Data Protection & Privacy

India's data protection landscape has undergone a seismic shift with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) and the notification of the DPDP Rules, 2025. Every business that collects, stores, or processes personal data of Indian citizens digitally is now subject to a comprehensive legal framework that carries penalties of up to ₹250 crore for non-compliance.

RPLC – Rane Pingle Law Chambers guides businesses, startups, and institutions through every aspect of data protection compliance — from understanding whether the law applies to your organisation, to building a fully compliant data governance framework, to responding to data breaches and regulatory investigations. Our practice is led by one of India's most experienced data protection lawyers, ensuring that our advice is both legally rigorous and practically implementable.

Our Data Protection and Privacy practice covers DPDPA compliance advisory for businesses across sectors including technology, healthcare, e-commerce, financial services, HR and recruitment, and educational institutions. We assist clients in conducting data audits to map what personal data is collected, how it is stored, who has access to it, and how long it is retained.

We draft and review privacy policies, consent notices, data processing agreements, data sharing agreements, and vendor contracts to ensure full legal compliance. We advise on the rights of data principals — including the right to access, correction, erasure, and grievance redressal — and help businesses build systems to honour these rights within statutory timelines.

For organisations classified or likely to be classified as Significant Data Fiduciaries, we advise on the appointment of a Data Protection Officer (DPO), conduct of Data Protection Impact Assessments (DPIAs), and implementation of enhanced compliance obligations. We also advise on cross-border data transfer compliance under the DPDPA's negative list framework.

Our team has advised over 300 corporate and MNC clients on data protection and privacy compliance — across financial services, technology, healthcare, and consumer goods sectors. We have assisted businesses in transitioning from SPDI Rules compliance to the new DPDPA framework, including redesigning consent mechanisms, updating privacy policies, and restructuring vendor agreements.

We have represented clients in data breach incident response — coordinating with CERT-In, notifying the Data Protection Board, and managing the legal and reputational fallout of significant data incidents. We have also advised international companies on whether and how the DPDPA applies to their India-facing operations.

We take a practical, business-first approach to data protection compliance. Our goal is not to overwhelm your organisation with legal complexity — it is to build a compliance framework that works for your specific business model, sector, and scale.

We begin every engagement with a data audit — understanding exactly what personal data your organisation collects and processes, and where your current practices fall short of legal requirements. From there, we build a prioritised, phased compliance roadmap that allows your team to implement changes systematically without disrupting business operations.

When a data breach occurs, we treat it as a legal emergency — mobilising immediately to meet the 72-hour notification requirement, preserve evidence, and manage regulatory exposure.

We advise and litigate under the Digital Personal Data Protection Act, 2023; the Digital Personal Data Protection Rules, 2025; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; CERT-In Directions, 2022; the RBI's Cybersecurity Framework for Banks; and SEBI's Cybersecurity and Cyber Resilience Framework.

Our primary regulatory forums include the Data Protection Board of India, CERT-In, the Reserve Bank of India, the Securities and Exchange Board of India, and the Bombay High Court for constitutional and writ matters arising from data protection disputes.

The DPDPA is India's first comprehensive data protection law — and it is fundamentally different from the GDPR in several important ways. Unlike the GDPR, the DPDPA does not recognise "legitimate interest" as a valid legal basis for data processing — consent is the primary and dominant basis. This means businesses that have designed their data collection practices around GDPR's legitimate interest ground will need to redesign their consent frameworks entirely for Indian law compliance.

The 18-month implementation window provided under the DPDP Rules means that full enforcement begins in May 2027 — but businesses that wait until then to begin compliance will find themselves severely underprepared. The time to act is now.