DPDP Act rules leave companies racing to fix fragmented data, consent gaps

Barely a month after DPDP Act rules were notified, companies are weighing compliance hurdles as experts flag grey areas and costs of implementation

Aashish Aryan New Delhi
Last Updated : Dec 17 2025 | 6:52 PM IST
Barely over a month since administrative rules under the Digital Personal Data Protection (DPDP) Act were notified, a number of industry players are in a bind about the possible challenges in compliance.
 
What do the DPDP rules mean for legacy data collection and storage? 
The administrative rules under the Digital Personal Data Protection Act may require companies to rationalise the collection and management of data they have collected over the years, since most of it is stored in fragmented formats, experts say.
 
Companies will also have to address concerns about the consent architecture, legitimate use provisions, and the readiness of their legacy information technology systems during the implementation of the DPDP Act rules.
 
The administrative rules under the DPDP Act, notified in November this year, give companies up to 18 months for implementation.
 
“Most businesses have customer data sitting in 20 different places — apps, spreadsheets, old databases — and nobody knows exactly what's where. Companies are scrambling to fix decades of messy data practices in just months. It's like being asked to organise a warehouse while customers are still shopping in it,” said Shashank Karincheti, co-founder and chief product officer at Redacto.
 
How will fresh consent requirements affect internet and social media platforms? 
The DPDP Act’s rules mandate all internet and social media intermediaries that deal in any kind of user data to seek fresh consent, specifying the purposes for which the consent is sought. Apart from this, the new rules also require that consent be sought for each dataset separately.
 
What legal and implementation risks are companies likely to face? 
Other key implementation and legal challenges that companies are likely to face include ambiguity around specific consent and legitimate use provisions, readiness of legacy IT systems, and the absence of detailed subordinate rules and enforcement guidelines, pointed out Aurelia Menezes, partner at law firm King Stubb & Kasiva.
 
“Cross-border data transfers, compliance costs for MSMEs, and the requirement to establish robust grievance redressal and breach reporting mechanisms further add to the complexity. Until regulatory clarity emerges through rules, FAQs and early enforcement actions, companies are likely to face interpretational risks and increased compliance uncertainty,” Menezes said.
 
What approach should the Data Protection Board take on enforcement? 
The Data Protection Board, which has been set up as a regulatory body to oversee the implementation of the DPDP Act, should adopt a “calibrated, risk-based approach consistent with global best practices and standards”, the Cellular Operators Association of India, a representative body for telecom service providers, said.
 
“Further, given the multiplicity of incident-reporting obligations under the IT Act, CERT-In directions, DoT guidelines and now the DPDP framework, harmonised timelines and aligned procedures are required to help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes,” it said.
 
How could DPDP rules complicate AI model training using public data? 
Implementation challenges could further compound for companies using publicly available data to train their artificial intelligence (AI) and large language models, said Jaspreet Bindra, co-founder, AI & Beyond.
 
“For AI companies in particular, questions around lawful grounds for using publicly available data, legacy datasets, and model training workflows remain grey areas. Compliance today requires re-engineering data pipelines, not just updating privacy policies, and that transition is proving complex, time-consuming and resource-intensive,” Bindra said.
 
What are the concerns around cross-border transfer compliance and enforcement? 
The government is also likely to face a compliance challenge, as some companies may circumvent cross-border transfer rules by sending data outside India while showing that the dataset has been stored in India and deleted as per the authorities’ request, an executive at a tech service provider said.
 
“In the engineering world, if you don’t want to link two things, you can easily create a mapping and show that the data has been deleted, but it remains stored elsewhere,” this executive, who declined to be identified, said.
 
Rajarshi Dasgupta, executive director (tax and data privacy) at Aquilaw, also warns that the rules have several gaps and remain open to interpretation.
 
"Under the DPDPA, cross-border transfers of personal data are permitted unless explicitly prohibited by the government through a ‘negative list’ of jurisdictions (which could be prescribed by the government in the future). Further, the draft DPDP Rules do not define a clear policy framework for the countries which could be designated under the ‘negative list’. Consequently, businesses will remain uncertain about future government decisions, necessitating careful risk assessments and contingency plans for cross-border data flows," Dasgupta said.
