Are We Willing to Change

India’s new data protection law will require businesses to make significant changes to the ways in which they conduct their business. To the point where they will have to fundamentally re-imagine their ways of working. It is not clear to me that many of them understand the sheer magnitude of what that entails.

This article was first published in The Mint. You can read the original at this link. If you would like to receive these articles in your inbox every week please consider subscribing by clicking on this link.


Whenever I speak to my clients about how India’s new Digital Personal Data Protection law will affect their operations, it is almost always their sales teams that express the most consternation. “How are we expected to do our jobs if this new law comes into effect?” they ask me, “What are we supposed to do if we can’t call people to see if they want to buy our products?”

The Modus Operandi for Sales

For almost as long as I can remember, commercial organisations have oriented their sales teams to acquire massive data-sets of personal data—from names and email addresses to mobile numbers—so that they can be converted into leads. They have put in place massive call centres to use this information to reach out to as many people as possible, treating everyone as a potential customer who can be convinced to buy whatever they have to offer, whether they need it or not.

We have all been interrupted at odd hours of the day and night by calls from banks we don’t know selling us loans we don’t want. We cannot spend a minute online without being shown some product or the other that an algorithm has determined we need to see when in fact these messages just get in the way of what we want to do.

Organisations today know of no other way to market their products to us. And so they find dubious means to acquire personal information that they can use for their sales pitches. Which is why, when I break it to them that this spray-and-pray approach is no longer on the table, they seem completely lost.

Changes under DPDP

Under the Digital Personal Data Protection Act (DPDP Act) of 2023, no one can process personal data unless they have a legitimate ground to do so. This, in most instances, will have to be the consent of the data principal to whom that data pertains. Which means that unless all the organisations that plague us with sales calls can show they have our consent to do this, their actions will be against the letter and spirit of the law.

What’s more, since the law requires our consent to be specific, referring precisely to the purpose for which data is being collected, even if a bank has our consent to process our personal data to provide us a loan, it cannot re-use that consent to upsell any other service to us—or share our personal data with anyone else.

As data principals, we will all have rights to ensure that companies comply with the law. Foremost among these is the right to access—the ability to ask any data fiduciary what personal data about us they are processing and who they have transferred it to. This means that organisations will not only have to know what personal data is under their control, they will also have to keep track of each and every purpose to which that data is put. If it happens to get into the hands of someone else, the organisation that processed it will have to demonstrate that this transfer had our consent.

For sales teams that know no other way to market products and services other than by getting their call centre agents to work the phones calling every last person on a list of names purchased on the black market, the bottom has fallen out of that outreach model. Not only will these data-sets be increasingly unavailable, businesses that acquire and sell them will be forced to shut down. What’s more, without a legitimate ground, even the act of continuing to store such data obtained before the DPDP Act came into force will be a violation of the law. When I have explained this to sales teams in the many organizations I have addressed, they have been gobsmacked.

Redesign Your Processes

There are a number of other workflows and processes that companies will have to revisit in the light of the new law.

A couple of days ago, I tried to update my KYC details on my mobile phone. I was told by my telecom provider that I could either allow it to scan my Aadhaar card or provide any other form of identity that I chose. If I opted for the latter, I had to also supply an alternate phone number to which an OTP could be sent.

Now, as it happens, I have no other mobile number. Which means that in order to complete the KYC re-verification of my mobile number (one that I have held without change for 24 years), I had to provide the telecom operator with someone else’s phone number. As a data protection lawyer, I was loath to offer up another person’s personal data without their consent, but, as the lady at the store was at pains to warn me, if I did not comply, my phone number could be cancelled for want of an updated KYC.

It is insidious business processes such as these that companies will have to immediately redesign. If they require the mobile number of any person, they need that person’s consent, even if all they intend doing with it is to send an OTP in order to confirm a KYC update. They should not be asking me to provide them with the mobile number of a family member or colleague because the very act of sending an OTP to it without the consent of the recipient will be a violation of the law.

Each breach of the provisions of the new law will be liable to a penalty of up to ₹250 crore. This is not a sum to be trifled with and organisations around the country have already begun to re-order their operations to ensure compliance.

Given that the government has confirmed that the notification of rules and implementation of the DPDP Act are among the top priorities of the ministry of electronics and information technology, businesses that have not revised their processes accordingly are living on borrowed time.