Introduction Most organisations today can point to a compliant-looking privacy setup: cookie banners, preference centres, and neatly maintained consent logs. However, the real issue is whether that choice actually changes anything. Increasingly, the answer appears to be no. Users click “Reject All”, withdraw consent, or opt out of tracking, yet data continues to flow…
Designing for Deterrence: Drafting Internal Policies to Withstand Penalties under the DPDP Act
- 2026-01-07
Introduction The enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), followed by the notification of the Digital Personal Data Protection Rules, 2025, represents a shift in corporate governance operations. For nearly a quarter of a century, data protection in India was governed by the 43A and the SPDI Rules of 2011 under…
Is Your CRM Dangerous under DPDPA?
- 2026-01-07
For a decade, Indian enterprises hoarded data like oil. We scraped numbers, bought lists, and treated CRMs as goldmines. Under DPDPA, “Legacy Data” sitting in your servers from 2020–2025 is no longer an asset. It is a Toxic Asset. “If you have concerns about the legacy data, you may wish to ask your HR…
Evolution of Evidence-Based DPDPA Compliance
- 2026-01-06
The year 2026 will be the Foundation Year of Trust, with a Consent Management Framework in place. 1. Notice & Consent Basics Visual flow: Data Fiduciary sends Notice to Data Principal; Data Principal provides Consent back. 2. Purpose Register & Data Mapping Visual flow: Mapping Personal Data to Purpose for the Data Principal. 3. Processor/Vendor Controls (Part A…
AI Governance: India & Global Roadmap, 2026
- 2026-01-05
AI Governance: India & Global Roadmap, 2026 AI governance is no longer a value statement; rather, it is a proof statement. That is why the India AI Impact Summit 2026 in New Delhi at Bharat Mandapam on 19 and 20 February 2026 matters, because it is positioned around impact, not hype, and around what can…
Top 10 Things to Know in the Artificial Intelligence (Ethics and Accountability) Bill, 2025
- 2025-12-29
Top 10 Things to Know in The Artificial Intelligence (Ethics and Accountability) Bill, 2025. It will have an impact on DPDPA as well. It is a proposed Indian legislative framework designed to regulate the development and deployment of automated systems. Creation of an Ethics Committee: The Bill establishes a dedicated Ethics Committee for Artificial Intelligence…
Do You Have A Purpose Register?
- 2025-12-28
The Mandate of “Specified Purpose” Under the Digital Personal Data Protection Act, 2023, processing personal data is only permissible for a lawful purpose for which the Data Principal has given consent or for certain legitimate uses. A “Specified Purpose” is the fundamental anchor of every data interaction; it is the explicit reason mentioned in the…
We are roughly one month and ten days into the DPDPA implementation countdown. Since the notification dropped in November, I have watched many organizations treat this period as a vacation rather than a sprint. Let’s be precise about what this silence costs you. The 12 Months Milestone (November 2026): This isn’t a ‘soft launch.’…
Introduction In India’s democracy, few laws have been as empowering as the Right to Information (“RTI”) Act, 2005. It acts like a tool in the hands of citizens to cut through the opacity of bureaucratic secrecy, thereby allowing citizens to hold power to account. However, this transparency is now threatened by a change made…
Evidence Based Compliance: The New Currency Under DPDPA The Digital Personal Data Protection Act, 2023 marks a decisive turn in how organisations will be evaluated. The future standard is clear: Compliance will be judged by evidence, not paperwork. Policies, notices, and contracts matter but they no longer determine regulatory outcomes. What matters is the organisation’s…
OLD: Consent is a static checkbox exercise, sufficient for legal ‘satisfaction’. VIBE: Consent is a provable, real-time user journey, where every interaction is logged as irrefutable evidence of informed choice and ongoing intent. OLD: Compliance is an IT department’s operational burden, handled by technical staff. VIBE: Compliance is a C-Suite imperative, where proactive logging of…
When I look back at the last three decades of regulatory transitions in India, from excise to GST implementation, from IT Act amendments to sectoral cybersecurity standards, one lesson has remained unchanged: Those who wait for the deadline always lose the advantage. Not legally, but operationally. The DPDPA is no different. On paper, the…
DPDP Rules Notified – Immediate Actions
- 2025-11-19
The Digital Personal Data Protection Rules, 2025 were notified in the Gazette on 13 November 2025 (G.S.R. 846(E)). Some provisions are already in force, while the core compliance obligations kick in over the next 12–18 months: Rules 1, 2 and 17–21 apply from publication; Rule 4 (Consent Managers’ registration) starts one year after publication; Rules…
Introduction FinTech apps make money movement feel effortless, but the moment you sign up they start collecting a lot of personal and financial details. This can include your phone number, bank information, ID proofs, transaction history and even how you use your device. All of this sits behind the smooth buttons and screens you tap…
Shadow AI vs. Proactive AI: The Invisible Data Privacy Crisis Hiding in Your Organization
- 2025-10-29
Most of your employees are using unauthorized AI tools right now. Are you the 67% of organizations with zero visibility? Your Organisation The global AI narrative is fractured. On one side, boards celebrate approved innovation. On the other, an unmanaged crisis of Shadow AI is silently exposing proprietary data and attracting fierce regulatory scrutiny. The…
Introduction In today’s digital economy, cross-border data transfers are a key part of global trade. For Indian businesses, this is a day-to-day operational reality, but it is also a trigger for multifaceted challenges because of the range of disparate and often conflicting data protection laws in different countries. The disequilibrium of legal regulations is not…
Introduction India’s new era of digital accountability has begun with the introduction of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”), which is expected to be implemented in the near future. The legislation establishes a comprehensive framework on the collection, use, storage, and transfer of an individual’s personal data. For some organizations,…
Privacy Compliance for School and University Student Records: From Collection to Expunction
- 2025-09-25
Introduction In an administrative framework, student records once served as an instrument in facilitating and ensuring institutional formalities. In contrast, they have now become a crucial part of institutional governance. Hence, their management and protection under the Digital Personal Data Protection Act (“DPDP Act”), 2023, as well as under the existing framework of the Information…
INTRODUCTION Consent in healthcare is no longer a matter of routine paperwork. It has become a statutory and governance obligation under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), the National Digital Health Mission (“NDHM”), and the oversight of ethical guidelines in medical practice. Hospitals and clinics are data fiduciaries. They carry a direct…
Introduction The Digital Personal Data Protection Act (hereinafter referred to as the “DPDPA” or “the Act”) 2023, alters how India looks at data privacy and compliance frameworks. One of the most talked about provisions of the Act is per-transaction, or granular, consent, which requires that a user must provide explicit consent for each and every…
INTRODUCTION As data privacy regulations tighten across the globe, businesses are under growing pressure to keep clear, organized records of how they handle personal data. One such tool widely used internationally is the ‘Record of Processing Activities’, commonly referred to as ROPA. Mandated under the European Union’s (hereinafter referred to as “EU”) General Data Protection…
