From Boardrooms to Boilerplates: The DPDP Act’s Impact on Compliance and Contract Drafting

Adv. Sreeraj Muralidharan, BBM, FCS, LLB, CFORA
Email: Advsreerajm@gmail.com
There are moments in regulatory history when a new law forces an industry to stop and look at itself - really look. The Digital Personal Data Protection Act, 2023, is one such moment for India’s digital economy.
For years, companies treated personal data almost as if it were a cheap, inexhaustible commodity-collect everything, store everything, track everything, and worry about the details later. Consent forms were drafted merely to satisfy appearances, and privacy notices blended into the background like wallpaper. Even a breach was often regarded as a technical inconvenience to be patched quietly.
That period has ended. And the shift did not arrive with fanfare; it arrived with inevitability.
The moment the DPDP Act and the new Rules came into force, you could feel the tremor across industries. Cyber-insurance enquiries jumped. Boards scrambled for internal audits. HR teams, marketing teams, IT teams - everyone suddenly had a stake in compliance. After watching several waves of legislation over the decades - from the transformation of FERA to FEMA, to the rise of the Companies Act, 2013, and the extraordinary disruption of the IBC - this Act feels different. It is not a mere compliance obligation. It marks a cultural shift in how India understands data, responsibility, and trust.
I. A New Architecture of Accountability
1. Consent Is Now a Serious Legal Act
The days of vague, all-encompassing consent statements have vanished. Under Sections 5 and 6, consent must be genuinely informed and specific—no hidden catches, no bundling of unrelated permissions. And perhaps the most powerful change lies in Section 6(10), which places the burden of proof squarely on the company: if questioned, you must be able to show that proper notice was given, and valid consent was obtained.
Many organisations built their digital empires on broad, open-ended consents. That era simply does not survive the DPDP Act.
2. First-Party Data Takes Centre Stage
Where businesses earlier depended heavily on third-party datasets - profiles bought, borrowed, or traded - the new law forces them to rely far more on first-party, directly obtained information. Section 4 ties processing tightly to the purpose disclosed. And Section 7 narrows the window for “legitimate use,” cutting off a long list of informal practices that were never formally authorised.
Marketers, in particular, must re-learn the discipline of purpose limitation.
3. Retention Has an Expiry Date
Rule 8 introduces a change that sounds simple but disrupts an entire culture: data cannot be stored indefinitely. Once the purpose is completed, unless another law requires retention, deletion becomes mandatory. The Rules mandate deletion reminders and require companies to warn individuals before their data auto-expires.
It may feel strange to an industry accustomed to “save everything,” but the law is intentionally pushing companies toward disciplined data governance.
4. Breach Notification Is No Longer Optional
One of the clearest departures from the past is Rule 7. A breach today cannot be concealed or diluted. A company must immediately inform both the Data Principal and the Data Protection Board. And this disclosure is not perfunctory. It must cover what happened, how serious the damage is, what the company is doing about it, and how it plans to minimise harm.
This single requirement has completely reshaped the cybersecurity landscape. Insurers, who previously treated cyber-risk as something hypothetical, now insist on verifying day-to-day data-handling practices. A breach now carries legal, financial, and reputational consequences - all simultaneously.
II. Why Cyber-Insurance Is Becoming a Governance Mandate
The recent reporting in The Economic Times captures the situation accurately. The DPDP Act has altered corporate risk calculations almost overnight.
Sections 8, 28, 33 and 34 come with penalties severe enough to make any board nervous. A single breach can trigger multiple forms of liability: statutory penalties, user claims, regulatory scrutiny, and loss of business reputation. And every breach must be disclosed to the very individuals whose data was affected—something no company takes lightly.
For the first time, businesses are turning to cyber-insurance not for comfort but for survival. Insurers, in turn, have become far more demanding. They want evidence of encryption (Rule 6), audit logs that genuinely work (Rule 6(1)(c)), proper retention and deletion practices (Rule 8), clear consent mechanisms (Sections 5–6), breach-response protocols (Rule 7), and strict controls over third-party processors (Section 8 read with Rule 6(1)(f)).
This is not a passing trend in the insurance market. This is the early footprint of enforcement. The law has changed, and insurers are simply adjusting to a more serious risk environment.
III. How the DPDP Act Has Quietly Rewritten Contract Drafting
In my experience, few statutes have affected contract drafting as comprehensively and as swiftly as the DPDP Act. Almost every business contract now requires a rethink.
1. Data Processing Clauses Are No Longer Decorative
What used to be “best practice” is now compulsory. Contracts - whether with vendors, employees, consultants, or agencies - must now clearly spell out the purpose of data processing, the scope, duration, deletion requirements, and the security measures expected. You cannot rely on standard boilerplate anymore; the law demands specificity.
2. Vendors Must Share the Burden
Under Section 8, the Data Fiduciary remains responsible even if processing is outsourced. This fundamentally changes how companies negotiate with vendors. Audit rights, indemnities, breach timelines, and mandatory technical safeguards are no longer negotiable niceties - they are legal necessities.
Boardrooms are discovering that vendor management has suddenly become a compliance function.
3. Employment Documentation Must Evolve
Even though employment-related processing has a legitimate use under Section 7(i), employers still need to issue clear notices, maintain security, avoid excessive collection, and comply with deletion norms. The HR manual, onboarding forms, attendance systems, and ID card issuance workflows must now be examined through a fresh lens.
4. Cloud and Overseas Processors Face New Expectations
Many Indian companies rely on global vendors who are unfamiliar with India’s statutory requirements. Even though explicit cross-border restrictions have not yet been operationalised, companies must ensure that processors abroad honour consent requirements, deletion norms, and breach responsibilities.
This alone is prompting renegotiations across software, cloud, and IT service agreements.
5. The Marketing and Digital Ecosystem Faces the Sharpest Shift
The industries most affected are marketing, analytics, and digital agencies. The Act’s stance on children’s data (Section 9; Rules 10–12), the prohibition on dark patterns, and the emphasis on purpose limitation mean that many targeting strategies used over the last decade will simply not survive. Influencer partnerships, digital campaigns, and retargeting workflows—all need contractual revisions.
IV. Children’s Data: A Domain Where the Law Speaks with Moral Force
Among all its provisions, the Act’s approach to children’s data stands out for its clarity and firmness. Section 9 and the accompanying Rules insist on verifiable parental consent and prohibit any practice that profiles, tracks, or targets a child. For platforms catering to young users - especially in gaming, OTT, or ed-tech - the implications are enormous.
Entire user flows will have to be redesigned, and companies that previously relied on behavioural tracking must fundamentally re-evaluate their business models.
V. A Closing Reflection
The DPDP Act does not merely regulate data - it regulates conduct. It addresses a vacuum that had existed for far too long and replaces ambiguity with a structured framework that expects responsibility, restraint, and honesty from companies.
What strikes me most is how quickly it is reshaping corporate behaviour. Boards that once treated data protection as an IT issue now ask far deeper questions: Do we need this data? How long should we hold it? Who exactly has access to it? Where is it stored? And what happens if something goes wrong?
These are no longer philosophical questions; they are questions of compliance, liability, and corporate reputation.
Seen in the larger sweep of legal history, the DPDP Act is not merely another statute. It marks the transition of India’s digital economy into a more mature and accountable phase. A system that respects the dignity of its citizens always earns greater trust - and trust, in the long run, is the true currency of business.