms ‘personal information’, ‘information’, and ‘sensitive personal data or information’; watched the scale of potential penalties for non-compliance increase exponentially, and waited for enforcement; and witnessed drafts of the new data protection law contemplate percentage-based penalties, criminal liability, and a compensation scheme, only to later discard them in favour of a list of penalties for certain contraventions. Given this, the prospect of overhauling privacy practices, programs, policies, and most significantly, mindsets in the run-up to the DPDPA frequently prompts the question: “Why?”
Pointing to the prescribed penalties, which run up to INR 250 Crore (~USD 26 million) in some cases, may trigger raised eyebrows and some panic. It does not, however, set the wheels of compliance in motion in all cases; many entities, understandably, remain focused on first determining what the real risk is to them.
This is a tough question to definitively answer without a history of enforcement, or regulatory guidance on compliance expectations. Tracing the stages leading up to the imposition of penalty under the DPDPA can, however, help. From the start of an inquiry into an alleged contravention up until the Board’s decision to penalise non-compliance, each stage provides some helpful risk markers for data fiduciaries preparing for the DPDPA.
What could trigger an inquiry?
The DPDPA lists the various starting points for an inquiry: a complaint, a reference, or an intimation made to the Data Protection Board of India (Board), the enforcement authority under the new regime. If the Board decides there are sufficient grounds, it can commence an inquiry, inquire into an alleged contravention by a data fiduciary, determine if it is significant, issue directions, and impose penalties as it considers appropriate. Each of these entryways may shape the risk of an inquiry for a data fiduciary differently.
A data principal’s complaint. A single complaint from a data principal, alleging (1) a personal data breach or (2) a contravention of a data fiduciary’s obligations or of the exercise of a data principal’s rights, may be all it takes to kick-start an inquiry.
Outside of a breach context, this means that a complaint can cover a wide range of acts or omissions on a data fiduciary’s part. Not correcting a patient’s inaccurate personal data despite their request for such a correction, for example, could trigger an inquiry into the health service provider’s omission. Similarly, making the opt-out process for marketing communications harder than consenting to receive them could also lead to an inquiry. In these cases, a poorly managed grievance redressal mechanism could be the gateway, as a data principal must exhaust the grievance redressal route before approaching the Board.
This makes decisions about how to comply with substantive requirements – e.g., how can withdrawing consent be made as easy as providing it? – and establishing an effective grievance redressal mechanism equally important.
Government or court reference. A reference from a State Government, the Central Government, or a court can also trigger an inquiry. The DPDPA does not clarify the conditions under which such a reference may arise, making the possibilities seemingly endless.
It is possible, for instance, that the State’s ability to call for information under the DPDPA may result in scrutiny of a data fiduciary’s privacy practices, or those of a class of data fiduciaries, and lead to a reference. This could, for example, result in the Board examining the processing activities of a data fiduciary that relies on an exemption (e.g., processing for research purposes). It could also, potentially, take the shape of an inquiry into sector-specific privacy practices (or several independent inquiries), based on information gathered from a class of data fiduciaries. The Office of the Australian Information Commissioner’s decision to conduct a targeted review of privacy practices across 6 sectors that collect personal data in person provides a recent global precedent.
Given that it is unclear what the subject of a reference may be, building strong and defensible compliance strategies across processing activities is pivotal.
Intimation of a personal data breach. Intimating the Board of a personal data breach, in addition to triggering directions for remedial action, can notably also spark an inquiry. The DPDPA does not prescribe a materiality threshold for reporting personal data breaches. This makes every event that qualifies within the definition a reportable breach – with non-compliance facing a penalty of up to INR 200 Crore (~USD 20 million). Consequently, the anticipated frequency of such reporting presents just as many opportunities for the Board to initiate inquiries into a data fiduciary’s security practices, and impose penalties for contraventions.
Given this, building strong security safeguards to prevent or reduce the occurrence of reportable breaches is equally important.
Do all inquiries lead to a penalty?
Not all roads lead to a penalty. It is, however, difficult to say definitively which ones won’t. Contraventions that the Board considers significant are expected to attract a penalty, but the DPDPA does not clarify what will count as a significant contravention. Having said that, the non-exhaustive list of factors that the Board must consider in determining the quantum of a penalty – such as the type and nature of personal data affected by the breach; its nature, gravity, and duration; and the repetitive nature of the breach – may shed some light on this. Such factors may also determine the scale of a penalty for a partial contravention.
Unlike other global data protection regimes, such as the GDPR, the DPDPA does not cap penalties for composite contraventions. Accordingly, an inquiry that finds that multiple, distinct contraventions are significant, may result in substantial cumulative penalties.
The cost of pausing an inquiry
Data fiduciaries can stop the clock on an inquiry by submitting a voluntary undertaking to do, or refrain from doing, something. If the Board accepts the undertaking and the data fiduciary adheres to it, it will bar continued proceedings on that issue.
While a preferable alternative to the penalty route, a voluntary undertaking likely only pushes the compliance burden – and the attached cost – down the road. At that stage, a data fiduciary has far less latitude to decide how to comply with the law, since its chosen approach must be accepted by the Board for the undertaking to bar further proceedings.
Estimating risk with any regime change – particularly without regulatory guidance – is difficult.
Given that an inquiry can be triggered in numerous ways, preemptively identifying factors that could set you on the back foot in such proceedings is vital. Scoping out these factors early can help chart robust, defensible compliance structures – from highlighting vulnerable privacy practices to building strong technical and operational measures that enable compliance.
In this case, as in most, prevention is likely better than cure.