Executive Summary
Data privacy has become a core compliance area for Indian businesses. Any business collecting customer, employee, vendor, student, patient, subscriber or user data must examine its obligations regarding notice, consent, lawful processing, data security, retention, grievance redressal and breach response.
Constitutional Foundation
In Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, the Supreme Court recognised privacy as a fundamental right. This judgment is the constitutional foundation of Indian privacy jurisprudence.
The Digital Personal Data Protection Act, 2023 builds upon this privacy framework by regulating the processing of digital personal data.
Who Should Care
| Business | Data Collected |
|---|---|
| Hospitals | Patient records |
| Schools | Student/parent data |
| SaaS companies | User/client data |
| E-commerce | Customer/order data |
| Employers | Employee data |
| Real estate brokers | Buyer/seller data |
| Clinics | Medical records |
| Financial advisors | KYC and portfolio data |
Compliance Flow
Collect Personal Data
↓
Provide Notice
↓
Obtain Consent / Lawful Basis
↓
Use Data for Defined Purpose
↓
Secure Data
↓
Manage Rights / Grievances
↓
Retain / Delete as Required
Documents Businesses Should Maintain
- privacy policy;
- website terms;
- employee privacy notice;
- consent forms;
- vendor data processing clauses;
- data retention policy;
- breach response protocol;
- grievance mechanism.
Conclusion
Data privacy compliance is not limited to technology companies. Any business processing personal data should maintain clear privacy documentation and internal compliance controls.
