Data PrivacyWhat Are Red Flags in ITeS companies under Data Protection?

September 23, 20230
What Are Red Flags in ITeS Companies Under Data Protection?


The red flags for ITeS companies worldwide including India can be summarised as under;

Lack of Compliance with Regulations
  • Global: Non-compliance with DPDPA, PDPL, GDPR, CCPA, or other regional data protection laws.
  • India: Non-compliance with the Information Technology Act, 2000, and the Digital Personal Data Protection Act,2023(DPDPA,2023).
Inadequate Data Security Measures
  • Global: Lack of encryption, multi-factor authentication, or firewalls.
  • India:  Data security has never been a concern due to lack of Data Protection law in place, which will change after the enforceability of the DPDPA,2023  in place.
Poor Incident Response Plans
  • Global: Absence of a well-defined incident response plan or failure to notify affected parties in the event of a data breach.
  • India: A habit is lacking to disclose and with DPDPA, 2023 to be enforced soon, such mindset should have to be evolved to report data breaches within stipulated timelines.
Ambiguous Contractual Terms
  • Global: Contracts that lack clarity on data ownership, data usage, and data protection responsibilities.
  • India: Contracts that do not specify compliance with Indian data localization requirements.They should be vetted and redrafted.
Inadequate Employee Training
  • Global: Lack of regular training programs on data protection and cybersecurity.
  • India: Failure to train employees on the specific requirements of Indian data protection laws.
Unvetted Third-Party Vendors
  • Global: Lack of due diligence in vetting third-party vendors for compliance with data protection laws.
  • India: Not evaluating the data protection measures of third-party vendors based in India or abroad.
Data Transfer Risks
  • Global: Inadequate safeguards for cross-border data transfers, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
  • India: Non-compliance with Indian data localisation requirements for sensitive personal data.
Lack of Transparency
  • Global: Failure to provide clear and accessible privacy policies.
  • India: Not providing privacy policies in local languages or not being transparent about data collection practices.
Over-collection of Data
  • Global: Collecting more data than necessary for the stated purpose, violating the principle of data minimisation.
  • India: Collecting sensitive personal data without explicit consent.
Automated Decision-Making Without Oversight
  • Global: Use of automated systems for decision-making without human oversight or the ability for human intervention.
  • India: Lack of disclosure about automated decision-making processes, which would be a requirement under DPDPA,2023 once notified for its enforceability.
Failure to Conduct Regular Audits
  • Global: Not conducting regular audits to assess data protection measures.
  • India: Failure to adhere to any mandatory audit requirements set forth by Indian authorities.
Non-Existence of a Data Protection Officer (DPO)
  • Global: Not appointing a DPO where required by law.
  • India: Not appointing a Data Protection Officer if mandated by the upcoming Personal Data Protection Bill.

These red flags can serve as a comprehensive checklist to assess the data protection posture of ITeS sector, both within India and globally.

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.