Interview with: Vikram Jeet Singh and Kalindhi Bhatia, partners, BTG Advaya

Leaders League: What does the Digital Personal Data Protection Act (DPDPA) change about the way data is gathered and used in India?

Vikram Jeet Singh: The DPDPA introduces, for the first time ever in India, a common data-protection framework that applies across industries while operating alongside existing sectoral privacy regulations. It pushes organizations toward privacy-by-design, emphasizing transparency of purpose, data-collection limits and stronger accountability, while empowering those overseeing each sector. It makes provision for significant financial deterrents (up to $27 million in penalties in some cases) and enforceable individual rights.

The biggest immediate impact is on consent management, which now requires clearer opt-in mechanisms, withdrawal tools and updated privacy notices. Compliance also involves mapping data flows, updating retention and deletion practices and strengthening security controls. General counsel familiar with the GDPR will know that implementing these changes, however, takes time, coordination and funding, making early preparation a priority. 

Beyond compliance costs, what has been the operational impact for businesses as regards things like data collection, international transfers and contracts? Kalindhi Bhatia: Unlike the GDPR, which recognizes multiple lawful bases, the DPDPA adopts consent as the default basis and restricts collection to data necessary for declared purposes. This is a big change for DPR systems designed to function on legitimate-interest grounds. Businesses must redesign interfaces to obtain explicit, granular opt-in consent, enable withdrawal, maintain data inventories and issue compliant privacy notices.

Cross-border transfers are broadly permitted, but the government retains powers to impose future restrictions, creating regulatory uncertainty and highlighting the importance of flexible data-strategies and contractual safeguards. Higher compliance thresholds apply to children’s (i.e., under 18’s) data. Organizations should also realign vendor, processor and employment agreements to address roles, security, breach notification, audits and liabilities.

For boards of Fortune 500 companies, what governance should be put in place help ensure success?
V.S: A Fortune 500 board can establish oversight of DPDPA compliance through a designated privacy governance committee with regular reporting and clear risk visibility. Owing to their scale and data-volumes, many such organizations, particularly consumer-facing businesses, may qualify as Significant Data Fiduciaries, necessitating enhanced governance liabilities including periodic data-audits. Executive accountability can be anchored with the data privacy officer, supported by privacy governance committees to monitor compliance, identify upcoming risks and address operational challenges. Governance can also be reinforced through training programs, robust data-access controls, defined breach-response protocols, clear escalation mechanisms and incentives that promote a strong privacy culture.

Ahead of the core compliance obligations related to the DPDPA kicking in next year, what critical steps should be prioritized to transform DP compliance into a competitive advantage?
K.B: A practical starting point is developing a clear, organization wide understanding of personal data flows, including what data is collected, in what volume, where it is stored, who has access to it and how it is used or shared. Creating a Record of Processing Activities (RoPA) for Indian operations can help achieve this visibility. Organizations subject to the GDPR already have a strong foundation and can adapt existing frameworks, while working with local advisors to address India specific requirements. As a priority, outward facing documents such as employment privacy statements, user privacy notices and consent mechanisms may go to the top of any to-do, followed by internal SOPs and training. It is also useful to appoint accountable stakeholders from each business vertical to oversee implementation, as this builds ownership and enables a faster and more confident rollout.

By Pierre Marteel