Panda Law

Practice Area

Data Privacy & Governance

Data is the operating currency of the modern economy. We advise businesses across sectors on the collection, processing, storage, transfer, and protection of data, covering personal data, non-personal data, proprietary datasets, and copyrighted databases. Our work spans regulatory compliance, internal governance, risk assessment, and cross-border data operations under Indian and international data protection frameworks.

What we do

  • Data Privacy Compliance: DPDP, GDPR, Cross-Border

    We advise on compliance with data protection laws across India and globally, including India’s Digital Personal Data Protection Act, 2023, the EU GDPR, UK GDPR, and frameworks in the US, Canada, and Singapore. Our work covers gap analyses, consent mechanism design, data processing agreements, data breach response planning, and regulatory engagement. We advise across sectors including technology, e-commerce, healthcare, education, hospitality, gaming, and financial services.

  • Privacy Risk Assessments

    We conduct and advise on the full suite of privacy risk assessments that businesses require under Indian and global data protection frameworks. This includes Privacy Impact Assessments (PIAs) to identify and minimise data protection risks in new projects and products, Records of Processing Activities (RoPAs) to document all processing activities across the organisation, Privacy Threshold Assessments (PTAs) to determine whether personal data is being processed and whether a full PIA is required, and Transfer Risk Assessments (TRAs) to evaluate the legal and practical risks of transferring data across jurisdictions.

  • Data Policies & Governance Frameworks

    We draft and implement the internal and external policies that form the backbone of a data governance programme. This includes privacy policies, cookie policies, data retention policies, data storage policies, data incident reporting policies, data processing addendums, confidentiality policies, and data subject rights request procedures. We work with clients to build governance frameworks that are operationally practical, not just legally compliant on paper.

  • Cybersecurity, IT & Information Security Policies

    Data protection requires a strong information security foundation. We draft and advise on the full suite of IT security policies, including IT information security policies, access control policies, asset management and classification policies, cryptography policies, operations security policies, physical security policies, IT risk management policies, human resource security policies, IT incident response policies, and business continuity and disaster recovery plans. Beyond policy documentation, we advise on cybersecurity compliance, including CERT-In’s mandatory six-hour incident reporting obligation, sector-specific cybersecurity frameworks (such as the RBI’s cybersecurity framework for financial institutions), and cybersecurity audit requirements. We also advise on cyber insurance, helping businesses evaluate and procure coverage for data breach response costs, business interruption, regulatory fines, and third-party liability arising from cyber incidents.

  • Cross-Border Data Transfers

    Businesses with global operations need to move data across borders. We advise on the legal mechanisms for cross-border data transfers under the DPDP Act, the EU GDPR (including Standard Contractual Clauses and adequacy decisions), and other applicable frameworks. We conduct Transfer Risk Assessments, structure international data transfer agreements, and advise on data localisation requirements. Our advice accounts for the practical realities of how data actually flows through a client’s technology stack, not just what the law requires in theory.

  • Non-Personal Data & Proprietary Datasets

    Not all valuable data is personal data. We advise on the legal framework for protecting and commercialising non-personal data, proprietary datasets, and copyrighted databases. This includes advising on contractual protections for data assets, database rights, the intersection of data protection and IP law, and the structuring of data licensing and data sharing arrangements. For AI companies, we advise on the legal status and licensing of training data across categories.

  • Sectoral Data Compliance

    Different sectors face different data obligations. We advise on sector-specific data compliance requirements in healthcare (clinical trial data, patient records, telemedicine), education (student data, ed-tech platforms), hospitality (guest data, loyalty programmes), gaming (player data, age verification), and financial services (RBI data localisation, payment data). Our approach integrates sector-specific requirements with the overarching data protection framework to give clients a unified compliance position.

  • Data Policy & Regulation

    We contribute to the development of data protection policy through regulatory consultations, industry submissions, and engagement with policymakers. We are actively involved in INTA’s Data Committee work on cross-border data governance and have proposed a scored indicator-based framework for assessing national data governance regimes. Our policy work draws on the practical issues we encounter in advising clients on data compliance across jurisdictions.

Topics in this area