Compliance with the law is increasingly important for start-ups, not only to manage their business, but also to ensure they have the hope that venture capitalists looking to fund them are doing their due diligence.
Mint explains what the DPDP Act is and its implications for the Indian startup ecosystem.
What is the DPDP Act?
The DPDP Act is India’s first Personal Data Protection Act specifically designed to protect personal data and provide larger organizations with a framework for processing such data within a country. This applies to both online and offline data that is subsequently digitized.
The law imposes a number of obligations on companies or individuals processing data, including handling data correctly, ensuring that data is protected, ensuring that individuals providing their data know what they are providing it for, erasing data at the individual’s request or after consent has expired, and setting up a complaint resolution.
The government has also appointed a four-member Data Protection Board, which will act as a regulatory body and be responsible for enforcing data protection regulations.
According to a government official who requested anonymity, the Meita-led selection committee will now recommend names after which the appointments will be notified.
Which parts of the DPDP Act apply to startups?
Generally, there are several types of DPDP violations that can impact startups. These include failure to implement security measures to prevent data breaches and failure to report data breaches.
“These are absolutely key items that startups will need to keep in mind while building their business,” said Supratim Chakraborty, partner at law firm Khaitan & Co.
Consent is the cornerstone regulations, which means that if a company wants to access an individual’s data, consent must be “free, specific, informed, unconditional and unequivocal” under the law.
Put simply, companies must explicitly tell users why they need their data, what they will use it for, how long they will keep it, when their consent will expire, and when they will remove the data from the companies’ systems when it is no longer needed.
as a result startups can no longer include vague terms in their terms of service or privacy policy regarding how personal data is processed or how long it will be kept.
For AI startups, the law means they have less access to data and must now be very specific about what they collect from their users, especially since user consent is a big part of the DPDP law.
“Good data rules are long overdue, especially as India emerges as a real hotspot for high-confidence product startups. The DPDP framework finally brings the kind of certainty Indian tech and AI companies need to build globally respected products,” upGrad co-founder Ronnie Screwvala said in a written response to Mint.
If a startup violates consent regulations, it can be fined up to ₹50 crore unless other penalties are provided. Fines for insufficient data security can reach up to ₹250 million crowns.
“There has been an unnecessary accumulation of data which startups will now have to rethink as the law is now very clear,” said Raj Ramachandran, partner at JSA Advocates & Solicitors.
Will the law affect investments?
Investors and experts are confident that due to extensive discussions and frequent review of the DPDP, the impact will be minimal.
“Giving the industry 18 months to comply is a very mature move, especially when the rules came out in February,” said Amarjeet Singh Makhija, partner and head of startups at PwC India. “While companies have already been working on it, they haven’t gone into it fully, which is what’s going to happen now.”
Others, like Pranav Pai of 3one4 Capital, say their portfolio companies have already taken steps to be compliant. “We don’t want any of our companies to find themselves in the gray areas of any regulations. Everyone has been preparing for this for a long time,” Pai said.
Chakraborty of Khaitan & Co. however, he warned that there could be some initial problems as companies rush to achieve compliance. Larger players may prefer to partner with startups that have more advanced data processing and management. “There is a possibility that startups can be negatively affected at the beginning if they don’t show that they are well prepared,” he said.
