Executive Summary

Data privacy has become a core compliance area for Indian businesses. Any business collecting customer, employee, vendor, student, patient, subscriber or user data must examine its obligations regarding notice, consent, lawful processing, data security, retention, grievance redressal and breach response.

Constitutional Foundation

In Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, the Supreme Court recognised privacy as a fundamental right. This judgment is the constitutional foundation of Indian privacy jurisprudence.

The Digital Personal Data Protection Act, 2023 builds upon this privacy framework by regulating the processing of digital personal data.

Who Should Care

BusinessData Collected
HospitalsPatient records
SchoolsStudent/parent data
SaaS companiesUser/client data
E-commerceCustomer/order data
EmployersEmployee data
Real estate brokersBuyer/seller data
ClinicsMedical records
Financial advisorsKYC and portfolio data

Compliance Flow

Collect Personal Data
        ↓
Provide Notice
        ↓
Obtain Consent / Lawful Basis
        ↓
Use Data for Defined Purpose
        ↓
Secure Data
        ↓
Manage Rights / Grievances
        ↓
Retain / Delete as Required

Documents Businesses Should Maintain

  1. privacy policy;
  2. website terms;
  3. employee privacy notice;
  4. consent forms;
  5. vendor data processing clauses;
  6. data retention policy;
  7. breach response protocol;
  8. grievance mechanism.

Conclusion

Data privacy compliance is not limited to technology companies. Any business processing personal data should maintain clear privacy documentation and internal compliance controls.