1. Based on your experience, what aspects of the DPDP Act have had the most significant impact on compliance within your industry? Are there any specific provisions or challenges that stand out?
The DPDP Act was enacted very recently and the Rules are yet to be notified, so the compliance issues are only just beginning to emerge. The real trends will be visible once the yet-to-be-notified Data Protection Board starts taking regulatory actions and these are challenged in appellate forums.
I suppose the scope and validity of existing consents will have to be revisited by businesses. A consent refresh in every case will be a huge logistical challenge and a potentially nightmarish business disrupter.
In my opinion, the purpose for which data may be collected (sales, after-sales service, cross-product marketing etc.) and for whom it may be collected (group companies for instance) will be subject to limitations and close scrutiny based on the principles in the new law. Future data-dependent business models will evolve based on how the case law (including penalties levied) under the DPDP Act shapes up.
Also, the penalties in the range of 50-250 crores may well have an effect beyond deterrent – freezing business initiatives of the larger companies whose balance sheets can absorb these hefty fines and who will also be likely targets of early enforcement actions for that reason.
2. With the rules still awaiting notification, what are your predictions for their content? What aspects would you most hope to see addressed, and conversely, what potential implementation issues raise concerns for you?
It is crucial that Notice and Consent requirements are clarified further. Duration of data storage requirements should also be clarified in the Rules.
Qualifications expected of a Data Protection Officer should be listed out. It’s unclear if this can be a full-time role or a part-time role added to an employee’s existing job description.
Granular guidelines for notification as a Significant Data Fiduciary must also be laid down in the Rules. Further, a no-enforcement period of 9 months should be provided, as a practical matter, whilst the industry ramps up internal personal data flow identification, augments its IT architecture, revamps business models and strengthens its contractual frameworks to comply with the Act and Rules.
3. Aside from the DPDP Act, are there any other emerging compliance areas you anticipate becoming critical for General Counsels to navigate in 2024?
A wide gamut of laws has been enacted in the last decade, and the new notifications and case law under these continue to impact various sectors of the industry. This includes sector-specific laws like RERA (2016) and sector-agnostic enactments like the Companies Act (2013), the IBC (2016), the GST Act (2017) and the Consumer Protection Act (2019). Additionally, significant developments have happened in the Competition law regime, and case law on arbitration has materially reshaped the ADR landscape. I believe these are the key areas to watch in 2024 as well.