Mint Explainer: What the new data privacy law means for India's startups
With the DPDP Act now in effect, Indian startups face a definitive shift in how they handle user data.
India's Digital Personal Data Protection (DPDP) Act, 2025, was brought into effect on Friday as the ministry of electronics and IT (Meity) notified the rules and set up a four-member board for data protection.
For startups, compliance with the Act becomes increasingly important, not just for the sake of running their businesses, but also for ensuring they're above board when venture capital investors, looking to fund them, conduct their due diligence.
Mint explains what the DPDP Act is and what its implications are for India's startup ecosystem.
What is the DPDP Act?
The DPDP Act is India's first data protection law, specifically designed to protect individuals' personal data and provide larger organizations with a framework for processing such data within the country. It applies to data collected online as well as data collected offline and then digitized.
The law makes companies or individuals processing data responsible for a host of duties: handling data correctly, ensuring its protection, ensuring that individuals know what they are providing their data for, erasing data upon the request of an individual or when consent expires, and setting up grievance redressal.
The government has also appointed a four-member Data Protection Board, which will act as a regulatory authority and be responsible for enforcing the data protection regulations.
According to a government official who requested anonymity, a select committee under Meity will now recommend names, following which appointments will be notified.
Which parts of the DPDP Act are relevant to startups?
Broadly, there are several types of violations of the DPDP Act that can impact startups. These include failing to put security safeguards in place to prevent data breaches and failing to report data breaches.
“These are absolute high-key items that startups will have to keep in mind going forward as they build their businesses,” said Supratim Chakraborty, partner at law firm Khaitan & Co.
Consent is the cornerstone of the regulations, which means that if a company wants to access an individual's data, consent must be “free, specific, informed, unconditional and unambiguous”, according to the Act.
In simpler terms, companies must explicitly inform users why they need their data, what they will use it for, how long they will retain it, when their consent expires, and when they will remove the data from the companies' systems if it is no longer needed.
As a result, startups can no longer include vague language in their terms and conditions or privacy policies regarding how an individual's data is processed or how long it will be retained.
For artificial intelligence startups, the Act means they have less access to troves of data, and must now be very specific about what they collect from their users, especially given that user consent is a large part of the DPDP Act.
“Good data rules have been long overdue, especially as India emerges as a genuine hotspot for product-first, high-trust startups. The DPDP framework finally brings the kind of certainty Indian tech and AI companies need to build globally respected products,” said upGrad co-founder Ronnie Screwvala in a written response to Mint.
If a startup violates consent regulations, it can be fined up to ₹50 crore, unless other penalties are specified. Fines for inadequate data security can reach as much as ₹250 crore.
“There's been unnecessary hoarding of data, which startups will now have to re-evaluate, because now the law is very clear,” said Raj Ramachandran, partner at JSA Advocates & Solicitors.
Will the law impact investments?
Investors and experts are both confident that, given the extensive discussion and frequent review of DPDP, the impact will be minimal.
“Giving the industry 18 months to comply is a very mature move, especially since the rules came out in February,” said Amarjeet Singh Makhija, partner and startups leader at PwC India. “While companies were already working on it, they weren't going at it full-fledged, which will start happening now.”
Others, like Pranav Pai of 3one4 Capital, say that their portfolio companies have already been taking steps to be compliant. “We don't want any of our companies to be in the grey areas of any regulations. Everyone has been preparing for this for a long time,” said Pai.
However, Chakraborty of Khaitan & Co. warned that there might be some initial teething issues as companies rush to become compliant. Larger players may prefer partnering with startups that have more mature data handling and governance. “There's a possibility that at the beginning, startups might be impacted negatively unless they can showcase that they are well prepared,” he said.
