Overview
Mphasis is a leading global provider of IT services, specializing in cloud and cognitive-led enterprise solutions. Because it acts both as a Data Fiduciary (for its employees and website users) and as a Data Processor (for global banking and insurance clients), its compliance with the Digital Personal Data Protection (DPDP) Act 2023 is critical. The current policy is a “Global Privacy Notice” that attempts to cover multiple jurisdictions at once but lacks the India-specific elements (notice language, consent granularity, nomination, escalation to the Data Protection Board) that the DPDP Act requires.
DPDP Readiness: Section-by-Section Analysis
Section 5 & 6 — Notice and Consent ⚠️
Mphasis provides a detailed notice of the categories of data collected. However, Section 5(3) of the DPDP Act 2023 requires the Data Fiduciary to give the Data Principal the option to access the notice in English or any of the 22 languages specified in the Eighth Schedule to the Constitution, and Section 6(3) imposes the same language option on every request for consent.
What the policy says: The policy is provided only in English. Consent is often inferred through continued use of the website or through a single “Accept” button for cookies and privacy terms.
DPDP requirement: Under Section 6(1), consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. Under Section 5(1), the accompanying notice must state the personal data collected and the purpose of processing, the manner in which the Data Principal may exercise her rights (including withdrawal of consent), and the manner in which she may complain to the Data Protection Board.
Gap: The policy does not implement the Section 5 notice framework (in particular the regional-language option), and its consolidated consent model, where one “Accept” covers cookies, privacy terms and marketing, is unlikely to meet the “specific” and “unambiguous” threshold for each processing activity. Continued use of a website is not a clear affirmative action under Section 6(1).
Section 8 — Obligations of Data Fiduciary ✅
Mphasis excels in this area due to its nature as a high-security IT services provider. The policy mentions robust technical and organizational measures to protect data.
Strength: The company references adherence to international security standards (ISO 27001, etc.) and mentions regular audits. This aligns well with Section 8(5), which requires the Data Fiduciary to protect personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. Note that the policy text alone cannot evidence the remaining Section 8 duties, such as intimating the Board and each affected Data Principal of a personal data breach (Section 8(6)) and publishing the contact details of a Data Protection Officer or equivalent contact person (Section 8(8)); those have to be verified operationally.
Section 8(7) — Data Retention and Erasure 🔴
Critical gap. The policy states: “We will retain your personal information for as long as it is necessary for the purposes for which it was collected or to comply with legal obligations.”
DPDP requirement: Section 8(7) requires the Data Fiduciary to erase personal data, and to cause its Data Processors to erase it, upon the Data Principal withdrawing consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with a law in force. (Section 9 of the Act deals with children’s data, not retention.)
Gap: The phrase “as long as it is necessary for the purposes for which it was collected” is overly broad and is silent on withdrawal of consent. Under the DPDP Act, once the specified purpose is served or consent is withdrawn, the data must be erased unless a specific law requires retention. Mphasis provides neither a definitive retention schedule with purpose-based triggers nor a commitment that erasure is carried out automatically and flowed down to its processors.
Sections 11 to 14 — Rights of Data Principal ⚠️
The policy acknowledges rights to access, correction, and erasure (aligned with GDPR). However, it falls short on India-specific rights:
- Right to Nominate: There is no mention of the Data Principal’s right under Section 14 to nominate any other individual to exercise her rights in the event of death or incapacity.
- Grievance Redressal: While a Grievance Officer is named, the policy does not inform the user that, under Section 13(3), she may approach the Data Protection Board of India if the grievance is not resolved through the Fiduciary’s own mechanism. Section 5(1) also requires the notice itself to describe how a complaint may be made to the Board.
Section 16 — Cross-Border Data Transfer ⚠️
Mphasis transfers data globally to its subsidiaries and third-party service providers.
Gap: The policy relies on standard contractual clauses (SCCs) for transfers. While this is the GDPR transfer mechanism, Section 16 of the DPDP Act takes a different approach: the Central Government may, by notification, restrict transfers to specified countries or territories, and no contractual instrument overrides such a notification. Mphasis’s policy has not yet integrated this “Negative List” model, for example by committing to suspend or re-route transfers to any country that is notified, or by identifying the destination countries so that such a notification can be acted on.
Risk Assessment
| Category | Risk Level | DPDP Section | Findings |
|---|---|---|---|
| Notice Compliance | High | Section 5 | No regional language support; notice not provided at every point of collection. |
| Consent Granularity | Medium | Section 6 | Marketing consent is partially bundled with site usage. |
| Data Erasure | High | Section 8(7) | Lacks the erasure triggers of Indian law (withdrawal of consent; purpose no longer served) and a retention schedule. |
| Principal Rights | Medium | Section 14 | Missing the ‘Right to Nominate’ entirely. |
| Grievance Path | Low | Section 13 | Grievance officer is present, but escalation to the Data Protection Board is not mentioned. |
| Security | Low | Section 8 | Strong encryption and access control disclosures. |
Final Analyst Note
Mphasis’s privacy policy is “compliance-adjacent”: it meets the spirit of the DPDP Act through its GDPR-heavy framework but fails the letter of the Indian law. To reach a score above 80, the company should introduce a specific “India Addendum” that addresses Section 14 (Nomination), Section 5 (regional-language notices and the complaint route to the Board), Section 8(7) (purpose-based erasure triggers), and Section 6(4), which requires that withdrawing consent be as easy as giving it.