Businesses in India are improving their data privacy practices, but significant gaps remain, particularly in view of the Digital Personal Data Protection Act (DPDPA) 2023, which was passed by the Parliament in August last year. According to the State of Data Privacy in India Survey Report 2024, while 56% of organisations in the country expressed confidence in the government’s privacy-focused initiatives, an alarming 52% indicated that they had faced privacy breaches during the past five years.
The survey, conducted by the Confederation of Indian Industry (CII) and Protiviti, indicates that despite increasing awareness of privacy issues, many organisations still struggle with effective implementation. Also, while 63% of organisations have fully documented privacy policies and procedures, only 24% feel prepared to manage privacy concerns associated with emerging technologies like Artificial Intelligence, the Internet of Things, and blockchain.
While the government has yet to announce the rules to implement the DPDPA, the Minister of Electronics and Information Technology, Ashwini Vaishnaw, has stated that the data privacy law would be “digital by design.” The Act introduces several compliance requirements for collecting and processing personal data, with provisions to curb misuse by online platforms. It also includes penalties of up to Rs 250 crore for data breaches but grants the government the power to exempt state agencies from the law.
The law, which applies to the processing of digital personal data in India, covers data collected in digital form and non-digitised data that is subsequently digitised. It broadly defines personal data as any information about an identifiable individual or concerning such data.
Key data privacy concerns for businesses in India
A notable survey finding is the gap between large and smaller enterprises in allocating resources to ensure data privacy. Larger companies, with revenues exceeding Rs 1,000 crore, tend to have more robust privacy programmes, with 37% investing over Rs 5 crore in data privacy. On the other hand, smaller businesses, including MSMEs and startups, often lack formal privacy management plans, with 29% reporting no dedicated resources for privacy initiatives. This disparity highlights the challenges smaller organisations face in complying with the DPDPA's regulatory requirements.
The report also underscores the issue of third-party privacy risks, with 38% of organisations addressing these risks through contractual obligations and periodic risk assessments. However, 8% of companies have yet to take significant steps to mitigate third-party risks, exposing themselves to potential breaches.
Additionally, the survey points to the evolving role of technology in enhancing data privacy management. Organisations are increasingly adopting automation tools for managing consent, data governance, and privacy impact assessments, but only 26% have implemented such systems, indicating the need for wider technological adoption.
The governance of privacy programmes also differs significantly between larger and smaller organisations. Larger enterprises are more likely to have dedicated privacy offices, while smaller organisations often rely on IT and legal departments. For instance, 50% of smaller organisations limit privacy oversight to department heads, while only 11% have established a dedicated privacy office.
As India continues its digital transformation, the survey highlights the need for organisations to invest in data privacy frameworks, strengthen governance, and embrace advanced technologies to ensure compliance with the DPDPA and build trust in an increasingly connected world.