Data Privacy: Unpacking India’s Data Protection Act

Prabhakar Ramakrishnan

When GDPR was first announced, my WhatsApp and LinkedIn groups burst into life with questions and deliberation. While we have always been vigilant with our data, the requirement for compliance with GDPR was significantly greater. This meant a fundamental shift in the approach we had been taking to store and process data.

It has been 5 years since GDPR and the outcome is a systematic, sound, and robust approach to data privacy and protection at TNQTech that I’m truly proud of.

Safeguarding Data and Ensuring Compliance

To begin, we conducted a comprehensive assessment of our data processing activities with a third-party specialist. This exercise helped us tremendously in updating our privacy policies and consent mechanisms, and upgrading our security with encryption, access controls, assessments, and incident report protocols.

TNQTech had the BS10012 certification, and now with it having been phased out, we are working towards the ISO27701 certification for implementing a Privacy Information Management System.

The DPDP Act

India announced its DPDP (Digital Personal Data Protection) Bill in August 2023 compelling companies to protect digital privacy and promote a secure data ecosystem in India. Every conference and webinar I’ve attended in the last couple of months has discussed, dissected, and scrutinised this Act from every possible angle. There is a lot to unpack with every provision and facet of all the laws that companies are now required to comply with.

Discussions at the CISO Platform 2024 conference

We continuously upgrade our systems and processes to adapt to the changing landscape. Fortunately, there is considerable overlap between GDPR, the UK’s Data Protection Act, DPDP, CCPA, and others. Notably, while the GDPR outlines extensive processing grounds and principles, and provides data subjects with specific rights to challenge government data processing in certain situations, the DPDP Act emphasises processing for ‘legitimate purposes’ and grants the government a more pronounced authority over data use.

Given the widespread familiarity with GDPR and its similarities with DPDPA, I thought it would be useful to present the key differences in this infographic. 

Here’s a helpful official checklist from GDPR, and one from DPDPA for an in-depth analysis of the Act. 

In the publishing industry within which we work and particularly for publishers, processing data carefully is of utmost importance. At TNQTech, the content that we handle is subject to confidentiality and IP protection regulations that are set by publishers, while processing of all personal information is subject to GDPR, the UK’s Data Protection Act, or other regulations as applicable. With the new DPDPA, our emphasis is on safeguarding TNQTech’s customer data, proprietary information, and employee and supplier data. 

I’m always up for a conversation about what we are doing with our data, and what you should do with yours.