Data Privacy in India: From Legal Requirements to Practical Compliance Guidance - Part 1
- Ekta Jhaveri
- Jul 10
- 6 min read
IP & Technology Series
Series 1 | Article 3
India’s new data protection law is here, well, almost. In August 2023, the Indian Parliament passed the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), marking a major step towards comprehensive data privacy regulation. Although the DPDP Act has been passed, it is yet to be implemented. Until the DPDP Act is notified and enforced, digital platforms, businesses, and anyone handling personal data must continue to comply with the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Sensitive Personal Data Rules”) prescribed under the Information Technology Act, 2000 (the “Information Technology Act”).
Given the evolving legal framework, it is essential for anyone who collects or processes personal data to begin preparing now. The time to build a privacy-compliant foundation is before the DPDP Act takes effect.
In this two-part article, I will walk you through the legal obligations under India’s current and upcoming data protection laws, and outline practical steps to help you prepare. Whether you run a digital platform, offer online services, or simply store employee or customer data, this guide will help you understand your legal obligations and adopt practices that align with both existing and future data protection laws in India.

Step 1: Determine if the data protection laws apply to you.
The Information Technology Act and the Sensitive Personal Data Rules apply if you are a body corporate[1], or a person who, on behalf of a body corporate, collects, receives, possesses, stores, deals with, or handles personal information of a natural person[2].
The DPDP Act will apply if you are a person who:
processes digital personal data within India, whether originally collected in digital or non-digital form (if subsequently digitised), or
processes digital personal data outside India in connection with offering goods or services to individuals in India.
If you collect and process such data, you will be classified as a “Data Fiduciary”[3] under the DPDP Act, and the individual whose data is being processed will be referred to as the “Data Principal”[4].
The DPDP Act does not apply if:
you are processing the digital personal data for any personal or domestic purpose, or
the digital personal data has been made public by the Data Principal or disclosed under any regulatory requirement.
Illustration: A social media platform that collects and processes data to allow users in India to create profiles, post content, and interact with others, will fall within the scope of both the current and the upcoming data protection laws. Likewise, a supermarket chain that collects customers’ names, phone numbers, and purchase history for a loyalty program or stores employee records digitally, even if it doesn’t operate online, will be governed by these laws.
Step 2: Identify the nature of the data that you collect, store, hold, and process.
If the information you collect is in relation to a natural person, which is capable of identifying such a person, it is defined as “Personal information” under the Sensitive Personal Data Rules.
If the Personal information you collect consists of information relating to passwords, financial information, physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information; it is defined as “sensitive personal data or information” under the Sensitive Personal Data Rules.
If the data you collect is about an individual who is identifiable by or in relation to such data, it is defined as “personal data” under the DPDP Act.
If the personal data is collected in digital form, it is defined as “digital personal data”, under the DPDP Act.
Illustration: A hospital collects a patient’s name, contact details, medical history, diagnostic results, and biometric data for treatment. The patient’s name and contact details will be the patient’s personal information or personal data, and their medical history, diagnostic results, and biometric data will be sensitive personal data or information. If this data is stored or processed digitally through an online patient portal or electronic health record (EHR) system, it becomes digital personal data.
Step 3: Understand what activities are considered “processing” of data/information.
The Information Technology Act and the Sensitive Personal Data Rules do not explicitly define the term ‘processing’. However, based on the language used under the relevant provisions, if you collect, receive, possess, store, deal, or handle personal data in any manner it will be considered as processing.
In terms of the definition of “processing” under the DPDP Act, if you collect, record, organise, structure, store, adapt, retrieve, use, align or combine, index, share, disclose by transmission, disseminate or otherwise make available, restrict, erase, and/or destroy digital personal data, through a wholly or partly automated operation or set of operations, it will be considered as processing.
Illustration: A financial services provider that collects user KYC documents, verifies the data, stores it on cloud servers, uses it to assess loan eligibility or creditworthiness, and shares select information with credit bureaus or internal analytics teams is performing multiple processing activities, including collection, storage, usage, and disclosure.
Step 4: Understand the obligations under the data protection laws.
Obligations under Information Technology Act & Sensitive Personal Data Rules:
publish a privacy policy,
obtain written consent,
process personal information for lawful purposes and the purposes specified in the consent request,
limit retention of personal information,
implement reasonable security practices, procedures, and standards,
establish a consent withdrawal mechanism,
establish a grievance redressal mechanism and appoint a grievance redressal officer, and
disclose sensitive personal data or information only with express consent.
Additional and broader obligations under the DPDP Act:
provide a consent notice to data principals in English or any other official language,
obtain free, specific, informed, unconditional, and unambiguous consent,
obtain verifiable consent of the parent or guardian (as applicable) to process personal information belonging to children,
process data only for certain legitimate uses[5], including specified purposes[6],
provide an easy consent withdrawal mechanism and erase relevant information,
appoint data processors only under a valid contract,
notify the data principal of any personal data breach,
appoint a data protection officer and publish business contact information of the data protection officer appointed,
avoid tracking/behavioural monitoring and advertising targeted at children,
establish a mechanism to exercise user rights, and
if you are classified as a significant data fiduciary[7], appoint an independent data auditor and undertake periodic data protection impact assessments and periodic audits.
Step 5: Performance of obligations under the data protection laws.
Once you’ve determined that data protection laws apply to you, identified the nature of the data you handle, and understood your legal responsibilities under both the current and upcoming frameworks, the next step is to focus on how to perform these obligations effectively.
In Part 2 of this article, I’ll outline a set of suggested steps that will help you build strong internal processes and data governance systems that support compliance and accountability under India’s evolving data protection landscape.
You may get in touch with us if you would like specialised and customised legal advice on the processing of data by your organisation.
Disclaimer: Since each business/organisation has unique data practices, compliance requirements may vary. If you collect or process personal data, consult a lawyer to assess your situation and ensure compliance with applicable laws.
About the Author
Ekta Jhaveri has been with MZD Legal Consultancy and practicing law since 2016. Ekta is a part of the Transaction Advisory; Technology; Media Disputes; and General Corporate teams at MZD Legal Consultancy. She can be contacted at ekta@mzdlegal.in.
About MZD Legal Consultancy
MZD Legal Consultancy is a boutique law firm in Mumbai, India. The firm was established in 2011 and comprises professionally qualified lawyers with varied levels of experience and expertise in specific practice areas. To know more, visit www.mzdlegal.in.
[1] “Body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, under the Information Technology Act, 2000.
[2] “Natural person” means an individual / human being.
[3] “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, under the DPDP Act.
[4] “Data Principal” means the individual to whom the personal data relates and where such individual is: (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf, under the DPDP Act.
[5] Certain legitimate uses are set out in section 7 of the DPDP Act.
[6] “Specified purpose” means the purpose mentioned in the notice given by the data fiduciary to the data principal, under the DPDP Act.
[7] “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government based on the factors set out in Section 10 of the DPDP Act.