‘Personal data is not property—but CISOs must treat it with utmost responsibility’: Justice B. N. Srikrishna at ET CISO Data Protection & Privacy Summit 2025

At the ET CISO Data Protection & Privacy Summit 2025, Hon’ble Justice (Retd.) B. N. Srikrishna—the architect of India’s foundational data protection framework—delivered a sweeping keynote on the evolving philosophy of personal data and the responsibilities it places on enterprises and their security leaders. He emphasized that while personal data holds economic value, equating it to conventional property is fundamentally flawed. “I have my own jurisprudential difficulties with accepting this… it is valued, but it is not property in the sense of owning a house or a car,” he said, noting that monetisation by digital businesses triggered the global push for regulation.
Justice Srikrishna stressed that the core principle underpinning India’s privacy law is control. “It is my data not in the sense of proprietorship, but in the sense of an intimate relationship. I should have control over it, and nobody should be able to use it without my consent,” he stated. This shift—from treating individuals as “data subjects” to “data principals”—is a deliberate departure meant to reflect dignity, agency and rights under the Digital Personal Data Protection Act (DPDPA).
Addressing CISOs directly, he outlined their central role as custodians of lawful and ethical data use. Consent, he said, must be at the heart of enterprise data practices. “Consent must be free, informed, specific and unambiguous… long 30-page agreements are no good,” he cautioned, adding that individuals must also retain the ability to withdraw consent without undue friction. This demands urgent updates to organisational forms, disclosures, and digital interfaces before the law comes into full force.
The keynote also spotlighted operational obligations that fall squarely on security leaders—from purpose limitation and data minimisation to secure storage, access restrictions, breach audits and timely deletion. He illustrated the importance of purpose limitation with a personal anecdote about receiving targeted commercial emails after booking a flight. “Somebody has leaked my personal data… and that person is trying to utilise it for his business which has nothing to do with the purpose for which the data was given,” he noted, calling it a clear breach under the new regime.
Justice Srikrishna urged CISOs to prepare for structural reforms: revising privacy policies, mapping data flows, implementing secure digital ecosystems, anonymising datasets for analytics, strengthening vendor governance and training field teams. Organisations handling children’s data, he said, must exercise heightened diligence.
He concluded by framing the DPDPA not merely as compliance, but as a transformative shift. “The law brings a cultural shift… it strengthens the ecosystem, enhances trust, increases credibility, and aligns the CISO as a partner of the company, as responsible as the Board of Directors itself,” he said.