
Swiggy - Data Protection Implementation Timelines - Fiduciaries Questionnaire

The document is a questionnaire from Swiggy regarding their data protection practices and timelines for compliance with India's proposed Digital Personal Data Protection Act. Some key points:
- Swiggy processes personal data from over 50-80 million users in India and may collect sensitive data like financial information.
- Complying with consent requirements, children's data rules, and appointing a data protection officer would require 6-24 months for implementation and involve technical changes.
- A full compliance implementation is estimated to take over 24 months due to the scale of changes needed across different products and stakeholders.
- Consultation on the rules is recommended to account for differences between sectors and business models.

Uploaded by Aditya Roy

Swiggy – Data Protection Implementation Timelines - Questionnaire

A. General
1. Do you process digital personal data within the territory of India? (Y/N)

2. Do you process digital personal data from outside India of data principals based in the country?
(Y/N)

3. Approximately how many registered users/customers do you have in India?


a. Less than a million
b. 1-5 million
c. 5-25 million
d. 25-50 million
e. 50-80 million
f. More than 80 million

4. Do you currently process any personal data that could reveal the following (select as many as
applicable):
a. racial or ethnic origin,
b. political opinions,
c. religious or philosophical beliefs,
d. caste status
e. trade union membership,
f. genetic data,
g. biometric data (as defined under the Aadhaar Act, 2016)
h. health condition
i. a natural person’s sex life or sexual orientation
j. financial data
k. May inadvertently collect/process it but it is not linked to identity
l. No

5. Do you have to comply with sectoral regulation pertaining to data protection? (Y/N)
Follow up

6. If yes, in which sectors?

7. For what kind of data?

10. Do you have experience with implementation of data protection laws in other jurisdictions?
(Y/N)

11. Are you clear on your obligations under the Digital Personal Data Act and how to fulfill them?
Y/N - only what is spelt out

12. If No, to the previous question, what could be the reason?


13. Have you commenced deliberation on implementing the law within your organisation? (Y/N)
Yes to the extent that information and clarity is available in the current draft

14. If no, why not?

B. Specific

Consent Notices
1. Do you currently display consent notices on your websites and applications?
Y/N
2. If your answer to the previous question is yes, how many languages do you currently display and seek
consent in? 6 - for delivery partners there are more languages than customers -
3. The DPDPA requires data fiduciaries to seek user consent in 22 languages.
1. How do you plan on complying with this requirement?
Unsure

2. Will complying with the consent notice obligation involve technical/architectural/interface changes to your product or service?
Y/N
3. And how long will these changes take to implement?
a. 2-6 months
b. 6-12 months
c. 12-18 months
d. 18-24 months
e. More than 24 months

4. What are the processes involved in making such changes?


Have to speak to the tech team
Might not have the capability - will have to hire people - clarity of scope is required

Children’s Data

1. Do you process children’s data? (Y/N)

2. The DPDP Act requires data fiduciaries to obtain verifiable consent of the parent and/or guardian of
a child/disabled person.

a. How will the children’s requirement impact your product/service in terms of UX/UI,
architecture, or other technical aspects? There will be impact - only do age gating for specific
parts of services - within Swiggy Instamart there is a tobacco section - so it will impact and is
complicated - no gating on other parts of the service - will have to do gating across the
board - most likely - what do we do about consumers that are already using it - do we
enforce checks etc - for alcohol not a huge business just in two states - have to keep
reminding people to update KYC - if it were to expand would become trickier
b. How will the persons with disabilities requirement impact your product/service in terms of
UX/UI, architecture, or other technical aspects? Have not looked at this yet

3. How long will implementation of these aspects take?


1. 2-6 months
2. 6-12 months
3. 12-18 months
4. 18-24 months
5. More than 24 months

4. How does the process work?


Will have to check with tech team

5. Are there any additional factors within the law that impact the timeline?
Rules and lack of clarity - have not made a piece by piece assessment - need clarity before anything
actionable

6. What stakeholders in your organization need to weigh in on implementing this provision?


All teams - tech, legal, business, ops - what is the split of delivery partners who look at different
languages

7. The DPDP Act also prohibits data fiduciaries from tracking or behaviorally monitoring children or
targeting advertising at them. Does your platform currently carry out such activities? (Y/N) only in
specific pockets - if you are just on a restaurant page you will see targeted ads - very tricky

8. If No, how long will it take for you to be compliant with this provision?

Appointment of Data Protection Officer

1. Does your organization have a designated individual to deal with data protection-related grievances?
Not sure
1. If your answer to the previous question is yes, please outline the role and responsibilities that
such designated individuals fulfill.

2. Significant data fiduciaries are required to appoint a data protection officer (based in India) to
represent the data fiduciary under DPDPA.
1. What are the timelines involved in appointing a data protection officer based in India?
1. 2-6 months
2. 6-12 months
3. 12-18 months
4. 18-24 months
5. More than 24 months
2. Have you undertaken a similar exercise for the designation of a nodal officer for compliance
with a technology law before? (Y/N)

3. How long did this take? Can’t say


1. 2-6 months
2. 6-12 months
3. 12-18 months
4. 18-24 months
5. More than 24 months
4. What were the reasons for this timeline?

5. On a scale of 1-5 (1=Not Difficult at All and 5=Extremely Difficult) how would you
describe the search for a suitable candidate to fill the position of Data Protection Officer?

What are the reasons for your response?

Data Audit

1. Do you have experience with carrying out a data audit? Y


2. If yes, how long did it take?
a. 2-6 months
b. 6-12 months
c. 12-18 months
d. 18-24 months
e. More than 24 months
3. Under the DPDPA, SDFs are required to appoint an independent data auditor to carry out a data
audit to evaluate the latter’s compliance with the Act. How long do you think it will take for your
organisation to identify an entity for this purpose?
a. 2-6 months
b. 6-12 months
c. 12-18 months
d. 18-24 months
e. More than 24 months
4. How long do you think the data audit process will take once rules are brought in and parameters set?
Say the scope is everything
1. 2-6 months
2. 6-12 months
3. 12-18 months
4. 18-24 months
5. More than 24 months

6. Can the compliance requirements for the DPDPA discussed today be undertaken in parallel or do they
have to be done sequentially?
Depends on what all immediately becomes necessary - assuming there are different timelines for
different features - not sure if we will have the luxury

7. If sequentially, then why?


Allocation of resources - then assessment if people are there - then HR has to get involved to hire these -
assessment itself takes few weeks - all new stuff - non compliant if you fall short - you will develop for the
next few years - will involve hiring and training people

8. If in parallel, then how are you able to manage this?

C. Sectoral

2. Do your sectoral data protection obligations impact your compliance under the DPDPA? (Y/N)

3. If Y, then how?
Not sure will have to check

4. How long will it take you to resolve compliance with both the DPDPA and your sectoral obligations?
a. 2-6 months
b. 6-12 months
c. 12-18 months
d. 18-24 months
e. More than 24 months

5. Will such compliance impact your technical architecture?

D. General Pt. 2

8. Given our discussion on this survey, approximately how long do you expect the implementation of the
Digital Personal Data Act to take - cumulatively?
1. Up to 6 months
2. 6-12 months
3. 12-18 months
4. 18-24 months
5. More than 24 months (conservatively) - if done sequentially timeline will be much longer -
question of resources - will have to prioritize (and be given the freedom to prioritize) will
depend on what carries a hefty fine and what doesn’t
There are two dimensions - scope of work needed and scale - have to consider that the changes made in
terms of tech and processes have to stand the test of time - have to consider - age gating is complicated given
scale and diversity of products

9. Would you want there to be consultation for the rules? (Y/N)


Must be cognizant of different sub-sectors and complexity of elements sought - not everyone is on the
same level of resources - differences in complexity of business models - element of scale must be
considered - have to test before things are rolled out - different products - Instamart does not work the
same way as delivery and these don’t work the same way as food reservation - different stakeholders -
restaurant partners + delivery partners + consumers
10. If Y, then what timeline do you propose for this consultation period?
a. 15 days for comments, 15 days for counter-comments
b. 30 days for comments, 30 days for counter-comments
c. 45 days for comments, 45 days for counter-comments
d. 60 days for comments, 60 days for counter-comments

11. Why?
there are so many different types of stakeholders

Comments: truncated timeline impacts cost - compliance becomes cheaper with more time -
