Notification

  • Image

    Webinar | Angel Investing in India: Mistakes First-Time Investors Avoid

    Book your seat

Compliance with the Indian Digital Personal Data Protection Act, 2023

Get in touch with us

    Your information is confidential and secure


    AI Summary
    • The Digital Personal Data Protection Act, 2023 governs how digital personal data is collected, stored, processed, transferred and erased in India.
    • Personal Data under the Act covers only digital or digitised data that can identify an individual, and excludes non-digital data or data that cannot identify a person even in combination with other data.
    • The Act imposes obligations on data fiduciaries and data processors, and also places certain duties on data subjects.
    • B2B SaaS businesses must issue consent notices specifying the type of personal data collected, the specific purpose of use, and the process for withdrawing consent.
    • Consent notices must also state how individuals can raise grievances and how they can file a complaint with the Data Protection Board of India.
    • Individuals have the right to a summary of their personal data, to know the identities of parties it has been shared with, and to correct, update or delete their data unless retention is required by law.
    • Individuals can nominate another person to exercise their data rights in the event of their death or incapacity.
    • Businesses should carry out an internal data audit to map personal data collection, storage and processing, and erase or anonymise data wherever feasible to limit compliance risk.
    • Companies must appoint personnel to handle grievances and complaints, and implement technical measures to prevent and mitigate data breaches.

    Get in touch with us

      Your information is confidential and secure


      For: B2B SaaS businesses

      The Digital Personal Data Protection Act, 2023 (“Act”) is intended to safeguard and protect digital personal data, and (inter alia) govern the manner in which it can be collected, stored, processed, transferred, and erased. The Act imposes requirements on data fiduciaries/collectors and data processors, as well as certain duties on the data subject/individual with respect to personal data.

      “Personal Data” under the Act includes any digital or digitized data about an individual (including any data which can be used to identify an individual). This excludes any non-digital data, or any data which cannot be used to identify an individual in any manner (including in concert with any other data).

      This document is intended to provide a summary of the obligations of B2B-based SaaS business, which arise from the Act.

      An Overview

      The key obligations of businesses towards complying with the Act include:

      • Identify the extent of Personal Data collection, storage and processing which your business undertakes, and how much is necessary.
      • Prepare notices for procuring consents from individuals whose Personal Data you collect, store, and process (including those individuals whose Personal Data has already been collected and/or is being stored or processed), specifying:
        • Type/s of Personal Data you will use;
        • The specific purpose/s you will use it for;
        • The manner in which they can withdraw consent or raise grievances; and
        • The manner in which they can make a complaint to the Data Protection Board of India.
      • Maintain a record of consents procured and provide the following rights:
        • Right to request for (i) summary of their Personal Data being used; and (ii) identities of parties to whom their Personal Data has been transferred;
        • Right to correct, update and/or delete Personal Data (unless required to be retained for compliance with law);
        • Right to redressal for grievances and complaints;
        • Right to nominate another individual to exercise their rights (in the event of death or incapacity)

      Action Items

      While B2B SaaS platforms have limited Personal Data collection, Personal Data can still be collected and processed in case of user accounts for individuals/employees/representatives of enterprise customers. Businesses can take the following actions towards compliance with the Act:

      • Data audit: Carry out an internal data audit, including identifying Personal Data collection, storage and processing requirements;
      • Limit Personal Data usage: Erase or anonymize Personal Data to the extent feasible to reduce the compliance and associated risks, or limit the Personal Data points which are collected;
      • Update your product to enable privacy rights: Businesses should therefore make available on the SaaS tool / platform functionalities to:
        • Issue notices for procuring consent for Personal Data collection, storage and processing prior to any such collection, storage or processing. These notices can be worded in simple and clear terms so as to enable individuals to know their rights, and should include language which clearly states that consent is provided for collection, storage, and processing (including processing by third-parties); specify the purpose/s for the type or types of processing. For example – in case the processing will be done for purposes A, B and C, consent will have to procured specific for each of A, B and C; mention that consent can be withdrawn
        • Request modification, correction, updating, or erasure of Personal Data. Other than any Personal Data which is necessary for providing the services (for example, corporate email IDs), all Personal Data should be subject to modification or erasure pursuant to withdrawal of consent.
      • Appoint person/s who can handle complaints, grievances, or requests from individuals. This can be an individual assigned specifically for this task or a team responsible for ensuring speedy response.
      • Implement technical measures to protect against and mitigate data breaches and their consequences. The Act requires fiduciaries/collectors to “take reasonable security safeguards to prevent personal data breach”, which can include cloud monitoring, penetration testing, ISO certification, etc., depending on the sensitivity and extent of Personal Data.
      About the Author
      Garima Mitra
      Garima Mitra social-linkedin
      Co-founder | garima@treelife.in

      Spearheads Transactions, Contracts, and Compliance verticals. Combines expertise in business law and a passion for social impact to shape the legal and financial ecosystem for startups.

      Sanmita Poojari
      Sanmita Poojari social-linkedin
      Senior Associate | Compliance | sanmita.p@treelife.in

      A compliance expert with a strong foundation in corporate legal and secretarial practices. Excels in corporate governance, regulatory filings, and advisory services on legal and financial matters, ensuring seamless corporate law compliance for clients.

      We Are Problem Solvers. And Take Accountability.

      Related Posts

      Ind AS 115 Revenue Recognition for SaaS and Subscription Businesses
      Ind AS 115 Revenue Recognition for SaaS and Subscription Businesses

      Revenue recognition is where SaaS accounting gets genuinely hard. A customer pays ₹12 lakh upfront for an annual subscription in...

      Learn MoreLearn More
      BharatPe-Ashneer Grover SHA saga: what actually happened and the lessons for founders
      BharatPe-Ashneer Grover SHA saga: what actually happened and the lessons for founders

      BharatPe's shareholders agreement contained the same clauses that sit in almost every Indian venture-backed SHA: restricted shares, a for-cause clawback,...

      Learn MoreLearn More
      SaaS Metrics Investors Track: The Complete Guide & Latest Benchmarks
      SaaS Metrics Investors Track: The Complete Guide & Latest Benchmarks

      Every SaaS investor enters a diligence process with the same underlying question: is this business genuinely compounding, or does it...

      Learn MoreLearn More

      For Customer Support

      Mumbai | Delhi |
      Bangalore | GIFT City

      Speak to Us!

      We respond within 60 minutes.

        Your information is confidential and secure


        Let's talk.

        We've seen most founder problems before. Tell us yours.






          Typically responds within 4 hours
          Or reach out directly