Chennai: A future with data governance

By Kirthi Jayakumar, Peritum Partners

As cybersecurity regulation clamours to keep up with improvements in artificial intelligence capabilities, Chennai sits at a crucial pivot point

A key milestone in India’s digital journey is the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA). It regulates how personal data is collected, processed and protected, giving individuals rights over their data and placing obligations on organisations. Its institutional architecture is centred on the Data Protection Board of India.

Kirthi Jayakumar
Partner
Tel: +91 96000 74815
Email: Kirthi@peritumpartners.com

The cybersecurity landscape in India has grown more complex. The Indian Computer Emergency Response Team (CERT-In) reported more than 1.3 million cybersecurity incidents in 2022, demonstrating vulnerabilities in digital infrastructure. The Indian Cybercrime Co-ordination Centre (I4C) and Cyber Swachhta Kendra were established to counter cyberthreats.

The DPDPA is being implemented in phases, supported by the DPDP rules. Implementation depends on the robustness of India’s cybersecurity architecture. The National Cybersecurity Policy, operational capacity of CERT-In, and the I4C form the infrastructure within which obligations under the DPDPA must be discharged.

The emergence of AI signals both immense potential and a threat vector. AI-driven systems can process personal data at scale, but in doing so often strike at the root of consent-based models. AI also shows promise in threat detection, anomaly identification, and automated incident response.

Chennai, India’s second-largest IT export hub and emerging epicentre of fintech, SaaS and healthcare technology, sits at the intersection of these forces. Along with Mumbai, Chennai accounts for the “lion’s share of installed co-location capacity” given its proximity to sub-sea cable landing stations. Projections estimate a three to seven-fold rise in national capacity by 2030, and Chennai will remain a critical player.

Chennai’s cybersecurity, data and governance

Chennai is home to more than 100 Global Capability Centres and IT corridors that generate high volumes of cross-border data flows daily. Chennai’s data centres are stepping up to meet computing capacity needs with the emergence of AI. These developments have paved the way for three shifts:

    1. Cybersecurity is no longer a siloed IT function but constitutes a legal obligation with penal consequences for non-adherence and breaches attributable to inadequate safeguards.
    2. Chief information security officers play a central governance role, marking the overlap between technical risk management and legal accountability.
    3. Data protection needs to be embedded in key software architecture through DevSecOps (development security and operations) pipelines, ensuring that privacy is embedded from inception.

Chennai’s DPDPA innovation and maturity

Chennai is a site for innovation vis-a-vis the sector-specific implementation of the DPDPA. For the IT and SaaS sectors, cross-border data transfers and processor accountability are key concerns. The fintech and banking sectors navigate the intersection of the DPDPA and the RBI’s data localisation frameworks. The healthcare sector processes sensitive personal data at scale, attracting the highest tiers of regulatory scrutiny under the DPDPA.

Chennai’s consistent engagement with the EU’s GDPR gives it compliance maturity and has produced professionals familiar with the principles of privacy-by-design, data subject rights management, and data processing agreements. These capabilities support DPDPA compliance. Chennai is well-positioned to pioneer AI-driven compliance tooling. Its firms can create and export indigenous privacy engineering tools for domestic and global markets. But there are still challenges: there is a skill gap between legal and technical expertise, as well as legacy system integration.

The journey ahead calls for creativity. The convergence of law and technology can unlock innovation in professional frameworks. Public-private partnerships must be leveraged to build shared compliance infrastructure, while sector-specific compliance can reduce interpretative inconsistency. Institutionalising cybersecurity-led governance with security frameworks as the operational foundation for DPDPA compliance can go a long way.

Chennai has demonstrated a proclivity for creativity, be that in its policies on safe and ethical AI or its blueprint for semiconductor manufacturing. The TN Startup and Innovation Policy 2023 aims to establish 15,000 startups by 2032, and the Semiconductor and Advanced Electronics Policy 2024 positions Tamil Nadu for leadership in emerging technology. The law is keeping pace with technology, reminding us that Chennai is both a compliance jurisdiction and a potential architect of India’s future with data governance.

PERITUM PARTNERS
727, Til Park
1st Floor, Pathari Road,
Anna Salai, Chennai,
Tamil Nadu – 600 006
https://www.peritumpartners.com/
