Personal data protection has always been a sensitive topic in the digital world, and India is just steps away from consolidating its position in this field, especially now that it has reached a crucial milestone in its regulatory system, which will allow companies and citizens to change the way they handle information online. The Digital Personal Data Protection Act (DPDP) is expected to publish the final rules later this month. Learn more about this subject and discover everything about these new rule.
What changes for India with these new rules
One of the main changes is that the GDPR will now focus exclusively on digital personal data, unlike the European model (GDPR), which covers all types of information. This new data protection law provides for fines of up to ₹250 crore (approximately €28 million) for very serious violations, but it will not apply percentages based on companies’ global revenue.
Furthermore, there will be a simplification that will eliminate the distinction between “personal” and “sensitive” data, thus introducing the concepts of “data subjects,” which are the individuals involved, and “data fiduciaries,” which are the entities/companies that process information. This means the process will be more straightforward, but it will require quick adaptation by organizations accustomed to traditional compliance frameworks.
Some companies have already begun taking steps to prepare for these changes, even before the official publication. Banks, startups, and tech giants are appointing Data Protection Officers (DPOs), even mapping data and redesigning their companies’ consent processes. Meta, for example, and large Indian financial groups are already prioritizing this compliance to avoid reputational risks. Tech startups, meanwhile, have adopted a stance of using regulation as an opportunity to differentiate their products, betting on transparency as an added value.
What are the challenges and opportunities of this new scenario?
Despite the progress, some challenges remain for the new project. The main one is the complexity of implementing such profound changes in a short period of time. Even with the final rules about to be released, some organizations have admitted they are still in the early stages of compliance. Experts in this area point out that the next two months will be a crucial period for adjusting systems and protocols.
Furthermore, another point being discussed is the relationship between innovation and regulation. Some artificial intelligence startups, for example, are already moving toward integrating ethical practices into their processes, starting from the product design stage, and this can reduce future friction. Consulting firms, such as EY and Tsaaro, are trying to develop phased compliance plans, focusing on security and incident response.
Understand the role of Indian society in this new project
Beyond the companies involved in the project, there will be a significant impact on the country’s citizens. This new bill promises to give users the power to control their own data, detrimental to companies: consent, revoke, and demand information about how it is used. This move empowers companies and strengthens them digitally in light of the growing trust in online services, from health apps to e-commerce platforms.
What to expect from now on?
Experts are warning about the potential risks to press freedom and the flow of information, which we are seeing in other contexts. Journalists fear that some restrictive interpretations could limit access to data that is of public interest. This point should generate ongoing debate about the balance between privacy and social transparency.
This announcement by India regarding the publication of digital data protection rules represents an important turning point for the country, as well as for the entire global technology ecosystem. This new law redefines the relationship between individuals and companies in the digital environment.