Data protection and cybercrime are no longer distant global concerns—they have emerged as pressing challenges within India, particularly in digitally advanced states like Kerala. As internet penetration deepens and e-governance expands, these issues are now reshaping how businesses operate and how individuals safeguard their personal information.
The introduction of the Digital Personal Data Protection Act (DPDP Act) 2023 marks a pivotal moment for data privacy in India. This legislation is our answer to global benchmarks like the European Union’s GDPR. But what does it mean in practical terms, especially for businesses operating in Kerala?
Whether you're a startup founder in Kochi, a small business owner in Palakkad, or part of an IT firm in Technopark, the DPDP Act reshapes how you collect, store, and process customer data.
This is not just another regulatory formality. The DPDP Act has teeth—and the costs of non-compliance are steep. Penalties can reach up to ₹250 crore (approximately $30 million) for serious breaches. For MSMEs, this poses significant risks, especially in the absence of legal and compliance teams.
If your organisation handles personal data, you are designated a Data Fiduciary under the law. This comes with a strict set of responsibilities:
Lawful and transparent processing: Data must be collected only for clear and legitimate purposes, with full transparency.
Purpose limitation: You may not use data collected for one purpose (e.g., service delivery) for another (e.g., marketing) without explicit consent.
Data minimisation: Collect only what is necessary. If you’re offering a newsletter, do you really need someone’s full address or date of birth?
Storage limitation: Retaining data indefinitely is no longer acceptable. Redundant data must be safely deleted.
A core tenet of the DPDP Act is the principle of consent. Vague privacy policies and pre-ticked boxes will no longer suffice. Before collecting any data, businesses must obtain clear, informed, and specific consent.
This has wide implications—from local grocery stores running loyalty programmes to mobile apps collecting user preferences. Transparency is now a legal and ethical obligation.
If your business engages with individuals under 18, additional safeguards apply. Verifiable parental consent is mandatory, and targeted advertising to children is prohibited. This is especially relevant for Kerala’s rapidly growing edtech, e-commerce, and digital entertainment sectors.
The law provides individuals—termed Data Principals—with a robust set of rights:
The right to access their personal data
The right to correct inaccuracies
The right to erase data (“right to be forgotten”)
The right to raise grievances
For businesses, this necessitates internal systems capable of managing and responding to such requests efficiently.
Organisations handling large volumes of data or sensitive information—such as banks, hospitals, and major tech firms—may be classified as Significant Data Fiduciaries. With this designation come enhanced obligations:
Appointment of a Data Protection Officer (DPO) based in India
Conducting Data Protection Impact Assessments (DPIAs)
Regular, independent data audits
In Kerala, home to bustling healthcare institutions, financial services, and IT hubs, many organisations are likely to fall under this category. Proactive compliance is no longer optional.
Perhaps the most stringent provision of the DPDP Act is its zero-tolerance stance on data breaches. If your systems are compromised—whether it's a leak of customer emails or sensitive financial records—you must inform:
The Data Protection Board of India (DPBI)
All affected Data Principals
Unlike the GDPR, which only mandates notification in cases of likely harm, the DPDP Act requires all breaches to be reported—no exceptions. Whether you’re a tech startup in Kochi or an insurer in Thrissur, having a breach response plan is no longer a luxury; it’s a necessity.
Until the DPDP Act is fully implemented across sectors, businesses must also comply with the existing Information Technology Act, 2000, and the 2011 Rules on reasonable security practices and sensitive personal data. This dual compliance framework remains in place until the new law fully takes over.
Kerala’s vibrant MSME ecosystem—from coir producers to cloud service providers—faces a tough transition. Updating IT systems, redrafting privacy policies, and training staff all come at a cost. For many, compliance means pulling resources from core operations.
With the rise of data protection obligations, demand for specialised consultants—legal advisers, cybersecurity experts, and compliance officers—is soaring. Kerala’s legal and IT service sectors may benefit, but for individual businesses, this is an additional financial burden.
The DPDP Act requires reasonable safeguards to protect data. This includes encryption, role-based access, monitoring tools, and real-time incident response capabilities. While these measures incur upfront costs, they are cheaper than the fallout from a data breach.
Legal fines aside, the real cost of a breach is often the loss of trust. In Kerala’s close-knit communities, news spreads fast. A single mishap can trigger a public backlash and long-term reputational damage.
Sectors like tourism and healthcare, which routinely handle highly sensitive data (passports, itineraries, medical records), are at heightened risk. A breach could have cascading effects—disrupting tourist inflows, damaging international reputation, and undermining patient trust.
Compliance is not just about policy—it requires a fundamental operational reset:
Data mapping: Businesses must know exactly what data they collect, where it's stored, and how it's used.
Consent management: Systems must be in place to obtain, record, and update consent. This is non-negotiable.
Cross-border data transfers: Though more flexible than the GDPR, the DPDP Act still requires businesses to ensure lawful processing when sending data abroad.
Employee training: Even the best policies are useless if staff don’t understand them. From receptionists to developers, every employee is part of the data chain.
Forward-thinking businesses can turn compliance into a strategic advantage. In an era of heightened privacy awareness, a reputation for strong data protection builds trust and brand loyalty. For Kerala’s tech startups, this also opens up opportunities in privacy-enhancing technologies (PETs) and secure-by-design platforms.
In the digital world, trust is currency. Lose it, and even the strongest balance sheet can’t save your business.
As Kerala accelerates digital transformation—smart cities, IT parks, online tourism—it has also become a prime target for cybercrime. High internet penetration and rapid digitisation have created vulnerabilities across sectors.
Ransomware attacks are on the rise, paralysing MSMEs and forcing many to pay up or shut down.
Phishing scams and cloned websites target employees and customers alike, leading to payment fraud and account takeovers.
Banking frauds—UPI scams, card cloning, and online theft—have become more common, with co-operative banks and NBFCs particularly at risk.
Intellectual property theft threatens Kerala’s growing startup ecosystem. Leaked source code or stolen business strategies can be devastating.
Kerala’s digital integration—across governance, healthcare, and education—means a cyberattack on one entity can ripple through the entire ecosystem. With high vendor interdependence, a weak link anywhere is a threat everywhere.
Moreover, Kerala’s active local media and civil society ensure that cyber incidents receive widespread attention. Public trust in digital initiatives such as Digital India and Digital Kerala is at stake.
In sectors like tourism, where international trust is crucial, a single breach can deter thousands of visitors.
The Information Technology Act, 2000 treats hacking, identity theft, and online fraud as criminal offences. CERT-In requires significant incidents to be reported within six hours—a deadline many businesses are not prepared for. Financial institutions must comply with RBI’s cybersecurity guidelines, or face penalties and even suspension.
Organisations are realising that cyber threats are not just IT problems—they are business-critical risks. Investments in firewalls, detection tools, and third-party audits are increasing, but skilled manpower remains scarce.
The human element remains the weakest link. Regular employee training, phishing simulations, and awareness drives are essential. Beyond prevention, businesses need robust incident response and recovery plans.
Technopark and Infopark process vast data volumes and can lead India in cybersecurity innovation.
Tourism and healthcare handle sensitive global data, requiring the highest data integrity standards.
MSMEs, despite being the backbone of the economy, are often the least prepared.
Digital governance necessitates secure public infrastructure across all levels.
Despite Kerala’s high digital literacy, cybersecurity awareness among small businesses and citizens remains patchy.
For Kerala’s businesses, data protection and cybersecurity are no longer back-office concerns. They are core to operational continuity, customer trust, and long-term success. Ticking boxes isn’t enough. The future belongs to those who embed privacy, resilience, and responsibility into their digital DNA.
(Pattathil Dhanya Menon is a cybercrime investigator and director of Avanzo Cyber Security Solutions Pvt Ltd.)