DPDP Compliance for Start-ups: Strategies to Meet India’s Data Privacy Law
Guide to Personal Data, Core DPDP Roles, Compliance Essentials, And Future-ready Readiness
Privacy was once a concern reserved for global icons like Michael Jackson and Princess Diana, or, for the newer generation, Justin Bieber and Selena Gomez. Those days are firmly behind us. In an age dominated by Instagram, Facebook, Twitter (now X), Snapchat and TikTok, almost everyone is a mini celebrity. As a result, data privacy is no longer a niche issue; it affects individuals and, even more so, businesses.
The start-up ecosystem in India has boomed over the last few years as increased digital adoption has made more businesses data driven. Personal data now sits at the centre of most start-up processes: onboarding users through mobile applications, processing payments, managing personnel and analysing customer behaviour patterns. This growth has brought privacy risks, misuse of data and regulatory scrutiny with it. In response, data protection legislation has been enacted all over the world.
The Indian Context
India’s response to this development is the Digital Personal Data Protection Act, 2023 (DPDP Act). It is a general data protection law that applies to all businesses regardless of their size. The Act extends to any Indian firm, including start-ups, and to any foreign firm offering goods or services to individuals in India. Notably, the DPDP Act applies both to data collected online and to offline data that is subsequently digitised. When dealing with founders, we have seen a common misconception that data protection legislation in countries such as India does not apply to small businesses. This is categorically false.
What is Personal Data?
Under the DPDP Act, any information that can directly or indirectly identify a person is personal data. This includes names, email addresses, phone numbers, IP addresses, location information, employee details and KYC information. Understanding this definition helps start-ups see that data privacy compliance, which is the raison d'être of the DPDP Act, is not confined to a single system or policy; it touches many dimensions of business activity.
Key Roles Under DPDP
The DPDP Act defines roles that establish accountability for the processing of personal data.
Data Principal
A data principal is the person whose personal data is being handled. Data principals include customers, users, employees, contractors and occasionally vendors.
Data Fiduciary
The data fiduciary is the party that determines the purpose and means of processing personal data. In practice, the data fiduciary is usually the start-up itself, even when third-party services such as a cloud provider, payroll service or CRM tool are used. As data fiduciary, the start-up carries the primary responsibility for compliance, security and user rights.
Significant Data Fiduciary
The significant data fiduciary designation is based on the volume of data handled, the sensitivity of that data, or the risk to individuals. Significant data fiduciaries face additional compliance requirements, such as appointing a Data Protection Officer (DPO) and undergoing data audits. Although most start-ups will not fall into this category initially, high-growth ventures need to monitor whether they are approaching the threshold.
Data Protection Officer (DPO)
A Data Protection Officer is a role the DPDP Act mandates for Significant Data Fiduciaries. The DPO oversees compliance with data protection requirements, advises the organisation on the lawful processing of personal data, and reviews internal policies and security measures. The DPO is also the point of contact for data principals' complaints and rights-related requests, and for regulatory matters.
DPDP Compliance Requirements
The DPDP Act is designed to be simple and easy to understand. The following are the key concepts businesses should grasp to ensure compliance:
Legal Purpose and Consent
Start-ups may collect personal data only for clear, lawful purposes. The user's consent must be free, informed, specific and unambiguous. Most importantly, users must be able to withdraw consent as easily as they gave it.
Notice Obligation
Under the Act, start-ups must notify users of what data is collected, the purpose of collection, how long it is retained, and the rights users have.
Minimization of Data
The law requires that start-ups collect only the data they actually need and do not retain it indefinitely.
Reasonable Security Safeguards
Note the emphasis on the word ‘reasonable’. The Indian privacy law is not overly prescriptive: it does not mandate specific technical controls. What counts as reasonable security depends on the start-up's scale and the data it handles, which gives flexibility in how safeguards are implemented.
Breaches and Requests
Under the Act, start-ups must be ready to handle a data breach, respond to requests from data principals, and delete personal data once the purpose for which it was collected has been fulfilled.
Where to Begin?
The new data privacy law can be a daunting prospect. If you are not sure where to begin, we advise starting with a lightweight data audit of what your start-up collects and where it is stored. Mapping how data flows through internal systems and third-party tools helps uncover both responsibilities and risk exposure. The second step is to identify high-risk processing activities such as payments, health data and KYC, so that privacy measures can be focused on the areas that matter most. Keeping simple internal records, even in a spreadsheet, demonstrates good-faith compliance and prepares start-ups to engage with regulators in the future.
Preparing for the Future
Data privacy compliance requirements will change as a start-up grows. A rise in user numbers, entry into newly regulated domains, or international operations may create new obligations under the current DPDP regulations 2025, or may lead to classification as a significant data fiduciary. Companies that build resilience by reviewing data practices regularly, improving security incrementally, and following the international privacy standards that apply to them can avoid a costly overhaul later. Privacy frameworks should be built in from the start so that compliance becomes part of the business DNA rather than a disruptive afterthought.
Conclusion
Compliance with the DPDP Act should not be seen as a hindrance to innovation. Rather, it is an opportunity for start-ups to build trust, credibility and long-term resilience. People are increasingly aware of how their data is handled, and privacy-oriented companies are better placed to win and retain their trust. When India's data privacy regulations are treated as business enablers, start-ups can grow responsibly without falling foul of evolving data protection law.
Why Choose InCorp Global?
Companies navigating the Digital Personal Data Protection Act, 2023 need more than generic legal advice; they need a partner that knows how to operationalise compliance. InCorp helps organisations build proportionate, cost-effective compliance programmes suited to their stage, industry and risk profile, rather than offering one-size-fits-all solutions. By integrating DPDP compliance with existing corporate, tax and governance structures, we turn privacy into a corporate asset rather than a regulatory liability. To learn more about our services, contact us at info@incorpadvisory.in or call (+91) 77380 66622 to discuss your data privacy compliance requirements.
Authored by:
George Sunny | Cybersecurity
FAQs
Yes. The company retains its data fiduciary obligations even when third-party vendors, such as cloud services, payroll systems, CRMs and marketing applications, process the data on its behalf. The company must ensure that vendors maintain proper data protection and security practices by enforcing contractual and operational guarantees.
No. The Act allows the transfer of personal data across borders to any country that the Indian government has not restricted. Companies should monitor government notifications on restricted jurisdictions and apply appropriate safeguards to any data transfer outside India.
Not without a relevant legal basis. Data collected for a specific purpose cannot automatically be repurposed. In most cases, fresh consent from the data principals is required before the data can be used for a different purpose.