This is the second article in our ongoing series on the Digital Personal Data Protection Act (DPDPA). If laws tell us what must be done, standards show us how to do it. In this piece, we explore how standards like IS 17428 help bridge the gap between regulatory intent and operational reality—by enabling interoperability, accountability, and trust in India’s digital ecosystem. We also examine existing gaps, the need for sector-specific approaches, and why future-ready standards are critical for the successful implementation of the DPDPA.
While regulations establish a legal framework, standards are what provide a mechanism for ensuring practical compliance — regulations outline what must be achieved; standards suggest how to go about achieving it — thereby creating a bridge between the theoretical and the operational. Standards, while not legally binding, thus become indispensable tools for fostering trust, driving efficiency, and ensuring that regulations become realities.
Take, for instance, safety compliance for electronic devices. The law mandates that devices must meet safety requirements, but to prove compliance, manufacturers must adhere to standards set by BIS. Products that meet these standards are certified and allowed to carry the BIS registration mark, making them eligible for sale.
Before international standards bodies existed, industries and nations operated independently, leading to inefficiencies and incompatibilities. Without shared standards, every industry or country developed its own specifications for products and processes.
This would inevitably lead to many issues. Firstly, engineers and manufacturers often had to reinvent the wheel for each market or system, duplicating efforts unnecessarily. Secondly, it would also lead to increased costs and a loss of time as a product designed in one country often had to be redesigned or retrofitted to work elsewhere. Thirdly, this lack of shared reference points slowed collaboration, making it harder to build on each other’s work, thereby stifling innovation.
A classic example is the railway gauge problem in the 19th century. Different countries and even regions within the same country used different rail widths (gauges), making it impossible for trains to run across borders without unloading and reloading cargo. This lack of standardisation led to delays, increased costs, and inefficiencies in transportation. The eventual adoption of standard gauge railways helped solve this, allowing seamless rail travel and trade across regions.
The need for a set of standards is perhaps greatest in the Information Technology (IT) industry. Organisations cannot operate in isolation if they want to be able to converse and transact seamlessly with each other.
The internet connects different networks across the world, requiring communication between computers, routers, and servers built by different manufacturers and operated by different entities. Without international standards, the internet as we know it would not function. These standards allow for the following:
While Indian standards must align with global best practices, they also need to address local challenges, going above and beyond international benchmarks when necessary. This is where the Bureau of Indian Standards (BIS) comes in: as India’s national standards body, BIS is tasked with formulating Indian standards and conducting conformity assessments to ensure adherence.
Previously, India’s IT landscape relied largely on broad, voluntary frameworks such as ISO 27001 for information security management and the IT Act 2000 for legal recourse in case of cyber incidents.
While these offer important baselines for data security and operational integrity, they fall short of addressing the specific and evolving demands of personal data protection and the nuanced requirements of data privacy, such as purpose limitation, data minimisation, user consent, and breach notification. They also lack enforceable mechanisms for accountability and often do not consider the socio-technical context in which Indian organisations operate.
This was the situation until June 2021, when BIS introduced IS 17428, a two-part standard aimed at ensuring data privacy assurance in organisations, in anticipation of India’s upcoming data protection regime. Part 1 establishes the mandatory parameters for a robust Data Privacy Management System. This includes management-level strategies and engineering practices that organisations must adopt to comply with privacy laws.
Part 2 offers engineering and management guidelines to aid in the implementation of Part 1. Unlike Part 1, this section is not mandatory but serves as a reference framework, providing practical illustrations and best practices for organisations to integrate data privacy measures effectively.
The structured approach of IS 17428 reflects the dual purpose of standards: they guide organisations in implementing the law effectively while fostering a culture of accountability and transparency.
For companies, adhering to standards like IS 17428 simplifies the compliance process, reduces ambiguity, and ensures alignment with both national and international requirements. In the case of data privacy, such standards also reassure individuals and stakeholders that their data is handled responsibly, bridging the gap between regulatory mandates and operational realities.
While current management-level standards provide a foundational framework, significant gaps exist at the operational and technical levels. The lack of explicit standards for consent management, Privacy-Enhancing Technologies (PETs), and data retention processes is a critical shortcoming.
But given the rapid pace of technological advancements, standards cannot be too prescriptive. Overly detailed standards risk becoming obsolete as new technologies emerge. Instead, a balance is required: standards should be flexible and adaptive while providing robust guidance for current technologies.
More seminars and workshops conducted by BIS and MeitY are required to help organisations implement the Act.
Tailored standards for sectors such as healthcare, finance, and education are essential to address their unique privacy and compliance needs. Additionally, different tiers of standards for organisations of different sizes must be explored, because it is unfair to expect the same practices from small and large organisations given the disparity in the resources available to each.
While existing standards provide a starting point, significant work remains to fill technical and operational gaps. Current standards lean heavily on management-level guidelines. This is a call for industry players to design technical standards after studying and recognising the gaps, which BIS could then formalise.