DPOs in demand: DPDP draft rules push Meta, Kotak, GMR to seek Data Protection Officers

The release of draft Digital Personal Data Protection rules in January ’25 has spurred companies to intensify compliance audits to enhance data protection measures and onboard Data Protection Officers in many cases.

By Akanksha Nagar | February 3, 2025, 8:54 am
Heightened regulatory expectations (after the release of draft DPDPA rules) are driving organisations across various sectors to proactively strengthen their data protection frameworks.

The release of draft Digital Personal Data Protection (DPDP) rules on January 3, 2025 has prompted major companies in India to intensify compliance audits to enhance data protection measures and onboard Data Protection Officers (DPOs) to oversee sensitive personal data and ensure compliance with data protection regulations. Additionally, companies in large numbers have started reaching out to consultancy and law firms to achieve compliance with the Act and its rules.

The likes of Meta, Kotak Mahindra Bank, GMR Group, and Cars24 are on the lookout to hire DPOs to strengthen their respective privacy frameworks, Storyboard18 has learnt.

Under the DPDP Act, the appointment of a DPO is required for a ‘data fiduciary’, which refers to any primary private or government entity that collects an individual’s personal data and decides how that personal data will be stored, processed, shared, etc. Thus, if you’re setting up an account on an app, then the app provider is the data fiduciary. Or, if you are purchasing something off a website and share your card details for the transaction, then the website collecting the card details is the data fiduciary.

While the Act does not explicitly mandate all data fiduciaries to appoint a DPO, companies processing large amounts of personal data (significant data fiduciary, or ‘SDF’) must appoint a DPO.

Meta, considered an SDF, is looking for a Director in India to join its Product Compliance and Product team as India’s local DPO, reporting to the Global Data Protection Officer.

“We are looking for someone to provide strategic guidance to ensure we’re complying with India’s new privacy regulation. DPO will engage with India’s Data Protection Board/Ministry of Electronics and IT (MeitY), which will bring insight into how Meta should be responding to the regulator’s expectations,” the company said in a job posting.

Kotak Mahindra Bank is on the lookout for a Data Privacy Manager (DPM), who will report to the Bank’s Data Protection Officer and will ensure that the practices in the Bank comply with the DPDP Act. Additionally, the DPM should be able to handle internal and external audits related to data privacy independently.

GMR Group is seeking a DPO that effectively represents the company in front of regulators, audit agencies, government sectoral and nodal cybersecurity and investigative agencies.

Meanwhile, Cars24, one of the leading players in the automotive and financial services sectors, is planning to onboard a DPO to ensure compliance across all departments, particularly in data collection, processing, and storage.

Consulting firms, including Tsaaro Consulting and EY, are also looking to hire DPOs for their various clients.

Jasprit Singh, partner, Grant Thornton Bharat, tells Storyboard18 that post the release of the DPDP Act and its rules, a majority of its clients have reached out to the advisory firm regarding how to achieve compliance with the Act.

“We are advising clients to conduct a quick gap assessment/internal audit to understand their current privacy landscape followed by updating their privacy documentation such as privacy notices, policies/procedures, templates, cross-border transfer clauses etc.

While some organisations have already onboarded a DPO, others are reaching out to us to evaluate the best solutions. We are helping our clients with DPO-as-a-service and advising them on the competencies in identifying the right DPO for their organisation,” he adds.

However, some firms and consultancies are still awaiting clarifications on which companies will fall under SDF, and on the roles, responsibilities and appointment of the DPO.


Growing Pro Technologies, an IT firm, has taken proactive steps to ensure that data practices align with the evolving regulations, particularly following the release of the DPDPA draft rules. Among several other types of audits, it has conducted a Data Flow and Processing Audit, a Security and Compliance Audit, and a Third-Party and Vendor Risk Assessment to review the data-sharing policies and practices with its external partners and vendors to ensure there are no gaps in compliance. Accordingly, it is also revising its privacy policies.

“While the role of a DPO is becoming increasingly critical in overseeing data protection strategies, managing risks, and ensuring that an organisation is fully aligned with legal requirements, we have not currently appointed a dedicated full-time DPO. Instead, we have distributed compliance responsibilities across our internal teams, including legal and IT departments.

However, as our data governance needs evolve, we are actively evaluating the necessity of appointing a full-time DPO to further strengthen our data protection framework and ensure we remain ahead of regulatory changes,” its co-founder and director, Abhishek Narayan explains.

Growing Concerns Amid Heightened Regulatory Compliance

Heightened regulatory expectations are driving organisations across various sectors to proactively strengthen their data protection frameworks.

A recent study by the Advertising Standards Council of India (ASCI) found that only 6% of Indian websites are ready to comply with the Act’s cookie processing requirements, showing how online marketing could be impacted by the framework.

So, while businesses are preliminarily assessing the suitability of their data practices with the requirements under the Act and the draft rules, another consideration has to be how to suitably obtain consent without experiencing friction and user drop, points out Sidharth Deb, associate director-Public Policy, TQH Consulting.

The challenge is heightened by the fact that 38% of Indian households are estimated to be digitally literate. These complexities could increase for under-18 users and persons with disabilities, he remarks.

Separately, businesses should study how the draft rules and the Act impact their ability to use algorithmic software or train AI models using public data.
