Data Privacy in India: From Legal Requirements to Practical Compliance Guidance - Part 2

  • Writer: Ekta Jhaveri
  • Jul 17

IP & Technology Series


Series 1 | Article 4


If you collect or handle Personal Information, Sensitive Personal Data or Information, Personal Data or Digital Personal Data (the “Personal Data”), understanding your legal obligations is just the beginning; the real challenge lies in how you meet them.


This article offers a practical guide to help you fulfil your obligations under the data protection laws[1]. Additionally, it highlights select measures proposed under the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”)[2].


[Image: A lock symbolising protection of data flowing to the cloud]

Performance of Obligations under the Data Protection Laws


I. Determine the Purpose & Necessity of Data Collection

  1. You can start by:


    1. Listing the goods or services you will provide.

    2. Identifying the Personal Data you may require and collect from registered as well as unregistered users to provide the goods or services.

    3. Setting out the specific purpose and necessity for collecting such Personal Data.

    4. Identifying the data processing activities you will undertake.

    5. Identifying the internal teams or third-parties with whom you will share such Personal Data.


  2. The purpose for collecting and processing Personal Data must be specific, lawful, and necessary. This information forms the basis of your consent notice and the data privacy policy.


Illustration: A digital platform offering food delivery services will need the name, phone number, email address, and address of the user for the purpose of account creation, order placement, delivery, communications, real-time tracking, and promotions. The platform processes this data by collecting, storing, using, and sharing it. The platform shares this data with its internal team, delivery partners, and sometimes with third parties like service providers and advertisers.


II. Establish a Consent Mechanism

  1. Before collecting or processing any Personal Data, you must obtain valid consent that is free, specific, informed, unconditional, and unambiguous. You must prepare and display a consent notice on the landing page or at the point of data collection on your platform. This notice must be in clear and plain language and should include:

    1. An itemised description of the data including Personal Data you intend to collect and process, and the purpose for which the data will be processed.


    2. The manner in which a user can exercise their rights and a communication link to exercise user rights.


    3. A link to your privacy policy.


    4. The manner in which users may lodge complaints with the Data Protection Board (post-enforcement of the DPDP Act).

  2. You must ensure that the consent notice is available in English or any of the official languages of India. You may enable translation tools on your platform to help users access the content in their preferred language.

  3. If you process Personal Data of children, you must obtain verifiable consent from their parent or lawful guardian. The Draft DPDP Rules also propose that platform owners exercise diligence to verify whether the consenting individual is an adult and is the child's parent or lawful guardian.


  4. Consent should be recorded through affirmative action, for example, ticking a checkbox, clicking an “I Agree” button, or proceeding after reviewing a clearly worded prompt or statement. This notice can appear as a banner, pop-up, or part of a step in the sign-up process, and should direct the user to read, understand, and accept your privacy policy.


  5. Once the DPDP Act is in force, you must also notify existing users who had previously provided consent, clearly stating the nature and purpose of continued processing. This should be done as soon as reasonably practicable through an email, in-app notice, or any other method.


Illustration: A food delivery platform may display a consent notice during sign-up detailing the data it will collect (e.g., name, contact details, address) and the purposes (e.g., account creation, delivery, customer support, marketing, and promotional offers). The platform must direct its users to read, understand, and accept the privacy policy and require the users to tick a checkbox or click "I Agree" to proceed. This constitutes valid consent with affirmative action.


III. Principles to Follow While Processing Data

It's advisable to adopt the following legal principles while processing Personal Data:


  1. Purpose Limitation: Process Personal Data only for the specific, lawful purposes that were clearly communicated to the user at the time of collection, and for which valid consent has been obtained. Avoid repurposing the data for unrelated activities unless new consent is secured.


  2. Data Minimisation: Collect only that data which is necessary to fulfil the stated purpose. Avoid requesting or storing excessive or irrelevant information.


  3. Appointment of Data Processors: If you share Personal Data with third-party vendors, service providers, or processors, ensure this is done under a valid, and binding contract. The contract must clearly specify the purpose of processing, confidentiality terms, data protection obligations, and ensure the processor’s compliance with applicable laws.


  4. Data Accuracy & Integrity: Implement reasonable measures to ensure that Personal Data collected and processed is complete, accurate, and consistent with its intended use. This includes validating data inputs at each stage, enabling users to update their own data, regularly reviewing stored data for correctness, and detecting and resolving inconsistencies across systems through internal protocols.


  5. Data Retention Limits: Do not retain Personal Data indefinitely. Once the purpose of collection is fulfilled or the user withdraws consent, delete the data in a secure manner, unless required to be retained for any regulatory compliance. The Draft DPDP Rules propose specific retention periods, for example, e-commerce platforms may be required to delete user data after 3 years from the user’s last activity.


Illustration: An ed-tech platform that offers online courses may collect a student’s name, contact details, qualifications, and learning preferences at sign-up to create an account, check eligibility, suggest relevant courses, and provide access to learning material and support. The platform must: (1) use this data strictly for course delivery and student support and not for unrelated marketing or for any purpose beyond which consent has been given; (2) avoid collecting unnecessary data such as government-issued ID or home address unless required for certification or verification; (3) ensure that third-party service providers, like third party support partners, process data only under a contract; (4) implement reasonable measures to maintain the accuracy and integrity of student data by validating inputs at registration, allowing students to update their information, and regularly reviewing stored data for consistency; and (5) delete student data once the account is deactivated or inactive beyond a prescribed period, unless you are required to retain it for legal purposes.


IV. Implement Security Practices & Procedures 

You must implement reasonable security practices, procedures, and standards to safeguard users’ Personal Data and maintain documented security policies. These measures may include:


  1. Data Protection Techniques: Use encryption, obfuscation, masking, or tokenisation of Personal Data to prevent unauthorised access.


  2. Access Controls & Logs: Restrict data access to authorised personnel, implement access control systems for user devices and servers, maintain logs of access to Personal Data, and perform regular data backups.


  3. Monitoring & Breach Prevention: Use firewalls, intrusion detection systems, and routine security audits to monitor data systems and detect vulnerabilities or breaches.


  4. Monitor Third-Party Processors: Where Personal Data is processed by third parties, conduct security audits to ensure they meet contractual and compliance obligations.


The International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” is one of the security standards recommended under the applicable data protection laws.


V. Establish Technical & Organisational Measures 

In addition to implementing security protocols, you must adopt internal technical and organisational measures that embed privacy into day-to-day operations and demonstrate ongoing compliance with data protection laws. These may include:


  1. Internal Compliance & Standard Operating Procedures (SOPs):

    1. Create SOPs for compliance with data protection laws, your privacy policy, and internal practices.

    2. Review and update SOPs periodically to address regulatory changes and fill operational gaps.

    3. Establish a cross-functional internal compliance team. Assign data protection responsibilities across departments to ensure coordinated implementation.

  2. Data Inventory & Mapping: 


    1. Maintain a detailed and up-to-date record of all Personal Data collected and processed by your organisation. This record should include:

      • The type and description of each category of Personal Data collected;

      • The specific purpose for which each category of data is collected;

      • The source and method of collection (e.g., through a registration form or in-app submission);

      • Information related to user consent, including the identity of the consenting individual, the method and time of consent, and its period of validity;

      • The identity of individuals or entities (internal or external) who store, access, or process the data; and

      • The storage location of the data, such as internal servers, cloud platforms, or third-party systems.


    2. Map the flow of Personal Data across your organisation, from the point of collection to storage, usage, sharing, and deletion. This can be done using process flowcharts or spreadsheets.


    Illustration: A diagnostic laboratory may collect patient information, including name, age, contact details, symptoms, and doctor’s referral information, through its online appointment booking system. Once submitted, the front-desk or admin team accesses it for coordinating appointments. The information is then passed on to lab technicians and doctors. After conducting the tests, the laboratory generates reports, which are stored in an internal database and shared with patients via a secure patient portal. Invoices are issued through a third-party billing tool, and patient feedback is collected through a marketing automation platform. By mapping this flow of data, the laboratory can clearly visualise how and when data is collected, who accesses it at each stage, where it is stored, and with whom it is shared. This helps in identifying potential vulnerabilities, fixing compliance gaps, and ensuring better governance over sensitive personal data.

  3. Incident Reporting & Breach Management: 

    Develop SOPs for:


    1. Identification and escalation of data incidents internally.


    2. Assessment, containment, and resolution steps for data breaches.


    3. Notifying affected users and, if applicable, regulatory authorities like the Data Protection Board, in accordance with the applicable laws.


    4. Timelines and responsible personnel for each stage of incident response.


  4. Training & Awareness: 


    1. Conduct periodic privacy and data protection training for all staff handling Personal Data.


    2. Focus on educating teams about safe data handling practices, identifying red flags, and reporting breaches or suspicious activity.

  5. Periodic Reviews, Audits, & Risk Assessments: 


    1. Conduct internal audits and risk assessments to evaluate the effectiveness of your technical and organisational measures.


    2. Engage auditors, if necessary.


    3. Use findings to update your SOPs, improve safeguards, and close compliance gaps.

  6. Maintain Compliance Records:

    To demonstrate compliance with data protection laws, maintain records, including:


    1. Processing activity logs.

    2. Consent tracking logs.


    3. Security measures implemented.


    4. Data breach incident reports and response logs.

    5. Results from audits and corrective actions taken.


    6. User rights exercise requests and status of such requests.


These technical and organisational measures will help build a culture of privacy compliance across the organisation and act as demonstrable evidence in the event of a regulatory inquiry or investigation.
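As an added worked example (not code from the original article or from the firm), the consent-record part of the data inventory described in V.2 above, with the purpose-limitation (III.1) and retention-limit (III.5) checks applied to it. The class and field names, the purpose strings, the constructed sample user, and the 3 × 365-day retention window are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Indicative retention period from the Draft DPDP Rules (3 years from the user's
# last activity, e-commerce); the 365-day year is this example's assumption.
RETENTION_AFTER_LAST_ACTIVITY = timedelta(days=3 * 365)

@dataclass
class ConsentRecord:
    """Consent details the inventory should hold: identity, method, time, validity."""
    user_id: str
    purposes: FrozenSet[str]                # purposes itemised in the consent notice
    method: str                             # e.g. "checkbox" or "i_agree_button"
    given_at: datetime
    valid_until: Optional[datetime] = None  # None: no fixed validity period
    withdrawn_at: Optional[datetime] = None

class ConsentRegister:
    def __init__(self) -> None:
        self.consents: Dict[str, ConsentRecord] = {}
        self.last_activity: Dict[str, datetime] = {}
    def register(self, c: ConsentRecord) -> None:
        self.consents[c.user_id] = c
        self.last_activity[c.user_id] = c.given_at
    def record_activity(self, user_id: str, at: datetime) -> None:
        self.last_activity[user_id] = at   # e.g. an order placed; resets the retention clock
    def withdraw(self, user_id: str, at: datetime) -> None:
        self.consents[user_id].withdrawn_at = at

    def may_process(self, user_id: str, purpose: str, at: datetime) -> bool:
        """Purpose limitation: only a consented purpose, under consent still in force."""
        c = self.consents.get(user_id)
        if c is None or c.withdrawn_at is not None:
            return False
        if c.valid_until is not None and at > c.valid_until:
            return False
        return purpose in c.purposes

    def due_for_deletion(self, at: datetime) -> List[str]:
        """Retention limit: consent withdrawn, or inactive beyond the window."""
        due = [uid for uid, last in self.last_activity.items()
               if self.consents[uid].withdrawn_at is not None
               or at - last > RETENTION_AFTER_LAST_ACTIVITY]
        return sorted(due)

def run_demo() -> dict:
    """Constructed sample: a food-delivery user consenting to two purposes at sign-up."""
    reg = ConsentRegister()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg.register(ConsentRecord("u1", frozenset({"account_creation", "delivery"}),
                               "checkbox", t0))
    out = {
        "delivery_ok": reg.may_process("u1", "delivery", t0),            # True
        "marketing_ok": reg.may_process("u1", "marketing", t0),          # False: not consented
        "due_day_100": reg.due_for_deletion(t0 + timedelta(days=100)),  # []
        "due_after_3y": reg.due_for_deletion(t0 + timedelta(days=3 * 365 + 1)),  # ["u1"]
    }
    reg.record_activity("u1", t0 + timedelta(days=3 * 365))  # activity resets the clock
    out["due_after_activity"] = reg.due_for_deletion(t0 + timedelta(days=3 * 365 + 1))  # []
    reg.withdraw("u1", t0 + timedelta(days=3 * 365 + 2))
    out["after_withdrawal_ok"] = reg.may_process("u1", "delivery", t0 + timedelta(days=3 * 365 + 3))  # False
    out["due_after_withdrawal"] = reg.due_for_deletion(t0 + timedelta(days=3 * 365 + 3))  # ["u1"]
    return out
```

A real deployment would persist the register and feed `due_for_deletion` into a scheduled, logged deletion job so that the compliance records in V.6 show when and why each record was erased.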


VI. Establish Grievance Redressal Mechanisms

  1. You must designate a Grievance Officer or Data Protection Officer to address user grievances.

  2. Formulate and adopt a grievance redressal process that is:

    1. Clear, with step-by-step procedures for submitting and escalating complaints;


    2. Accessible through your website, app, or platform in a user-friendly format;


    3. Time-bound, with internal protocols to ensure all requests are acknowledged, verified, responded to, and resolved within the legally prescribed timelines.

  3. The contact details of the Grievance Officer or Data Protection Officer and the process for lodging complaints must be specified in your privacy policy.


VII. Establish Users’ Rights Mechanisms 

  1. You must establish a mechanism that enables users to exercise their legal rights under data protection laws, including the right to access, the right to correction and erasure, the right to grievance redressal, and the right to nominate.


  2. Your users’ rights mechanism must be:


    1. Clear, with step-by-step procedures for submitting requests;


    2. Time-bound, with internal protocols to ensure all requests are acknowledged, verified, responded to, and resolved within the legally prescribed timelines.


  3. You may set up a dedicated communication channel to facilitate such requests. This may include: an in-app form or dashboard section, a designated email address, or a help-desk or customer portal.


  4. Explain the process for exercising users’ rights in your privacy policy.


VIII. Prepare & Publish a Privacy Policy 

You must draft and publish a comprehensive and accessible privacy policy that clearly explains how you collect, use, store, protect, and share users’ Personal Data. This is a key requirement under data protection laws.


  1. You must cover the following:


    1. nature of Personal Data collected from users;


    2. purpose and manner of usage of the Personal Data;


    3. methods and location of storing, processing, and protecting Personal Data;


    4. details of persons, including, third parties or service providers with whom personal data may be shared;


    5. security measures implemented to safeguard data;


    6. grievance redressal mechanisms and other user rights exercising mechanisms; and


    7. other measures implemented by you.


  2. If your platform uses cookies or similar tracking technologies, your privacy policy must include a cookie policy, which should:


    1. seek explicit user consent before placing non-essential cookies;


    2. specify the purpose, types of cookies used (e.g., essential, functional, analytics, or third-party), and type of data collected; and


    3. provide a clear opt-out mechanism for users to manage or disable cookies.


  3. The privacy policy and cookie policy must be written in clear and plain language, easily accessible, prominently displayed, and regularly updated to reflect any changes in legal requirements or data processing practices.


IX. Additional Obligations for Significant Data Fiduciaries[3]

If your platform is classified as a Significant Data Fiduciary under the applicable data protection laws, you must comply with the following enhanced obligations:


  1. You must appoint a Data Protection Officer based in India, who must act as the primary point of contact for grievance redressal and compliance.


  2. You must conduct a Data Protection Impact Assessment.


  3. You must appoint an Independent Data Auditor to assess your compliance with the provisions of the DPDP Act.


  4. You must conduct periodic Data Audits to evaluate your data protection policies, security practices, and compliance efforts.


Conclusion


Building a privacy-compliant internal framework isn’t a one-time exercise; it’s an ongoing responsibility. The evolving data protection landscape in India calls for more than legal awareness; it demands practical, self-aware, responsible and well-documented internal systems that reflect your accountability and respect for user rights.


While the implementation of the DPDP Act and its accompanying rules is still pending, taking proactive steps now will help your business stay ahead of the compliance curve, avoid disruptions, and build long-term user trust. Start small if needed: map your data, review your privacy policy, and begin building a consent mechanism. Privacy compliance is no longer optional.


You may get in touch with us if you would like specialised and customised legal advice on the processing of data by your organisation, a legal audit of your existing data protection policies or advice on compliance with the Data Protection Laws. 


Disclaimer: This article outlines suggested best practices and is not tailored to your specific business/organisation. Since each business/organisation has unique data practices, compliance requirements may vary.  If you collect or process personal data, consult a lawyer to assess your situation and ensure compliance with applicable laws.


About the Author

Ekta Jhaveri has been with MZD Legal Consultancy and practicing law since 2016. Ekta is a part of the Transaction Advisory; Technology; Media Disputes; and General Corporate teams at MZD Legal Consultancy. She can be contacted at ekta@mzdlegal.in


About MZD Legal Consultancy

MZD Legal Consultancy is a boutique law firm in Mumbai, India. The firm was established in 2011 and comprises professionally qualified lawyers with varied levels of experience and expertise in specific practice areas. To know more, click here www.mzdlegal.in

  [1] Data protection laws include: (1) The Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Sensitive Personal Data Rules”) prescribed under the Information Technology Act, 2000 (the “Information Technology Act”); and (2) the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), as applicable.

  [2] The Draft DPDP Rules and the representations received during the public consultation are currently under review by the Government. Accordingly, any suggestions in this article that are based on the Draft DPDP Rules are purely indicative and not mandatory. These are subject to change upon final publication, notification, and enforcement of the rules. You may choose to adopt the proposed measures based on the nature of your business, operational feasibility, and the type of data processing activities you undertake.

  [3] Classification as a Significant Data Fiduciary is based on factors such as volume and sensitivity of data processed, risk of harm to users, or impact on electoral democracy, public order, and state security. Formal notifications will be issued by the Central Government to this effect.

© 2025 by MZD Legal Consultancy. 