-
Digital Natives
Unlock growth with Grant Thornton Bharat's Digital Natives solutions. Customised support for tech-driven companies in healthcare, gaming, and more.
-
Business Consulting
Our business consulting specialists offer a comprehensive blend of strategic advisory services. We assess the business, industry, operating model, synergy, skill sets and vision of the organisation and recommend the way forward
-
Digital Transformation Services
Grant Thornton’s digital transformation services help traditional businesses digitalise their business models with cloud technology, IoT consulting, app development and more DigiTech solutions.
-
Human Capital Consulting
Our Human Capital Consulting team harnesses technology and industry expertise to assist in constructing adaptable organisations with transparency, fostering productive and value-driven workforces, and inspiring employees to engage meaningfully in their tasks.
-
Production Linked Incentive Scheme
Production-linked Incentive Scheme by the Indian government is aimed at boosting manufacturing. Grant Thornton Bharat offers varied services across sectors to help businesses avail of this scheme.
-
Public Sector Advisory
Our Public Sector Advisory team has focused streams, aligned with the core priorities of the Government of India. We are responsible for providing innovative and customized technical and managerial solutions.
-
Tech Advisory
We have amalgamated Digital Transformation, IT Advisory & Information Management and Analytics into a new offering, DigiTech.
-
Direct Tax services
Our tax specialists offer a comprehensive blend of tax services, tax litigation, regulatory and compliance services, helping you navigate through complex business matters.
-
Indirect Tax Services
Get tax services by leading tax firm Grant Thornton India. Our indirect tax services include consulting, compliance and litigation services for corporate, international and transaction tax
-
Transfer pricing services
Our transfer pricing services experts provide a range of services from provision of APA services to handling large global assignments including Country by Country reporting.
-
US Tax
At Grant Thornton, we help individuals and dynamic companies deal with US tax laws, which are one of the most complicated tax legislations across the world.
-
Financial Services - Tax
Best financial advisory services, tailored for small and large businesses by the experts having comprehensive knowledge of domestic laws and access to multifaceted tools to provide a valuable results.
-
Financial Reporting consulting services
Our experts have significant hands-on experience in providing IFRS/US GAAP services, end-to-end solutions and support services to fulfil financial reporting requirements.
-
Fund accounting and financial reporting
International operations often lack standardisation and have varied local reporting formats and requirements. Our experts can offer proactive insights, practical guidance, and positive progress and help meet regulatory timeframes.
-
Compliance and Secretarial Services
Our experts can assist in overhauling the entire compliance machinery of the organisation through evaluation of the applicable statutory obligations, monitoring of adequate governance controls, reporting and providing ongoing support.
-
Global People Solutions
As businesses transcend borders, both domestic and global considerations need equal attention. Our interim CFO and financial controller support services help organisations meet the business vision.
-
Finance and accounting outsourcing
Our accounting experts assist organisations in managing their accounting and reporting. Our dedicated Integrated Knowledge and Capability Centre (IKCC), allows us to service both the domestic and global markets efficiently and cost-effectively
-
Compliance Management System
We have automation solutions for you that will allow meeting government requirements and remain diligent, which when failed, can lead to penalties and loss in revenue.
-
IKCC: Grant Thornton's Shared Service Centre
The India Knowledge and Capability Centre (IKCC), aimed at delivering solutions by developing capabilities, has completed four years of its journey.
-
Global compliance and reporting solutions
At Grant Thornton Bharat, we meet the challenges of our clients and help them unlock their potential for growth. Our professionals offer solutions tailored to meet our clients’ global accounting and statutory reporting requirements. With first-hand experience of local reporting requirements in more than 145+ locations worldwide, we provide seamless and consistent international service delivery through a single point of contact.
-
Related Party Transactions Governance
Grant Thornton Bharat's comprehensive related-party transaction services ensure good governance by adhering to regulatory requirements, promoting transparency, and providing robust policies for compliance, documentation, and accountability in related-party transactions.
-
Private Client Services
Grant Thornton Bharat Private Client Services offers tailored advisory for family-owned businesses, focusing on governance, compliance, tax, succession planning, and family office structuring to sustain wealth and preserve legacies across generations.
-
GTMitra: Tax & Regulatory Tool
GTMitra, a specialised tax and regulatory tool by Grant Thornton Bharat, supports multinational businesses in understanding laws and regulations for effective growth strategies.
-
Labour codes
Labour codes solutions help you transition through the new legislation. At Grant Thornton, we help businesses divide their approach to make sure a smooth transition.
-
Alerts
At Grant Thornton India, with the help of our tax alerts, we help to provide updates on how to minimise your tax exposure and risks.
-
Cyber
In today’s time, businesses have gone through large transformation initiatives such as adoption of digital technologies, transition to cloud, use of advanced technologies et al.
-
Governance, Risk & Operations
Our Governance, Risk and Operations (GRO) services encompass Internal Audit, Enterprise Risk Management, Internal Financial Controls, IT advisory, Standard Operating Procedures and other services.
-
Risk analytics
Grant Thornton Bharat’s CLEARR Insights is a state-of-the art data analytics platform that will help you in seamless data analysis and efficient decision-making.
-
Forensic & Investigation Services
The team of forensic advisory services experts consists of the best intelligence corporate experts, and fraud risk, computer forensic experts to deliver most effective solutions to dynamic Indian businesses.
-
ESG consulting
Grant Thornton Bharat offers holistic ESG consulting solutions for sustainable business outcomes. With industry expertise and AI technology, we drive long-term value.
-
Transaction Tax Services
Our transaction tax experts understand your business, anticipate your needs and come up with robust tax solutions that help you achieve business objectives ensuring compliance and efficiency
-
Deal Advisory
Unlike other M&A advisory firm in India, we offer deal advisory services and work exclusively with controlled and well-designed strategies to help businesses grow, expand and create value.
-
Due Diligence
Grant Thornton’s financial due diligence services are aimed at corporate looking for mergers and acquisitions, private equity firms evaluating investments and businesses/promoters considering sale/divestment.
-
Valuations
As one of the leading valuation consultants in India, Grant Thornton specializes in all the aspects of the process like business valuation services, financial reporting, tax issues, etc.
-
Overseas Listing
Overseas listing presents a perfect platform for mid-sized Indian companies with global ambitions. Grant Thornton’s team of experts in listings, work closely with clients during all stages.
-
Debt & Special Situations Solutions
Grant Thornton Bharat offers specialist debt and special situations consulting services, including restructuring, insolvency, and asset tracing solutions.
-
Financial Reporting Advisory Services
Grant Thornton Bharat Financial Reporting Advisory Services offer end-to-end solutions for complex financial requirements, including GAAP conversions, IPO support, and hedge accounting advisory, ensuring accurate financial reporting and compliance.
-
Financial Statement Audit and Attestation Services
Grant Thornton Bharat offers customised financial statement audit and attestation services, ensuring impeccable quality and compliance with global standards. Our partner-led approach, technical expertise, and market credibility ensure effective solutions for your business needs.
- Agriculture
- Asset management
- Automotive and EV
- Aviation
- Banking
- Education and ed-tech
- Energy & Renewables
- Engineering & industrial products
- FinTech
- FMCG & consumer goods
- Food processing
- Gaming
- Healthcare
- Urban infrastructure
- Insurance
- Media
- Medical devices
- Metals & Mining
- NBFC
- Pharma, bio tech & life sciences
- Real estate and REITs
- Retail & E-commerce
- Specialty chemicals
- Sports
- Technology
- Telecom
- Transportation & logistics
- Tourism & hospitality
-
Article Agriculture and Budget: Immediate compulsions and long-term visionGovernment focuses on sustainable agriculture, digital infrastructure, and market intelligence to enhance productivity and global competitiveness in agriculture.
-
Article Union Budget 2024 expectations: Building resilience for consumer industryUnion Budget 2024 expectations: Building resilience for consumer industry
-
Thought Leadership Grain to gain: Impact of corn on India’s biofuel revolutionExplore Grant Thornton insights on unlocking India’s Energy Potential on Corn-Based Ethanol as a sustainable fuel solution.
-
Case study Transforming agriculture: The rise of Drone DidisDiscover how Grant Thornton Bharat's Drone Didis initiative empowers rural women and transforms agriculture with drone technology. Learn more about this success.
-
India-UK
India-UK
The Digital Personal Data Protection Act is a law that focuses on how personal information is handled by organisations.
It sets rules to ensure that both businesses and individuals respect and protect personal data. It grants individuals more control over their data and outlines responsibilities for organizations to handle personal information responsibly and transparently.
The government will provide a transition period for businesses to adapt to the new law. During this time, companies can understand the requirements and make necessary changes to their processes. There are certain media statements by the Minister that the rules will be implemented in a series of phases, gradually becoming enforceable over time.
Non-compliance with the Act can result in fines that may extend up to INR 250 crores for each instance. Factors such as nature, severity, impact and duration will be taken into consideration before imposing the penalty.
The Data Protection Board is an authoritative body responsible for overseeing and enforcing the Act. It ensures that companies follow the rules and practices outlined in the Act.
Audit timing can vary based on factors like the scale and type of data processing your business conducts. The Data Protection Board will assess when audits are necessary.
Personal data refers to information that can identify an individual, like their name, phone number, email, address and more.
Sensitive data, often called "special categories," includes health information, nationality, health records, payment information, food allergies, travel patterns & preferences, racial or ethnic details, religious beliefs, and other sensitive aspects of an individual’s life.
A data breach is an act of any personal information leaking out of the organization such as KYC details, card details in an unauthorized manner which may lead to its exposure or misuse.
A Data Protection Officer commonly knows as a DPO oversees data protection efforts within a company. While not all businesses need a DPO, those engaged in significant data processing are required to appoint one by the Act.
The experience gained from GDPR can be valuable, as it shares common principles with the DPDPA. While you won't start from scratch, adjustments in practices will ensure compliance with the DPDPA's unique requirements.
The Act doesn't specify an implementation period but mentions that its provisions will become effective on dates set by the Government. There are speculations that the implementation of the law might take around 6 - 10 months.
The Act acknowledges the extra-territorial effect by regulating the processing of personal data outside of India if it involves individuals in India. This means that even if your business is located outside India but collects or processes personal data of individuals in India, it would need to adhere to the Act's requirements.
The Act will require your business to adhere to stricter guidelines for collecting, processing, and storing customer data. You'll need to ensure that you have explicit, free, specific, informed consent of an individual with a clear affirmative action for collection of their data. You will also need to provide clear notices about how their data will be processed.
Provide Data Principal with a notice detailing the purpose of collected personal data, giving them opt-out option & ways to exercise their rights and how to lodge a complaint with the Data Protection Board.
Depending on your current practices, you might need to re-align processes. This could include reviewing your consent mechanisms, updating privacy policies, and enhancing data security measures.
Data Fiduciaries who deal with high volumes of data, sensitive personal data considering factors like data scale, risk to rights, impact on India's integrity, electoral democracy, state security, and public order.
If you qualify as an SDF, you'll need to appoint a DPO, an Independent Data Auditor and facilitate Data Protection Impact Assessments.
A "Consent Manager" will be a registered individual who serves as a central contact. He shall facilitate data principals in providing, managing, reviewing, and withdrawing consent using a user-friendly, transparent, and interoperable platform.
Aspects like Accountability, Registration regarding Consent Manager is left for rulemaking as a delegated legislation.
Signing a valid contract is mandatory for engaging a Processor. You'll need to include DPDPA compliance clauses in your contracts with service providers. They should adhere to the same data protection standards to safeguard your customers' data.
Cross-border data transfers are permissible under the Act, if they're not directed to restricted countries. The Central Government will notify specific countries or territories via a proposed blacklist.
As an immediate step, the Act requires you to notify the Data Protection Board and affected Data Principals promptly in the prescribed manner.
The DPDPA features the Data Protection Board for compliance oversight. If unsatisfied with the Board's decision, individuals can appeal to the Appellate Tribunal for further review.
Personalized marketing practices will need to align with the Act's consent and notice requirements. You'll likely need to review and modify your marketing strategies to ensure that data processing is transparent and in line with individual preferences.
Conduct training sessions and elevate employee awareness through training, workshops, seminars, and certifications to educate your employees about data protection principles, their responsibilities, and the importance of adhering to the DPDPA's regulations.
- Using strong passwords and security measures to protect their computer systems.
- Encrypting personal data when it is stored or transmitted.
- Implementing access controls to restrict access to personal data to authorized individuals.
- Conducting regular security audits to identify and address security vulnerabilities.
- Review their data collection, storage, and use practices to ensure that they are compliant with both the laws.
- Implement appropriate security measures to protect personal data from unauthorized access, use, or disclosure.
- Put in place a process for individuals to access, correct, or delete their personal data.
- Communicate changes of your businesses' data privacy practices to your customers and employees.
While your business may already be aligned with GDPR regulations, the introduction of the DPDPA might bring about some adjustments in your operational procedures. Although the two regulations share similar principles, the DPDPA could potentially entail specific provisions such as appointing a Consent Manager, making available the right to nominate to the individuals, the enforcement authority is two tiered, there is a special category known as Significant Data Fiduciary with additional obligations to comply, appointment of an independent data auditor, breach reporting notification to both individuals and authority amongst many others.
Large entities adapt their roles based on context. For instance, they might be a data fiduciary in one business, sharing data fiduciary duties in a partnership, and a data processor in another parallel venture. An example could be a tech conglomerate that operates its social media platform as a data fiduciary, collaborates with a marketing agency as a joint data fiduciary, and offers cloud services as a data processor. Each role involves distinct responsibilities and compliance measures.
The GDPR only allows for data processing activities to be certified, not organizations, products or services. For that reason, Europrivacy as a scheme allows controllers and processors to certify that a number of selected data processing activities are in compliance with the GDPR. Two organisations that currently undertake these are https://www.timelex.eu/en/europrivacy & https://www.sgs.com/en/services/europrivacy-certification
There are different certifying authorities for different data protection regulations. For example, for GDPR, the *CNPD* (the Luxembourg data protection authority) has developed a certification mechanism called *GDPR-CARPA https://edpb.europa.eu/news/national-news/2022/cnpd-adopts-certification-mechanism-gdpr-carpa_en
The certifying bodies for GDPR and CCPA are not authorized to certify DPDPA. The DPDPA will have its own certification mechanism may or may not be administered by the Data Protection Board, which is yet to be established.
Even though customer data is anonymized in the order database, a unique identifier or token is usually retained to manage the data. When a customer requests erasure, this identifier can be used to locate and delete the associated anonymized data. This process ensures compliance with the erasure request while maintaining the integrity of the anonymisation process.
Generally, when collecting and using non-PII data solely for the purpose of identifying customer preferences, explicit consent may not be necessary.
From the Bare text of the Act, it appears as though this may be a mandatory requirement for Data Fiduciary's. Detailed guidelines regarding Consent Manager will be established through subsequent rule-making and delegated legislation.
As per the law, a consent manager must be an individual registered with Data Protection Board, serving as a central point of contact for data principals. The requirement also emphasizes transparency and interoperability. This leaves room for interpretation whether it involves an individual appointment alongside an interoperable platform, including automated tools.
In cases where data is truly anonymized and devoid of Personally Identifiable Information (PII), the law might not be applicable. Since the data cannot be linked to individuals, customer identification through this data would not be feasible
Franchisees, handling customer data via shared software, could fall under legal obligations as data processors or controllers. While the software ownership is third-party, both the company and franchisees might share responsibilities to ensure compliant data handling.