Overview
LTIMindtree is a global technology consulting and digital solutions giant. They are what the law calls a Data Fiduciary—the entity that decides why and how your data is processed. Because they provide SaaS (Software as a Service) and IT consulting, they handle massive amounts of data from employees, job seekers, and business clients.
If a tech giant of this scale is still catching up to India’s new rules, it’s a massive wake-up call for every other Indian business owner.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
LTIMindtree uses a standard global approach, but the DPDP Act is much stricter about how you ask for permission.
What the policy says: “By using the Website, you agree to the terms of this Privacy Statement.”
What the law requires: This is called “implied consent,” and it’s a big no-no under DPDP. The law says consent must be an affirmative action—meaning the Data Principal (that’s you, the person the data belongs to) must actively click or sign something that says “I agree to X for purpose Y.”
The problem: Bundling consent with just “using the website” isn’t clear enough. Under the new law, consent must be free, specific, informed, and unconditional.
Section 7 — Certain Legitimate Uses 🔴
This is where many global companies trip up. GDPR (Europe’s law) allows for broad “Legitimate Interests,” but India’s DPDP Act is much narrower.
What the policy says: They claim to process data for “legitimate business interests,” such as direct marketing or improving services.
The problem: Section 7 of the DPDP Act only allows processing without explicit consent for very specific things, such as when you provide your data voluntarily for a specific purpose, for state functions, or for medical emergencies. “Marketing” doesn’t usually make the cut.
Section 8 — Obligations of Data Fiduciary ✅
As a massive IT firm, LTIMindtree shines here. They are required to keep your data safe, and they do.
What the policy says: They mention “reasonable security practices and procedures” including physical, electronic, and managerial safeguards.
What the law requires: The Data Fiduciary (the company) must take reasonable security safeguards to prevent a data breach. Given their industry certifications (like ISO 27001), they are likely in a good spot here.
Section 9 — Data Retention ⚠️
How long do they keep your data? The law says: once the purpose is served, delete it.
What the policy says: “We will retain your personal information for as long as it is necessary… to fulfill the purposes for which it was collected.”
The problem: This is too vague. DPDP Section 9 requires that data be erased as soon as the purpose is fulfilled or when the user withdraws consent. Without specific timelines (e.g., “we delete job applicant data after 6 months”), the company risks being seen as “hoarding” data.
Section 11 — Rights of Data Principal ⚠️
The DPDP Act gives you, the Data Principal, some serious power. You have the right to access, correct, and erase your data.
What the policy says: They allow you to request access or correction by emailing their DPO.
The problem: They are missing the Right to Nominate. Under Section 14 of the DPDP Act, you have the right to appoint someone else to manage your data rights in case of your death or incapacity. Most legacy policies haven’t added this option yet.
Section 12 — Right of Grievance Redressal ⚠️
If you’re unhappy with how they handle your data, who do you call?
What the policy says: They provide an email address for their Data Protection Officer.
The problem: Under the DPDP Act, the company must provide an internal way to solve your complaint. If that fails, you have the right to escalate it to the Data Protection Board of India. LTIMindtree’s policy doesn’t mention this escalation path yet, and mentioning it is a mandatory requirement.
Section 16 — Cross-Border Data Transfer ✅
Since LTIMindtree is global, they move data across borders constantly.
What the policy says: They use “Standard Contractual Clauses” to ensure data is safe even when it leaves India.
The law: DPDP allows data transfer to other countries unless the Indian government specifically “blacklists” a country. LTIMindtree’s global framework is likely robust enough to handle this, provided they keep an eye on the government’s restricted list.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | Bundled “browse-wrap” consent may be legally void under DPDP |
| Data Retention | Medium | Vague timelines could lead to “over-retention” penalties |
| User Rights | Medium | Missing nomination rights creates a compliance gap |
| Grievance Path | Low | Easy to fix, but currently missing the Board escalation mention |
| Security | Very Low | World-class security infrastructure is already in place |
Recommendations
- Unbundle Consent: Stop assuming users agree just by browsing. Add a clear, specific checkbox for different data uses (e.g., one for the service, one for marketing).
- Add Section 14 Nomination: Update the policy and user profile settings to allow users to nominate a representative.
- Map to Section 7: Audit all “legitimate interest” activities and ensure they actually fit into India’s specific “Certain Legitimate Uses” bucket.
- Define Erasure: Set clear internal “expiry dates” for different types of data—and tell the user what they are.
- Update the Grievance Flow: Explicitly mention the Data Protection Board of India as the final step for unresolved complaints.