Published on June 19, 2025
With data emerging as a strategic asset, the Tata group has taken a proactive stance on data privacy through the Tata Data Privacy Forum. Between March and June 2025, Tata Business Excellence Group (TBExG) launched a series of four virtual knowledge-sharing sessions to help Group companies prepare for compliance with the Digital Personal Data Protection Act (DPDPA), 2023, and the Draft DPDP Rules, 2025, issued by the Ministry of Electronics and Information Technology (MeitY). Supported by subject matter experts from across the Group, the sessions focused on critical aspects of privacy compliance, from foundational principles to contractual obligations.
Session 1: How to Start the DPDPA Journey
March 20, 2025
Abha Tiwari, Data Privacy Officer, Air India, opened the series by outlining the DPDPA's scope and foundational principles. She emphasised that the law applies to the personal data of Indian residents and highlighted essential first steps for organisations: identifying data touchpoints, building a personal data inventory, and establishing lawful processing bases—either through consent or legitimate use. She also stressed the importance of transparency, purpose limitation, data minimisation, and storage limitation. Robust privacy notices, breach notification protocols, and accountability mechanisms, particularly when working with third-party processors, were identified as key areas of focus.
Rajesh Ranjan, Data Protection Officer, Titan, followed with a practical implementation roadmap based on a three-tiered framework: customer-facing controls (such as notices and consent), internal governance (roles, policies, and committees), and foundational data mapping. He also introduced tools and templates for vendor assessments, consent management, and breach response, advocating a privacy-by-design approach that integrates privacy into business processes.
Aparna Pathak, Global Privacy Specialist, TCS, introduced the TCS Data Privacy Maturity Assessment tool. Covering five maturity levels—from ad hoc to pioneering—and four key result areas: strategy, execution, governance, and sustenance, the tool enables organisations to benchmark their privacy posture, identify gaps, and build a roadmap for continuous improvements. She noted the tool's confidentiality, ease of use, and alignment with global privacy standards.
Session 2: Data Discovery and Centralised Governance
April 17, 2025
Seshadri Manivannan, SVP, Tata Play, highlighted the foundational role of data discovery in building a privacy-compliant organisation. Using Tata Play's digital transformation journey, he illustrated how personal data is often scattered across internal systems and third-party platforms. Cautioning against relying on outdated manual inventories, he advocated automated, collaborative tools to map data lineage, relationships, and sensitivity—key to effective consent management, breach response, and compliance.
Sanjay Pai, VP-IT, Tata AIG, proposed a centralised "sensitive data vault" using tokenisation and polymorphic encryption to minimise data exposure and enforce real-time consent. He positioned this as a privacy-by-design strategy that also enhances information security. This approach integrates privacy and security into a unified, scalable solution that supports operational efficiency and long-term sustainability.
Sujatha Sree GS, Data Privacy Specialist, Tata Consultancy Services, moderated the session, reinforcing the importance of data discovery as the bedrock of privacy compliance. She highlighted the challenges organisations face due to fragmented tools and scattered databases, advocating a one-stop platform to manage privacy obligations efficiently.
Session 3: Controller to Processor Contractual Requirements
May 15, 2025
In this session, Abha Tiwari provided a legal deep dive into the controller-processor relationship under the DPDPA. She distinguished between data fiduciaries and processors, and emphasised that contracts must go beyond generic clauses to include specific obligations such as defined processing purposes, breach notification timelines, audit rights and mechanisms for managing data subject rights. She also addressed the risks of anonymisation, the importance of informed consent, and the need for due diligence when selecting processors, especially in cloud and cross-border contexts.
Sandeep Kumar Yadav, Senior Manager–Legal, Rallis, provided practical insights into drafting and managing statutory data processing contracts under DPDPA. He covered clauses on data retention, breach reporting, indemnity, and audit rights, warning against using overly generic language. Sandeep also recommended aligning contracts with statutory obligations and advocated insurance and processor assessments to mitigate risks proactively.
Session 4: Controller to Controller Contractual Requirements
June 5, 2025
Spencer McDuff, Senior Privacy Counsel, TCS Europe, explained the nuances of controller-to-controller relationships under GDPR. While not legally mandated, he recommended such contracts as best practice to clarify roles, ensure compliance, and reduce risks. He outlined key clauses: purpose of data sharing, roles and responsibilities, legal basis, breach notification, data subject rights, retention, and international transfers. Each controller is independently responsible for compliance, consent management, and breach handling, he emphasised.
Harsh Deep Sharma, Assistant Manager – Legal at Tata BlueScope Steel, moderated this session, covering how such relationships are defined, with practical, real-world scenarios and essential contractual clauses. He explored challenges around data subject rights, breach notifications, liability, and practical issues such as aligning consent and data retention during the contract and even after its termination. Harsh emphasised the importance of cooperative mechanisms, clarity in consent obligations, and managing liability across jurisdictions.
From foundational compliance and data discovery to contractual obligations and governance, the Tata Data Privacy Forum has set the stage for continuous learning, collaboration, and responsible data stewardship for Group companies.