
Three industry leaders reveal how they’re transforming data protection compliance into strategic business advantage today.

Data protection now sits at the heart of business survival. Moderating a recent session brought this reality into sharp focus—retail leaders, AI researchers, and healthcare professionals converged to tackle one question: How do organizations operationalize compliance in an era where data drives everything?

The Digital Personal Data Protection Act (DPDPA) spans just 39 pages, yet it wields penalties ranging from ₹50 crore to ₹250 crore—figures that can dismantle companies overnight. But numbers tell only half the story. The real challenge emerges when businesses must balance innovation against regulation, ethics against efficiency.

This session revealed how three industries are meeting that challenge head-on.

Retail Technology Rewrites Its Playbook

Mr. Subbu Rama Krishnan, Chief Technology Officer at WonderSoft, operates where data meets daily commerce. His firm powers retail operations for Adidas, Samsung, and Indian Terrain—brands that touch millions of customers daily.

DPDPA has forced retailers to confront a fundamental question: Are they data fiduciaries or processors? WonderSoft discovered the answer depends entirely on context. When clients host their own servers, the company functions as a software vendor. But when it provides cloud services, the firm transforms into a partner data fiduciary, shouldering shared responsibility for protection and consent.

The shift has redesigned their entire platform. WonderSoft now embeds modules that capture explicit consent, encrypt data both in transit and at rest, and maintain comprehensive audit trails of every access point.

“Clients no longer open conversations with product features,” Subbu explains. “They start with data safety questions.” This transformation demonstrates a crucial truth: compliance transcends paperwork—it demands design thinking at every level.

AI Governance Moves from Theory to Practice

Dr. Sivaramakrishnan R. Guruvayur, Research Advisor with the Center for Responsible AI and a UNESCO member, brings a global perspective to India’s data landscape. He tracks how countries worldwide are merging AI and privacy laws, layering responsible-AI frameworks onto existing regulations like GDPR, the EU AI Act, and the UAE Data Law.

These frameworks require organizations to map their entire data lifecycle: who owns data, who processes it, who decides its use, and how it is anonymized. But Dr. Sivaramakrishnan emphasizes that compliance cannot follow a generic template. Banking operates within decades-old regulatory frameworks, while healthcare and education are still establishing their guardrails.

“Every sector demands its own approach,” he argues. “Compliance must adapt to each domain’s ethical and cultural context.”

India’s AI governance is evolving from abstract principles into concrete practice, and organizations must move at the same pace—or risk falling behind.

Healthcare Battles to Preserve Human Trust

Dr. Krishnan Ganapathy, Distinguished Professor at The Tamil Nadu Dr. MGR Medical University and Emeritus Professor at the National Academy of Medical Sciences, brings decades of medical practice to the compliance conversation. He bristles at the terminology surrounding modern healthcare.

“I dislike calling it an industry,” he states firmly. “Medicine began as trust between doctor and patient.”

Today’s healthcare systems have evolved into complex ecosystems connecting hospitals, insurers, IT vendors, regulators, and compliance teams. Every electronic health record, every telemedicine portal pushes personal information across wider networks and farther distances than ever before.

Dr. Ganapathy insists privacy must never overshadow trust. Indian patients still place more faith in their doctors than any app or policy document. That trust must survive even as systems adopt encryption, anonymization, and cyber-resilience measures.

He highlights a growing threat: cyberattacks on hospitals are escalating. The ransomware attack on AIIMS Delhi exposed how valuable medical records have become on black markets. Safeguarding that data now carries moral weight equal to its legal obligation.

Four Principles Emerge from Practice

The discussion crystallized several critical insights. First, consent remains central but demands practical implementation. Healthcare emergencies require implied consent over formal documentation. Retail transactions can integrate digital consent into checkout flows.

Second, compliance cannot follow a one-size-fits-all model. Dr. Sivaramakrishnan argues each use case requires evaluation for risk and proportional investment. Banks handling KYC data face different requirements than schools managing student-performance records.

Third, awareness gaps persist across the business landscape. Large corporations build dedicated compliance teams while smaller organizations are just beginning to grasp the scope. Training and culture will determine whether compliance becomes sustainable or remains superficial.

Fourth, technology accelerates compliance through RegTech solutions and AI-driven monitoring that manage consent, encryption, and auditability. But technology must serve governance, never replace it.

The Path Forward

DPDPA represents more than a compliance exercise—it signals a cultural transformation. When organizations internalize data protection, they enhance brand reputation, build consumer trust, and future-proof innovation.

India’s law mirrors global standards, but its implementation must remain locally sensitive—respecting our social fabric, economic diversity, and deeply personal relationships, particularly in healthcare and education.

When trust, technology, and transparency converge, compliance becomes natural rather than forced. That defines Compliance in Action.


Q&A

How do your clients ensure that the retail platforms they purchase are DPDPA-compliant?

Mr. Subbu Rama Krishnan (Retail Technology): “Most large clients now start discussions with data protection questions. We show them our ISO 27001 controls and explain how consent, encryption, and withdrawal features are embedded. Smaller businesses still learn by doing, but the fear of ₹50 crore penalties has accelerated awareness.”

How should organizations decide how much to invest in data protection under the DPDPA?

Dr. Sivaramakrishnan R. Guruvayur (AI and Data Ethics): “Adopt a use-case-based approach. Assess what problem you’re solving—KYC, credit scoring, medical imaging, or children’s learning data—and invest protection proportionate to sensitivity. Compliance is context-driven, not uniform.”

How does healthcare reconcile the need for data protection with the doctor-patient trust?

Dr. Krishnan Ganapathy (Healthcare): “Trust comes first. Patients share everything with doctors—sometimes even family history—without hesitation. We must safeguard that information through anonymization and security, but never let fear of compliance erode the human bond that defines medicine.”
