Introduction
In today’s world, globalization has been increasing rapidly and every industry and business relies upon software applications, websites, and cloud-based services for collection of an individual’s personal and protected data. this may include any data such as. name of the individual., email, mobile phone numbers, bank details, health records etc and such data should be protected against any unauthorized use. Due to the rapid increase in globalization And advancement there is a major risk. involving data breaches, Cyber attack, cyber stalking, and unauthorized use of an individual personal data. hence any industry and company should take proper measures to preserve the personal information of the individual while making laws suitable for data protection and punishment shall be given to hacker or cyber criminal. As cyber crimes are increasing., it is considered as moral and ethical duty of the company to protect an individual personal information by maintaining privacy. One of the best measures. to protect the personal data. is by adopting. privacy by design, which generally means that while designing., producing, & processing of any software, the foremost component which should be taken into consideration is privacy rather than adding it after the software has been developed. software contract shall be made this contained how an individual data shall be collected, process, developed, use, stored, shared and deleted. to ensure such compliances GDPR (general data protection regulation) and DPDP (digital personal data protection) act 2023 has been passed.
Meaning of privacy by design
Privacy by design is a major concept in personal data protection laws it encourages any company and organization to include privacy related aspect and personal data protection of any user at every stage of software development rather than adding it in the end and after the launch of such software. and it is a duty of an organization to collect such information and personal data which is essential for the course of business and for growth of the business such information shall be preserved. by adequate means. and this is known as data minimization. because unnecessary collection of personal data involves risk harming personal data of the users.
GDPR and privacy by design
GDPR stands for general data protection regulation it is a data protection law, which is adopted from European union. it is designed to protect personal data and information. by maintaining privacy of the individuals residing in European Union. and it is considered as one of the major milestones in privacy related laws in India. according to article 25 of GDPR. involves privacy by design. and privacy by default it mandates the organization while developing any software to protect personal data at every stage rather than focusing in the end. And organization should collect such data and information which is essential for the course of business and not holding or keeping the data longer than the requirement. And information shall be kept securely by maintaining accuracy. This regulation provides several rights to the users, which includes. right to access-personal data, right to correct the incorrect information, and the individual has right to request the deletion of data in any specific condition and also has right to know how their data is being collected, preserved and used. if any organization or company fails to comply with this regulation it will be punished with monetary penalty and harm and damage to company’s reputation.
DPDP act 2023 and privacy by design
India has adopted the digital personal data protection act in 2023 to preserve and protect the digital personal data of an individual and and it allows, the organization to maintain balance between right to privacy and data shall be collected and processed for lawful purposes. Apart from that this act mandate the company to obtain free consent without any coercion and fraud before collecting any personal data of an individual except for the situation where law provides another legal basis and such data shall be collected for a specific time period and for lawful purposes and withholding of data for longer time without any specific purpose shall be deemed as an offense under this act. DPDP act allows an organization to take reasonable actions against any unauthorized access or any unauthorized misuse by cyber criminal. In this act, the individual has several rights related to their data which includes they have right to access their personal data, the individual can request for correction and deletion of inappropriate data and has right to file complaint if their right has been infringed or taken away.
Essential clauses in software contract
A software contract shall include all the essential privacy related clauses, and personal data protection clauses to ensure effective compliance with the DPDP and GDPR act. The software contract shall be drafted in a manner which includes the following clauses such as-
- Data collection clause –this clause includes what kind of personal data will be collected and stored, and what are the purposes and necessity for such collection.
- Consent clause –this clause include that the software contract shall expressly mention the the individual consent which will be taken without coercion and fraud during the course of collection of personal data according to procedure established by law.
- Confidentiality – it is the duty of employees, contractor and business partner to keep user personal data, safe and secure by maintaining confidentiality, and there shall be non-disclosure of such preserved personal information without any lawful authorization.
- Data retention clause – this clause includes time Period. For which the data will be stored and when the organization will delete the personal information after the lawful purpose has been fulfilled.
- Compliance clause – the software contract shall clearly state that all the parties will comply with the rules and regulations DPDP and GDPR act. And non-compliant parties shall be punished as per the procedure established by law.
Difference between GDPR and DPDP act
Both GDPR and DPDP act aims to protect personal data of an individual against unauthorized use by maintaining privacy by giving them all the essential rights given under the act. both the laws provide that the data shall be collected in a lawful manner and shall not be stored for a longer time than it requires. and it is the duty of the organization to maintain the credibility and transparency. while processing an individual personal data. but however, there are certain differences amongst these two act such as- the general data protection regulation mainly focuses on European union users and on data processing an individual right related to the data protection. But on the other hand, the digital personal data product protection acts mainly focus on Digital personal data in India and shall-apply on Indian citizen and provide legal framework related to privacy of an individual data or personal information. however, these each law has a common objective but their mechanism and procedure differ.
Conclusion
Privacy by design has become a milestone in modern software development contract while maintaining privacy at each and every stage of development of any software rather than focusing and adding it on the end. instead of treating privacy as an optional feature the organization should make it as an important part of designing, developing and processing of software contract. The general data protection, regulation and digital personal data protection act provides a legal framework for protection of personal data and provide certain rights to individual so that they can access their personal information or can demand for correction or deletion for specific purposes, or can file complaint for an infringement by an authorized user. The consent of the individual should be taken, which will be free and informed and without any force and should inform about the data retention clause. and compliance with such laws not only avoid penalty, but also built cordial relation, and trust within the user. Which will be directly results in developing and improving reputation of the organization.

Assistant Director, Legallands
Global Trade & Investment Expert
Nicke Tuli is an Assistant Director at Legallands, specializing in international business setup, global trade laws, and cross-border investments. With extensive expertise in Comprehensive Economic Partnership Agreements (CEPA) and foreign dispute resolution, she provides strategic guidance to Indian investors expanding into international markets, particularly in the UAE and GCC region.
Her recent works include analytical pieces on:
Dispute Resolution and Recovery Mechanisms for Indian Investors in the UAE
Economic Impact of Relaxed Export Rules on Indian E-Commerce and MSMEs
Nicke is passionate about simplifying global business frameworks and helping Indian entrepreneurs navigate international legal ecosystems with confidence.

