
Technology, Tools, and Tough Choices in India’s New Privacy Landscape

Organizations face a critical inflection point. India’s Digital Personal Data Protection Act (DPDPA) demands more than compliance checkboxes—it requires fundamental shifts in how businesses handle data, deploy technology, and build trust.


Panel Overview

Moderator:

Panelists:


Opening: The Technology Question

Ashok Kini: We’re in the most challenging session after lunch, but the turnout shows how much this matters. Let me start with the question on everyone’s mind. Mayuran, how should organizations begin this journey? When should they deploy tools to handle multilingual consent and cross-platform data?

Mayuran Palanisamy: This discussion arrives at the perfect moment. With DPDP rules expected tomorrow, the act—technically effective since August 2023—finally reaches the implementation stage. Most organizations have completed gap assessments, mapping their position against DPDPA expectations. Understanding your compliance posture comes first. How far are you from legal requirements? Where do vulnerabilities hide?

Financial institutions lead the charge, driven by Reserve Bank of India pressure. But implementation presents the real challenge, unfolding across two critical layers. First, operational measures—policies, Data Protection Impact Assessments, processing activity records, and comprehensive data inventories. Second, technological measures requiring automation through privacy management platforms, consent management tools, and protection technologies including encryption, DLP, and monitoring systems.

Here’s what organizations must understand: no single technology solves everything. Anyone claiming their platform handles all challenges is selling, not solving. Real compliance integrates multiple solutions under unified governance.


Platform Reality: Managing Trust and Technology

Ashok Kini: Nivedita, you work both sides of the data equation—principals and fiduciaries. What risks emerge, and how do you manage them?

Nivedita: I work at a digital marketing agency—both a Google Premium Partner and Amazon Verified Partner. We developed Addis, our proprietary tool, to manage advertising campaigns efficiently. Our philosophy centers on data minimization. We collect only essentials—name, email, phone number. That’s it. Limited access and role-based controls maintain compliance and security.

Addis connects directly with Amazon through secure APIs. We don’t store unnecessary data. Clients’ ad performance flows directly through the platform, with every action logged through audit trails. Role-based access, multi-factor authentication, and encryption form our security foundation.

But technology alone doesn’t solve trust issues. Small Amazon sellers often lack technical understanding. They worry about unauthorized data access. Each client receives unique credentials and two-factor authentication. Automation now prevents unauthorized access, ensuring only designated personnel gain entry. We balance trust, transparency, and usability—the three pillars supporting digital privacy for platforms like ours.


The CISO Perspective: Security vs. Privacy

Ashok Kini: Ravindra, from a CISO’s perspective, how does traditional information security differ from DPDPA requirements?

Ravindra V: Organizations wrongly assume information security tools—DLP, SIEM, endpoint protection—automatically ensure DPDPA compliance. They don’t. Information security protects systems; data protection safeguards individual rights.

Existing security tools provide a foundation, but fall short on consent tracking, rights management, storage limitation, and purpose restriction. Traditional systems alert you to breaches, but don’t classify them by personal data exposure under DPDPA definitions.

Organizations must augment cybersecurity stacks with privacy-focused technologies. These tools complement rather than replace current systems. We integrate them intelligently to create holistic compliance ecosystems.


Deep Dive: Privacy-Enhancing Technologies

Ashok Kini: We hear a lot about PETs. Mayuran, how should clients choose appropriate solutions within budget constraints?

Mayuran Palanisamy: Organizations must differentiate between privacy management tools and privacy-enhancing technologies. Management tools handle compliance—consent, data subject requests, record keeping. PETs embed privacy into product architecture.

Most organizations focus on management tools rather than true PETs. Even post-GDPR, few companies implement PETs deeply. They require early integration—during product design—not as afterthoughts.

Assess PETs across three dimensions. First, timing—introduce PETs early in development to avoid architectural conflicts. Second, compatibility—ensure integration with legacy systems and modern applications, handling both structured databases and unstructured content like emails and documents. Third, coverage—recognize no tool provides universal solutions. Different tools solve different problems. DLP systems, while not strictly PETs, function as privacy-preserving technologies by preventing leaks.


The Indian Context: Local Innovation Meets Global Standards

Ashok Kini: India’s DPDPA includes unique provisions—nominations, consent managers, minor protections—that distinguish it from GDPR. How do organizations handle these distinctly Indian complexities?

Mayuran Palanisamy: DPDPA borrows global principles—consent, purpose limitation, data minimization—but addresses local realities. GDPR is seven years old, and even Europe updates it with the AI Act. Our law offers flexibility, establishing boundaries rather than prescriptive rules.

The right to nominate represents a particularly Indian innovation, addressing digital asset management after death. It reduces friction in processes like bank account settlements while respecting individual rights.

I estimate 60–70% GDPR alignment, with remaining provisions tailored for India’s digital public infrastructure—Aadhaar, UPI, DigiLocker. Copy-paste GDPR wouldn’t work for India’s scale or maturity. DPDPA proves progressive by blending global practices with local needs.


AI and Privacy: Breaking the False Dichotomy

Ashok Kini: How can companies embrace AI while meeting privacy obligations?

Mayuran Palanisamy: A myth persists that AI and privacy can’t coexist. They can—and must. AI regulations like the EU AI Act emerged precisely because personal data powers most AI models.

AI governance and privacy principles share common goals: transparency, accountability, bias mitigation. Building privacy by design into AI systems future-proofs them. Regulations will only demand more explainability.

CEOs will soon need to explain how AI models make decisions. AI can’t remain a black box. Privacy compliance strengthens AI ethics—it’s a safeguard, not a barrier.


Governance: Building the Right Team

Ashok Kini: Who belongs on privacy governance committees, and how should they operate?

Mayuran Palanisamy: Governance teams should include CDO, CISO, DPO, and legal representatives. The biggest mistake? Bringing privacy teams in late—after products or data transformations are underway.

Let me offer an analogy. When buying a car, everyone discusses engine power. But the brake system gives you confidence to accelerate. Privacy functions as that brake—it doesn’t slow you down; it enables safe acceleration.

Committees should meet regularly, facilitating continuous knowledge sharing between business, technology, and compliance teams. Privacy professionals now join change management boards from project initiation. That’s the right direction.


The Cost Question: Investing Wisely

Ashok Kini: An audience member asks—how should organizations balance cost and compliance?

Mayuran Palanisamy: ROI in privacy is straightforward—the penalty you avoid equals your return. Single breaches cost ₹50–250 crore under DPDPA, excluding reputational damage.

I caution against premature overspending on sophisticated platforms. Start with affordable tools solving basic problems. Don’t expect overnight fixes. Like SAP, compliance tools have learning curves—they evolve with your organization.

Many European firms rushed into expensive GDPR platforms without effective use. They spent millions but derived no value for years. Privacy tools work best when built on strong data foundations.


Closing Insights: Wisdom from the Frontlines

Ashok Kini: Before we close, let me ask each of you for one final piece of advice.

Ravindra V: Before selecting tools, master your data basics. Map flows, classify information, eliminate redundancy. No consultant can do this for you—it’s an organizational responsibility. Once groundwork solidifies, tool selection becomes straightforward.

Nivedita: From a business standpoint, transparency drives everything. Clients want to know what tools you use, how they work, what happens to their data. Opacity breeds mistrust—and privacy violations. Transparency enables compliance.

Mayuran Palanisamy: In an age of accelerating technology and evolving regulation, data protection fundamentals remain constant. Organizations must understand their data, protect their consumers, and establish governance structures that adapt to change. As India enters a new era of digital privacy, the path may be complex—but the direction is clear. Ethical, transparent, and technology-enabled data stewardship will define the next chapter of trust in India’s digital economy.

Ashok Kini: Thank you all. The question isn’t whether to act, but how quickly organizations can transform compliance from obligation into competitive advantage.
