The DPDP Act spurs retailers to reassess and recalibrate their technology investment strategies
New Delhi: To protect citizen privacy and bolster digital trust, the Indian government introduced the Digital Personal Data Protection Act (DPDP Act) 2023. The accompanying draft rules are set to transform how personal data is managed and secured in India’s booming digital economy.
As the retail sector—a major driver of the nation’s consumer market—prepares to navigate this new regulatory landscape, industry leaders are re-evaluating their technology investment strategies and operational frameworks.
A new regulatory paradigm
At the heart of the DPDP Act is the aim to safeguard citizens’ digital identities while promoting innovation. The draft rules empower individuals with rights such as informed consent, data erasure, and the appointment of digital nominees. By mandating that Data Fiduciaries provide clear information about personal data processing, the legislation intends to build a transparent and accountable data ecosystem. This marks a significant shift for the retail sector, which relies heavily on customer data for personalized services.
“As the sector undergoes these changes, the regulatory landscape is expected to evolve with it. The DPDP Act, set to introduce robust data security measures, will help in safeguarding user data while also enhancing overall experience in the online space,” said Amarinder Dhaliwal, chief product officer at IndiaMART InterMESH Limited.
Investing in privacy-first technologies
The DPDP Act spurs retailers to reassess and recalibrate their technology investment strategies. A central focus is on upgrading data management and security systems to meet the new compliance standards, according to technology heads of several prominent retail and D2C brands that IndiaRetailing spoke to.
Retailers are now channelling investments towards advanced data storage solutions, encryption technologies, and robust governance frameworks designed to protect personal information from unauthorized access and breaches, these tech leaders unanimously agreed.
“Compliance with the Digital Personal Data Protection Act is a top priority. We’re investing in privacy-first technologies, robust data governance frameworks, and tools to ensure transparency and consent management. These regulations also drive us to adopt more secure and efficient data storage solutions. This focus not only ensures compliance but also builds customer trust, which is invaluable in the competitive retail landscape,” said Maruthy Ramgandhi, chief technology officer (CTO) of Snitch, a Bengaluru-based D2C omnichannel fashion brand.
“The implementation of the Digital Personal Data Protection Act is a crucial consideration in our technology investment strategy this year. We are committed to prioritizing data security and customer privacy in every technology deployment. Our approach not only safeguards customer trust but also fosters responsible data utilization in all digital initiatives,” said Nitin Chhabra, chief executive officer (CEO) of ace turtle, another Bengaluru-based, tech-driven omnichannel retail brand that handles global brands like Dockers, Wrangler, Lee, etc. in India.
Balancing personalization with privacy
Retailers have long depended on customer data to drive personalized marketing campaigns and tailored shopping experiences. However, the DPDP Act challenges businesses to strike a balance between leveraging data for personalization and ensuring robust privacy protections. This dual mandate has pushed retailers to innovate within tight regulatory constraints.
Lokesh Chhaparwal, Senior Vice President of Technology & Engineering at Honasa Consumer Pvt Ltd, a Gurugram-based beauty and wellness company, pointed out the evolving dynamics: “Regulatory developments, such as the Digital Personal Data Protection Act, are prompting us to prioritize technologies that uphold strong data privacy while fostering innovation.”
This commitment to privacy is critical, especially as consumers grow more aware of data breaches and misuse. In today’s climate, demonstrating a proactive approach to data protection is not just about regulatory compliance but also about maintaining consumer confidence.
Compliance challenges
While the DPDP Act offers an opportunity to enhance data protection standards, it also presents significant operational challenges for retailers, particularly small and medium-sized enterprises. Compliance costs, data localization mandates, and the need for sophisticated consent management systems are among the key hurdles that businesses must overcome.
“We plan to identify vulnerabilities with our tech stack at any given time and take action to mitigate this risk. The forthcoming digital personal data protection regulation has made it a critical focus for us to ensure data security at every level. Customers are becoming more aware of data security issues, and we need to assure them that their data is safe at all points in time,” said Satish Karunakaran, Director of IT Transformation at denim brand Pepe Jeans India.
He further emphasized that while significant progress has been made, continuous improvement and transparent communication with customers about data security measures remain essential.
Integrating advanced technologies and data governance
The drive towards advanced data protection is not limited to traditional data security measures. Retailers are also exploring the integration of artificial intelligence (AI) and advanced analytics to streamline data processing while adhering to the DPDP Act’s strict guidelines. Dr Sandiip Kothaari, Chief Technology Officer at Speciality Restaurants Ltd., explained:
“The DPDP Act is prompting retailers to reassess and adapt their technology investment strategies in several key areas. From advanced data storage solutions to encryption and consent management platforms, our focus is on building systems that are both secure and compliant with the new regulations.”
These investments extend to omnichannel integration as well, where seamless customer experiences across various platforms must be maintained without compromising data security. For retailers, the challenge is twofold: to continue providing personalized services while embedding privacy at the core of all digital interactions.
The role of third-party vendors and SaaS solutions
A notable challenge highlighted by industry experts is the reliance on third-party service providers, particularly in managing software as a service (SaaS)-based applications. Zahid Ansari, VP-Information & Retail Technology at Forever New, discussed the complexities of managing vendor compliance:
“With the new regulations in place, we are taking a more focused approach to compliance, security, and data protection. Our biggest challenge is managing SaaS-based applications, where third-party providers store and process our data. Making sure these partners follow strong security and compliance standards is something we need to keep a close watch on.”
This reliance on external vendors necessitates rigorous audits, regular legal reviews, and continuous employee training to ensure that all partners adhere to the high standards set by the DPDP Act.
The establishment of a digital Data Protection Board, complete with an online complaint resolution platform, underscores the government’s commitment to swift and transparent governance. This digital-first approach is expected to reduce the compliance burden for smaller enterprises while ensuring that robust data protection measures are uniformly applied across the sector.
As the retail sector embarks on this journey toward enhanced data security, the overarching sentiment among tech experts is one of cautious optimism. While the challenges are significant—ranging from financial implications to technological upgrades—the long-term benefits of building a trust-based, transparent digital ecosystem are undeniable.