In this “Privacy Hour” session by Seqrite, Dr. Lalit Mohan hosts Koushik Balasubramanian, a founding member of Sisory and a seasoned risk consultant. The conversation moves beyond the technicalities of the Digital Personal Data Protection Act (DPDPA) to address the cultural and ethical shifts required within organizations. The central theme is that privacy is not just a legal “checkbox” but a foundation of trust between a business and its customers.

The following FAQs summarize the strategic and philosophical insights from the discussion.

Frequently Asked Questions

What is the significance of the term “Data Principal” in the DPDPA compared to “Data Subject”?

While it may seem like a simple word change, the shift from “Subject” to “Principal” signals a major cultural change. It reinforces the idea that the individual is the primary stakeholder of their data. Under the “Principal” framing, the data belongs to the individual, not to the organization, which is merely a custodian with a duty to protect it.

How are organizations handling the decades of “Legacy Data” collected before the DPDPA?

Many organizations have accumulated massive amounts of data over 50–60 years without clear consent. Mature companies are now cleaning up this data, removing what is unnecessary, and re-engaging customers to obtain fresh, valid consent that aligns with the new law.

What role does a “Consent Manager” play in the DPDPA ecosystem?

The Consent Manager acts as an intermediary or aggregator between the user and the organization. While the role is still evolving, its goal is to provide transparency and build trust by allowing customers to manage their data permissions in one place.

How can organizations ensure that customers understand “Notice and Consent”?

Translation into the 22 official Indian languages is only the first step. True comprehension requires the notice to be written in layman’s language rather than complex legal jargon. The objective is for a general customer to understand exactly how their data will be used in just a minute of reading.

Can an organization simply “delete” data upon a user’s request?

Technically, it is not a “simple cakewalk”. While data can be removed from primary systems such as CRM or billing, organizations must balance this with other regulations (such as RBI or Telecom rules) that mandate data retention for specific periods. In such cases, data might be archived specifically for law enforcement rather than fully deleted.

Who is responsible if a third-party vendor mishandles customer data?

The organization that collected the data is the custodian and remains ultimately responsible. To manage this, companies must implement “Third-Party Risk Management,” including audits and certifications, to ensure that vendors process data in accordance with instructions.

Will AI replace human auditors in ensuring privacy compliance?

No. While AI can handle monotonous, high-volume tasks such as identifying data patterns, final decision-making remains a human responsibility. Humans bring the necessary ethics, empathy, and emotional intelligence that AI lacks to decide how data should be handled.

What is the goal of the DPDPA for a business leader?

Boards and leaders should move past the question “Are we compliant?” and instead ask, “Are we trustworthy?” The session emphasizes that privacy must be in the “DNA” of every employee, treating data protection as an ethical duty rather than just a way to avoid a ₹250 crore penalty.

This video provides a deep dive into the mindset shift required for Indian organizations to successfully navigate the DPDPA era.