Navigating the India Privacy Act: Consent, Compliance, and Organizational Impact by Dr. Pavan Duggal, Dr. Prashant Mali, Puneet Bhasin & Bikash Barai


The India Privacy Act is a landmark piece of legislation aimed at protecting the digital personal data of individuals. It introduces stringent requirements for consent, compliance, and penalties for data breaches, applicable to organizations of all sizes. This blog delves into the key aspects of the Act, its implications for small and large organizations, and the necessary steps for ensuring compliance.



Here is the verbatim discussion:

Oh, is it? Yes. So, with respect to small and large organizations, the first thing that needs to be understood is the concept of consent, and legitimate consent is applicable to all organizations irrespective of size. So again, which question, you know, was even coming through in the chat box prior: that, you know, in the beginning itself, where I define data, there's no bifurcation of personally identifiable and sensitive data. Which means an organization, which may be a small organization, which is, let's say, offering health packages to their employees, just an example, and you know you're allowing your employees in health packages, which many organizations do today as a benefit offered to the employees, you are ending up collecting their health-related data. When an employee is applying to you for a leave, you are collecting a medical certificate, you are collecting some kind of records from them. So at any and every point of time you may imagine that you don't have data, but that is actually not the point. So you cannot say that, you know, "I'm not taking data pertaining to your exact health condition," or, you know, "I'm a smaller organization, I don't collect financial information, so I am not coming within this ambit." That is not how it works. So irrespective of the size of your organization, if you are collecting anything that constitutes personal data, you're going to come within the ambit. I'll give you a simple example: today when you go to a bank they are asking you a lot of information just to open your bank account, all of which is sensitive. Today when you're applying for a credit card, when you go for a job employment, there is an application that you make and track magnitude of the data breach it's going to be based on the nature of data, it is going to be based on how negligent was the organization. So though the negligent mind is not the concept, but let's say they had zero security, or they had, let's say, only a mediocre level of cyber security, and they were dealing with highly sensitive data,
so all these different permutations and combinations are going to determine, up to what figure in that 250 crores, are you looking at the penalty: is it 100 CR, is it 200 CR? Based on that is where there is going to be a formula determined. So right now the Act, considering the board, like the powers given to the board, is that there are certain parameters in which they can determine. Now, if there is further clarity and rules that will come up thereafter, then, you know, there may be more tweaking of this with respect to how they are going to work out the penalties. So clearly, any data which has personal data, now you really can't distinguish between distributor data or reseller data or your dealers' data. Any data which has PII, personal information, personal data, I know these are different words, but the words being used. So that when you're collecting personal data and you are deciding the means, when you're trying to process this data, when you classify yourself as a data fiduciary, then this law is applying. And if you're gathering a huge amount of data and the government goes and classifies you as a significant data fiduciary, a different set of treatment could get applied. So what industry you are in, there is no industry-specific mentioning in the law; it is data-specific. If it is personal data, DPDP is applicable; if it is digital personal data, DPDP is applicable. So there are a few other questions, like one is right to forget: is that concept there?



Universal Consent Requirement

  • Consent must be obtained from data principals through an explicit notice that details data collection, processing, and the involvement of data processors.
  • Notices must be provided in all Indian languages listed in the Eighth Schedule of the Constitution.
  • Consent requirements apply to all organizations, irrespective of size, including startups, MNCs, hospitals, and even housing societies.

Comprehensive Definition of Personal Data

  • The Act encompasses any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • There is no distinction between personally identifiable information and sensitive personal data.

Substantial Penalties for Non-Compliance

  • Penalties for non-compliance can reach up to ₹250 crore per violation, with fines dependent on the nature and magnitude of the data breach.
  • The Act does not specify penalties as a percentage of turnover but imposes blanket fines based on the severity of the breach.

Breach Notification and Remedial Actions

  • Organizations must notify the Data Protection Board and affected individuals in the event of a data breach.
  • Post-breach, organizations are required to take demonstrable steps to secure data and inform victims of the breach.

Applicability to Digital Data

  • The Act applies to breaches of digital personal information. Non-digital data that is subsequently digitized also falls under the Act’s jurisdiction.


The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CISO Platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.



Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.


Advocate Puneet Bhasin is a pioneer in cyber laws in India and has been awarded "Best Cyber Lawyer in India". She is an advisor to the Rajya Sabha Committees on Internet laws and a recipient of 13 national awards for her contribution to cyber laws, one of them being "Best Cyber Lawyer in India".


Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.
