Compliance as a Service (CaaS) for data refers to a model where third-party service providers ensure that a company adheres to Indian data regulations and compliance requirements.
While the Digital Personal Data Protection (DPDP) Act, 2023, does not mandate strict data localisation, it is expected to significantly influence the landscape as data and metadata within India continue to grow. Industry service providers anticipate that data localisation requirements will gain momentum, driven by increasing privacy, security, and national interest concerns.
The DPDP Act rules are expected to be notified later this year. This follows the Reserve Bank of India (RBI) directive in 2018, which mandated that all banks store data within India.
“We are championing data sovereignty and are clearly ahead of the game, ensuring that the entire data framework and data mesh architecture enable the metadata to reside within the country,” Neelakantan Venkataraman, vice president and global head of Cloud and Edge Business at Tata Communications, said.
Tata Communications caters to large firms and small and medium enterprises (SMEs), where it sees a significant opportunity.
Venkataraman said that many believe data in India is fully sovereign. Still, if metadata, including privacy and PI (personally identifiable information) data, moves out of the country, it can’t be considered truly sovereign.
He added that more than 600 companies currently use Tata Communications’ cloud solutions services. In its FY2023–24 report, Tata Communications recorded ₹17,181 crore in data revenue, including cloud services as part of its broader digital offerings.
“I like to say, not even a single bit of data should move out of the country,” he added.
Neelakantan further said grounding the entire technology stack in localised data is crucial for building generative AI models.
Also read | TCS launches India-focused sovereign cloud to boost domestic revenue
Data storage compliance
Hiranandani Group-owned Yotta Data Services has expanded its data centre parks nationwide. It expects to meet the increasing demand for compliant data storage, catering to enterprises, regulated sectors, and micro small and medium enterprises (MSMEs).
“We are working consciously to help India achieve data sovereignty,” Sunil Gupta, co-founder, CEO & MD of Yotta Data Services, said.
Big tech companies like Amazon, Microsoft, Google, and Meta are concerned that strict data localisation increases costs, complicates global operations, and fragments the internet.
Some firms have complied partially by setting up local data centres (e.g., AWS has expanded its India operations, and Microsoft launched Azure regions in India). Others voiced concerns against strict rules, arguing that cross-border data flows are essential for innovation, global services, and the digital economy.
Smaller players like Digiboxx also provide cloud storage and enterprise backup solutions within India, catering to the growing business demand.
Also read | OpenAI discussing localization of ChatGPT India data
While security isn’t solely determined by data location, local storage options have become increasingly sought after due to localisation requirements, such as those mandated by the RBI. These mandates have led companies across various industries to opt for local storage.
Digiboxx CEO Arnab Mitra told Mint that, from a national security standpoint, data can be vulnerable to foreign surveillance and misuse.
“Local storage, in many ways, ensures that India has complete legal and operational control over its data, especially in crucial times of geopolitical tension,” he said.
Digiboxx provides compliance as a service to sectors such as BFSI (Banking, Financial Services, and Insurance), government, media and entertainment, and legal firms. Many of its clients are small and medium enterprises (SMEs).
Also read | Airtel to steer clear of GPU-as-a-service for now, focus on data centre business
High compliance cost for SMEs
Mitra explains that spending a significant amount per user per year is often unsustainable for SMEs, especially when the features are bundled and not fully utilised. Large corporations may not mind paying such amounts, but such expenses can be challenging to sustain for smaller companies. He also highlights that Digiboxx’s jurisdictional compliance with data remaining on Indian soil significantly benefits SMEs, ensuring legal protection and operational control.
Fintech startup Finarkein operates in a sector where the RBI mandates data localisation. It specialises in data and workflow orchestration for India’s digital public infrastructure. The company raised $4.75 million in a pre-Series A round in August last year.
As co-founder Nikhil Kurhe explained, Finarkein relies on AWS for its services but follows a multi-cloud, multi-region approach.
In 2018, RBI directed all payment data processed in India to be stored locally, allowing foreign entities to process data offshore only if a copy was retained within the country. The move, aimed at enhancing regulatory oversight and data security, significantly impacted players like Mastercard and Visa.
Venture investment groups are also excited about data governance as a space.
Chintan Antani, vice president – Seed & Acceleration at IIMA Ventures, said, “Cybersecurity and data governance are two verticals we’re closely focusing on, and we anticipate making a few more investments in this area.”
Antani added that standardisation is needed across compliance laws—currently, many small and medium enterprises are conservative about adoption.
Also read | What will it take for India to become a global data centre hub?
Clarity in localisation policies
Antani also emphasised the need for clearer localisation policies to support infrastructure investments, stating, “If the law of the land changes and the servers are outside, you can’t really do anything, and unforeseen issues can arise.”
However, smaller companies are feeling the brunt of added compliance requirements.
Tarun Sibal, co-founder of Cloud Photonix, an optical transceiver company, pointed out that the burden of these regulations can be particularly challenging for his company.
“For an MSME, which is already very stretched, the burden of compliance becomes even more significant. We must carefully consider where we house our data, but the associated costs and resource bandwidth add financial pressure to the strained operations.”
Sibal pointed out that India’s evolving regulatory landscape isn’t clear enough for businesses to confidently invest in local infrastructure.
Sibal said, “For the smaller folks like us, I don’t have a clear road map regarding what I need to cover and what I don’t need to worry about.”
Sibal also highlighted the fluid nature of data, as data may pass through India but be stored overseas, complicating control and monitoring. Since data doesn’t have physical boundaries, it’s challenging to determine where it’s truly localised and who is liable for it.
Also read | Big Tech, data privacy rules differ over online tracking of children on net
Source:https://www.livemint.com/companies/compliance-as-a-service-caas-data-localisation-dpdp-act-digital-personal-data-protection-act-rbi-data-sovereignty-11745777858553.html