The Digital Personal Data Protection Act, 2023 ("DPDP Act") was passed by the Indian Parliament and received Presidential assent in August 2023. It has been notified in the Gazette but has not yet come into force, as the Central Government has not issued the commencement notification under Section 1(2) of the Act. In the interim, the Ministry of Electronics and Information Technology (MeitY) has released the draft Digital Personal Data Protection Rules, 2025 for public consultation. These developments mark the transition of India’s privacy regime from abstract principles to an impending statutory framework.
While the absence of an official enforcement date limits the legal applicability of the Act, it does not diminish the urgency of preparation. Businesses—particularly large corporate groups with multiple subsidiaries and verticals—now find themselves in a critical preparatory phase. The current period offers a strategic window for designing and implementing internal privacy governance systems aligned with the anticipated regulatory requirements.
For conglomerates comprising multiple subsidiaries and functional verticals, this is a valuable opportunity to build a robust privacy framework that is compliant by design. Proactive alignment of systems, policies, contracts, and controls with the framework of the DPDP Act will enable a smoother transition once the law becomes operational. The challenge, however, lies in designing a privacy program that balances centralized strategic oversight with decentralized operational autonomy.
Understanding the Challenge: Fragmented Operations, Unified Compliance Expectations
Corporate groups often operate through a mix of subsidiaries, verticals, and functional units—each with its own systems, vendors, and customer bases. These entities may share infrastructure, data repositories, technology platforms, or even personnel. However, under the DPDP Act, every such entity will qualify as a separate Data Fiduciary if it independently determines the purpose and means of processing personal data.
The Act prescribes key fiduciary obligations—such as notice, consent management, purpose limitation, security safeguards, grievance redressal, and breach reporting—which must be met by each processing entity. With the introduction of sectoral audits, risk assessments, and obligations to maintain Records of Processing Activities (RoPA), compliance will no longer be a peripheral IT or legal function. It is evolving into a full-fledged operational mandate.
A Federated Governance Model: Balancing Central Oversight and Local Execution
Given the scale and diversity of operations in a conglomerate, a federated model of privacy governance offers the most legally sound and operationally feasible approach. This model allows for central leadership in policy-making and standard-setting, while enabling entity-specific execution through appointed privacy leads or champions.
At the apex level, a Central Privacy Office (CPO) or Data Protection Governance Committee may be constituted by the holding company. This central body is responsible for crafting the privacy vision, interpreting legal requirements, drafting common policies, and standardizing templates such as consent forms, data breach protocols, data processing agreements (DPAs), and SoAs (Statements of Applicability).
Each subsidiary or vertical, however, should appoint its own Privacy Lead or Data Steward who localizes and operationalizes the group policies within their respective business context. This includes maintaining RoPA, conducting Data Protection Impact Assessments (DPIAs), implementing consent and withdrawal mechanisms, and responding to data principal rights requests.
Statements of Applicability: Tailoring Compliance to Business Realities
The DPDP Act and Rules are expected to empower the Data Protection Board and the government to prescribe sector-specific obligations. Hence, the risk profile and compliance obligations for an energy subsidiary may differ from those of a fintech vertical. This is where a Statement of Applicability (SoA) becomes instrumental.
An SoA is a structured document that maps the applicable privacy controls to a particular entity based on its business functions, data categories processed, lawful bases invoked, and risk exposure. While the group-wide control framework may define the universe of privacy controls, each SoA should be tailored to reflect the specific responsibilities and exemptions relevant to that subsidiary. This approach ensures proportionality and avoids compliance fatigue.
The Necessity of Intra-Group Data Processing Agreements
Many conglomerates operate under the assumption that intra-group data sharing is immune to legal formalities. This is a misconception. Under the DPDP Act, each legal entity will be independently liable for its processing activities. Therefore, whenever personal data is transferred from one group entity to another, the relationship must be documented through an Intra-Group Data Processing Agreement.
Such agreements should clearly define the roles and responsibilities of the parties—identifying whether the receiving entity acts as a Data Processor or a separate Data Fiduciary. The agreement must also address critical elements such as:
Purpose limitation and data minimization
Security safeguards and access controls
Sub-processing restrictions
Incident notification and coordination
Retention and deletion obligations
A well-drafted intra-group DPA not only provides legal cover but also ensures accountability and traceability within internal data flows.
Technology and Toolkits: Standardization with Flexibility
To avoid duplication and inconsistency, it is advisable to develop shared toolkits at the group level. This includes:
Unified data inventory and classification guidelines
Common risk assessment formats and DPIA templates
Centralized incident reporting mechanisms
Shared training materials and awareness modules
However, the implementation of these tools must be flexible enough to allow for localization. For instance, while a common data classification schema may be adopted, the systems and applications used to store data may vary between entities, requiring entity-specific mapping.
Accountability Frameworks: Who Answers to Whom?
Accountability must be institutionalized both horizontally and vertically. Each subsidiary's Data Steward should report to the Group Privacy Office but also remain embedded within the entity’s leadership structure. Regular compliance reporting, internal audits, and cross-entity reviews must be built into the framework.
Further, the central office must establish escalation matrices for incident reporting and grievance redressal. The Act is expected to provide tight timelines for acknowledgment and resolution of grievances—failure to meet these may result in penalties. A dashboard-driven monitoring system that tracks key performance indicators (e.g., RoPA updates, breach response time, training completion rates) can greatly enhance oversight.
Responding to Data Principal Rights and Grievances
Each group entity must be prepared to respond to data principal requests—whether it concerns access, correction, erasure, or withdrawal of consent. The obligation to respond will rest with the entity that collected or is processing the data.
A shared platform or helpdesk system can be implemented to route requests to the appropriate entity while maintaining a consolidated audit trail. Similarly, the appointment of a Group-Level Grievance Officer or DPO (Data Protection Officer) should not preclude the need for designated grievance contacts within each subsidiary, particularly where processing is voluminous or sensitive.
Implementation Roadmap: From Policy to Practice
A phased rollout across the group is often more effective than a blanket implementation. A suggested approach:
Phase I – Foundation Setting:
Establish Group Privacy Office
Draft master policy, control framework, and templates
Identify Privacy Leads across entities
Phase II – Entity-Level Rollouts:
Conduct data mapping and RoPA creation per entity
Finalize SoAs
Customize and deploy tools (consent forms, DPIAs, notices)
Phase III – Testing and Monitoring:
Run mock breach scenarios and rights requests
Initiate internal audits
Address gaps and refine controls
Phase IV – Continuous Improvement:
Integrate privacy into procurement, HR, IT governance
Track regulatory developments and revise documentation
Build a culture of privacy through periodic training
Conclusion: Privacy as a Strategic Differentiator
The DPDP Act represents a paradigm shift—not only in regulatory expectations but in public trust. For India’s business groups, the transition to compliance is not merely a legal obligation but a strategic necessity. In a landscape of increasing cyber threats, competitive scrutiny, and reputational risk, the ability to demonstrate robust and auditable privacy practices will define corporate resilience.
The path forward lies in harmonizing control with autonomy—centralized in spirit, decentralized in action. A federated privacy program, grounded in law and aligned with business reality, is not just a solution to regulatory compliance; it is a blueprint for future-ready governance.
- Gaurav Goswami, Lawyer and Data Privacy Consultant | Founder, PrivEdge Legal.