20 March 2025

Complying With The DPDPA – Privacy By Design As A Guiding Principle

Lawmetrik Impact Solutions Pvt. Ltd.

Contributor

Lawmetrik is a Business-Legal Integrator that helps progressive organizations improve profitability and net worth by uncovering hidden value in legal and commercial operations using a KPI-driven methodology. Lawmetrik has delivered value for its clients through measurable improvements in management of Commercial Contracting, Compliance, IPR, Disputes, and other legal performance areas.

India's Digital Personal Data Protection Act, 2023 (DPDPA / Act) defines rights and responsibilities with respect to the processing and protection of personal data in the digital space. The DPDPA has been analyzed from various perspectives – individual rights versus pragmatism and economic interests, cross-border trade implications, comparisons with personal data protection laws from other jurisdictions, and so on. Despite extensive writing and discussion on the subject, since its inception, the Act has left many stakeholders wondering what exactly this (not-so) new law means for them on the ground. Many stakeholders, especially small businesses and startups, are understandably apprehensive about operationalizing a data protection regime which imposes heavy penalties for non-compliance, while espousing seemingly complex and esoteric legal principles.

One approach to operationalizing the DPDPA lies in understanding and implementing an underlying principle reflected in data protection regulations around the world – Privacy by Design (PbD). Privacy by Design refers to the 'foundational principles' developed by Ann Cavoukian, former Information & Privacy Commissioner, Ontario, Canada.[1] The principles of privacy or data protection by design have influenced data protection legislation in the EU[2] and other jurisdictions, including the DPDPA. To summarize, PbD envisions privacy being embedded in systems, instead of superimposed as an afterthought; it balances stakeholder interests that may otherwise be seen as competing, prioritizes transparency and user-centricity, and is holistic – requiring end-to-end data security.[3] The DPDPA is not the first Indian legislation to incorporate PbD principles; it was preceded by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which also require user-centricity and transparency to be prioritized by digital businesses when dealing with certain (sensitive) categories of personal information. India's legislative framework requires organizations to embed privacy into their systems and processes from the ground up – making PbD not just a compliance necessity but a competitive advantage for businesses looking to build trust, enhance customer loyalty, and stand out in an increasingly privacy-conscious market.

Privacy by Design under the DPDPA

The DPDPA imposes an obligation on data fiduciaries (i.e. entities responsible for determining the purposes and means of data processing) to embed privacy considerations at every stage of system development. For instance, the DPDPA requires user interfaces to be designed such that user consent to personal data collection is a clear affirmative action, and such that data minimisation and ease of navigation by data principals are prioritised.[4] Practically speaking, this means that organizations must create a user-friendly mechanism to obtain consent to data collection, limit data collection to only that which is necessary for the specified purposes, and further, ensure that it is as easy for data principals to submit requests for access, erasure, etc. as it is for them to submit or consent to personal data collection in the first place. The Act also requires significant data fiduciaries (government-notified as 'Significant') to conduct a Data Protection Impact Assessment (DPIA) prior to launching a new data processing activity. (DPIAs serve as processes for identifying and mitigating potential risks to individual privacy, ensuring that the necessary technical and organisational safeguards are embedded into systems from the outset.)

Example: Consider a company that is building a new social media app. To adopt Privacy by Design principles in complying with the DPDPA, this company would (among other measures):

  • Minimization: Collect only personal data (e.g., email or phone number) necessary for the purpose for which consent is given by the data principal.
  • Audits: Conduct audits to assess the impact of company activities / projects on the privacy of individuals – and use the results to inform company practices.
  • Security and Integrity: Encrypt personal data to ensure security in transit and storage; conduct periodic security checks and institute incident reporting protocols; implement systems that maintain data accuracy and prevent unauthorized alterations.
  • Consent and Control: Provide digital platform users with options to choose and manage privacy settings, including opting out of third-party data sharing and making requests for correction or deletion of stored personal data.

Another key advantage of adopting PbD when complying with the DPDPA is that it positions an organization to comply with international regulations as well (for example, the EU General Data Protection Regulation), without having to overhaul its entire approach to data privacy to suit a specific piece of legislation, since the structures are already in place.

Takeaways for Stakeholders

Privacy by Design is both a legal imperative and a strategic advantage – complying with the DPDPA is not about ticking boxes or instituting cursory measures. Reactive compliance, even if it meets minimum regulatory requirements, does not necessarily address systemic flaws / vulnerabilities that may be proactively prevented through PbD.

In summary, organizations are advised to:

  • Embed Privacy from the Outset: Conduct privacy impact assessments early on and ensure that systems (and organizations themselves) are configured with privacy-protective settings by default. Integrate PbD principles throughout all stages of product development and service delivery, ensuring that privacy considerations are embedded within business processes.
  • Avoid Superficial Compliance: Trade post-hoc or token measures for genuine PbD which integrates privacy into system-architecture. Establish robust internal policies, train employees on data protection and privacy, and invest in up-to-date security technologies that align with organizational needs and capacity.
  • Combine Proactive and Reactive Measures: While complying with regulatory reporting requirements, also consider building systems that inherently reduce security / breach risks. Conduct regular internal audits and independent compliance reviews to ensure that practices line up with organizational policies and the law.

Footnotes

1 Ari Ezra Waldman, 'Data Protection by Design? A Critique of Article 25 of the GDPR' (January 25, 2021) [Cornell International Law Journal, Vol. 53, 2021, Northeastern University School of Law Research Paper No. 411-2021] <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3773143#paper-citations-widget> accessed 12 March 2025

2 The European Data Protection Board, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default – Version 2.0' (Adopted on 20 October 2020) <https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf> accessed 12 March 2025

3 Ann Cavoukian, Ph.D., 'Privacy by Design: The 7 Foundational Principles' (Information & Privacy Commissioner Ontario, 2011) <https://iapp.org/media/pdf/resource_center/pbd_implement_7found_principles.pdf> accessed 10 March 2025

4 See Sections 4, 5, and 6 of the Digital Personal Data Protection Act, 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
