What was the single biggest moment that put data privacy on India’s national agenda?
The turning point was the 2017 Supreme Court ruling in Justice Puttaswamy vs Union of India, where privacy was recognized as a fundamental right. While the Indian tech industry had been aligning itself with Europe’s data protection directive since as far back as 2005, the 2017 judgment gave the privacy community a constitutional foundation to build on, setting off years of deliberation that eventually led to the DPDP Act.
How has AI changed boardroom conversations about data privacy?
Privacy was already inching its way up the corporate ladder, but AI combined with the accountability framework of the DPDP Act accelerated the shift dramatically. Key obligations like appointing a Data Protection Officer, conducting Data Protection Impact Assessments (DPIAs), and undergoing independent audits have made privacy a board-level topic. Boards are now looking beyond compliance: privacy is increasingly seen as a trust-building measure, a signal to customers that the organisation takes their rights seriously.
Should privacy sit inside the security function, or does it need its own seat at the table?
Privacy is expected to follow a similar trajectory to how security evolved from sitting under the CIO to becoming an independent CISO function with board representation. In the short term, many organisations will house privacy under security. In the medium to long term, a dedicated privacy function with its own board committee is the direction. The key principle, borrowed from GDPR, is that there should be no conflict of interest; the DPO must be independent.
When will the Data Protection Board be operational?
The announcement could come at any time — the groundwork is already being laid, including the digital platform through which residents will raise grievances and enterprises will respond. The Board will function both as an enforcer (ensuring the law is not taken lightly) and as an enabler (issuing guidelines, templates, and forums). The objective is implementation and building trust, not just penalising non-compliance.
Consent management sounds complex — what does it actually mean for businesses and users?
Unlike GDPR, which offers several lawful bases for processing personal data, India’s DPDP Act is heavily consent-driven. There are four key challenges:
(1) The strict definition of valid consent: it must be free, specific, unambiguous, and unconditional
(2) The risk of consent fatigue, where users habitually click ‘yes’ without reading
(3) The obligation to honour consent withdrawal, which requires significant process re-engineering
(4) Architectural changes — businesses must plug a consent manager into their existing systems, not just add a checkbox. UPI’s rapid democratisation is a useful analogy for how consent management platforms could scale across India.
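The third and fourth challenges above (honouring withdrawal, and wiring a consent manager into existing systems rather than adding a checkbox) are easier to reason about in code. The following is an added illustration, not code from the page, from Seqrite or from any consent-manager product: a small purpose-bound consent ledger of my own design, with hypothetical purpose names, a decorator that gates an existing business function on active consent, and a withdrawal hook so that a downstream system (a stand-in mailing list) drops the data principal the moment consent is withdrawn. Whether a given ledger layout satisfies the DPDP Act is a legal question the code does not answer; it only shows the plumbing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from functools import wraps
from typing import Callable, Dict, List, Optional, Set, Tuple

# Purposes the notice to the data principal declares (constructed names).
DECLARED_PURPOSES: Set[str] = {"order_fulfilment", "marketing_email", "analytics"}


class ConsentError(Exception):
    """Raised when processing is attempted without a valid, active consent."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # Consent covers [granted_at, withdrawn_at). A withdrawn record stays
        # in the ledger so that earlier processing can still be accounted for.
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


def _now(when: Optional[datetime]) -> datetime:
    return when or datetime.now(timezone.utc)


class ConsentManager:
    """Purpose-bound consent ledger that every processing path must consult."""

    def __init__(self, purposes: Set[str] = DECLARED_PURPOSES) -> None:
        self._purposes = set(purposes)
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self._withdrawal_hooks: List[Callable[[str, str], None]] = []
        self.audit: List[str] = []

    def on_withdrawal(self, hook: Callable[[str, str], None]) -> None:
        # Downstream systems register here so withdrawal propagates to them.
        self._withdrawal_hooks.append(hook)

    def grant(self, principal_id: str, purpose: str, when: Optional[datetime] = None) -> ConsentRecord:
        when = _now(when)
        if purpose not in self._purposes:
            # A blanket "everything" consent is not specific: refuse to record it.
            raise ConsentError(f"undeclared purpose {purpose!r}")
        record = ConsentRecord(principal_id, purpose, when)
        self._records[(principal_id, purpose)] = record
        self.audit.append(f"{when.isoformat()} GRANT {principal_id} {purpose}")
        return record

    def withdraw(self, principal_id: str, purpose: str, when: Optional[datetime] = None) -> bool:
        when = _now(when)
        record = self._records.get((principal_id, purpose))
        if record is None or record.withdrawn_at is not None:
            return False
        record.withdrawn_at = when
        self.audit.append(f"{when.isoformat()} WITHDRAW {principal_id} {purpose}")
        for hook in self._withdrawal_hooks:
            hook(principal_id, purpose)
        return True

    def may_process(self, principal_id: str, purpose: str, when: Optional[datetime] = None) -> bool:
        record = self._records.get((principal_id, purpose))
        return record is not None and record.active_at(_now(when))


def requires_consent(manager: ConsentManager, purpose: str):
    """Decorator that gates an existing business function on active consent."""
    def decorate(fn: Callable[..., str]) -> Callable[..., str]:
        @wraps(fn)
        def wrapper(principal_id: str, *args, **kwargs) -> str:
            if not manager.may_process(principal_id, purpose):
                raise ConsentError(f"no active consent: {principal_id} / {purpose}")
            return fn(principal_id, *args, **kwargs)
        return wrapper
    return decorate


class MailingList:
    """Stand-in for a downstream system that must honour withdrawal."""

    def __init__(self) -> None:
        self.members: Set[str] = set()

    def handle_withdrawal(self, principal_id: str, purpose: str) -> None:
        if purpose == "marketing_email":
            self.members.discard(principal_id)


def run_demo() -> Dict[str, object]:
    manager = ConsentManager()
    mailing = MailingList()
    manager.on_withdrawal(mailing.handle_withdrawal)

    @requires_consent(manager, "marketing_email")
    def send_promo(principal_id: str) -> str:   # existing business function
        return f"sent promo to {principal_id}"

    manager.grant("dp-001", "marketing_email")
    mailing.members.add("dp-001")
    first = send_promo("dp-001")
    manager.withdraw("dp-001", "marketing_email")
    try:
        send_promo("dp-001")
        second = "sent"
    except ConsentError:
        second = "blocked"
    try:
        manager.grant("dp-002", "everything")
        blanket = "accepted"
    except ConsentError:
        blanket = "rejected"
    return {"first": first, "second": second, "blanket": blanket,
            "still_on_list": "dp-001" in mailing.members,
            "audit_entries": len(manager.audit)}
```

The design point is that consent is stored per (principal, purpose) rather than as one flag, that withdrawal is an event other systems subscribe to rather than a field someone remembers to check, and that the ledger keeps withdrawn records so a later query "was processing at time t covered?" can be answered from the audit trail.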
How should Indian organisations reconcile Gen AI and LLMs with data privacy obligations?
Much of the data used to train large models was voluntarily shared on public platforms (social media, forums, and so on), making it difficult to unwind. The EU’s Digital Omnibus initiative is an example of attempts to balance innovation with individual protection. Over-regulating AI too early risks missing the innovation bus, especially since the technology is evolving weekly. Guardrails and enterprise-level governance controls exist, but as an individual, being mindful of what you share publicly is the most practical first defence.
Where does India stand on data localisation, and how does it interact with the DPDP Act?
India takes a pragmatic, negative-listing approach rather than a blanket adequacy-assessment model like the EU. Context matters: India is one of the world’s largest data processors, so overly restrictive cross-border transfer rules would have serious economic consequences. That said, critical data (financial, healthcare, critical national infrastructure) will likely require local storage, consistent with RBI’s existing mandate. Where another sector-specific law demands higher protection, the DPDP Act defers to it.
What is the most underrated privacy risk organisations are overlooking right now?
Three forms of fatigue threaten to undermine the entire ecosystem: consent fatigue (users auto-approving notices), notice fatigue, and breach notification fatigue. Because the DPDP Act does not currently categorise breaches by risk level, every incident — no matter how minor — must be reported to the Data Protection Board and to affected individuals, with penalties of up to Rs. 200 crore for failure. This could flood individuals with notifications, causing them to miss the ones that actually require action, such as changing credentials or deleting a file.
Why is data discovery and classification so critical before anything else?
You cannot protect what you do not know you have. A thorough data discovery exercise is a prerequisite — even before building your Record of Processing Activities (ROPA). This means scanning endpoints, commercial off-the-shelf platforms (SAP, Oracle), custom databases, and edge devices. Modern AI-powered tools can identify sensitive data like Aadhaar and PAN numbers through pattern recognition. Critically, this exercise must be repeated periodically: shadow projects and unregistered servers can quietly accumulate personal data without the DPO’s knowledge.
What does a great DPO actually look like and how should organisations build a privacy team?
The DPO role sits at the intersection of law, technology, business process, and stakeholder communication. It requires liaising with the Data Protection Board, handling customer grievances, advising the board of directors, and scrutinising every data field collected. For aspiring privacy professionals: if you come from a tech background, invest in understanding the law and business processes; if you come from a legal background, build genuine technology literacy: understand what Gen AI does and what quantum computing implies. Privacy champions can be identified within business units and nurtured over time.
What does success look like for India’s DPDP journey by 2030?
True success means bringing unorganised, less-regulated sectors (local hospitality chains, small clinics, and regional processors) into the fold, not just large, globally exposed organisations that are already well prepared. It also means narrowing the digital divide so that privacy rights are accessible to every resident, not just the digitally literate. Grassroots efforts like privacy cohorts that bring hospitals from remote regions together, followed by ongoing privacy clinics, are early indicators of what a successful DPDP implementation looks like at scale.
What should every person watching this Data Privacy session for DPDPA do starting next week?
Four action points:
(1) Read the law, both as an enterprise professional, understanding your obligations, and as a resident, knowing your rights.
(2) Assess where your organization currently stands in its implementation journey.
(3) Reach out for help to Seqrite if you are stuck or starting from scratch.
(4) Flag pain points if you encounter a genuine implementation challenge; bring it to DSCI so it can be escalated and solved at an industry level, not just for your organization.