Overview and Background

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law, receiving Presidential assent in August 2023. The DPDP Rules 2025 provide the detailed implementation framework.

Key milestones:

  • August 2023: DPDP Act enacted
  • January 2025: DPDP Rules notified
  • 2025-2027: Phased enforcement begins

Practical Focus

The DPDP Act adopts a consent-centric, principle-based approach rather than prescriptive rules. Organisations have flexibility in implementation but must demonstrate accountability for personal data protection.

Who Does DPDP Apply To?

The DPDP Act applies to:

Territorial Scope

  • Processing of digital personal data within India
  • Processing outside India if it relates to offering goods/services to individuals in India
  • Processing outside India if it involves profiling individuals in India

What is Covered

  • Digital personal data (data in electronic form)
  • Personal data that is digitised after collection
  • Both automated and non-automated processing of digital personal data

Exemptions

  • Personal data processed for personal or domestic purposes
  • Personal data made publicly available by the data principal
  • Processing necessary for enforcement of legal rights
  • Processing by State for specified sovereign functions

Key Terms and Roles

The DPDP Act introduces specific terminology:

DPDP Term                    | GDPR Equivalent                          | Definition
-----------------------------|------------------------------------------|---------------------------------------------------------------
Data Principal               | Data Subject                             | The individual whose personal data is processed
Data Fiduciary               | Data Controller                          | Entity that determines the purpose and means of processing
Data Processor               | Data Processor                           | Entity that processes data on behalf of a Data Fiduciary
Consent Manager              | No equivalent                            | Registered entity that manages consent on behalf of principals
Significant Data Fiduciary   | Similar to GDPR DPO requirement triggers | High-risk fiduciaries notified by the government

Data Principal Rights

The DPDP Act grants individuals the following rights:

Right to Information

  • Summary of personal data being processed
  • Processing activities undertaken
  • Identity of other fiduciaries and processors with whom data is shared
  • Any other information as may be prescribed

Right to Correction and Erasure

  • Correction of inaccurate or misleading personal data
  • Completion of incomplete personal data
  • Erasure of personal data no longer necessary for purpose

Right of Grievance Redressal

  • Right to approach Data Fiduciary's grievance mechanism
  • Right to escalate to Data Protection Board if unresolved

Right to Nominate

  • Right to nominate another individual to exercise rights in case of death or incapacity

Data Fiduciary Obligations

Data Fiduciaries must comply with these core obligations:

Ground for Processing

  • Consent: The primary ground; consent must be free, specific, informed, unconditional and unambiguous
  • Legitimate Uses: Specified purposes that do not require consent (employment, emergencies, State functions, legal obligations)

Purpose Limitation

  • Process only for purposes consented to or legitimate uses
  • No processing for purposes not disclosed at consent

Data Minimisation

  • Collect only the data necessary for the specified purpose
  • Do not retain data beyond the period necessary for that purpose

Accuracy

  • Ensure the completeness, accuracy and consistency of personal data
  • Particularly where the data may affect the principal or is shared with others

Security Safeguards

  • Implement reasonable security safeguards
  • Prevent personal data breach
  • Notify Board and affected principals of breach

Accountability

  • Publish the contact details of the person who answers data principals' queries
  • Implement a grievance redressal mechanism
  • Erase data when consent is withdrawn or the purpose has been fulfilled

Consent Requirements

The DPDP Act establishes detailed consent requirements:

Characteristics of Valid Consent

  • Free: Not obtained through coercion or undue influence
  • Specific: Given for specific purposes, not blanket consent
  • Informed: Principal understands what they're consenting to
  • Unconditional: Not bundled with service access inappropriately
  • Unambiguous: Clear affirmative action, not assumed from silence

Notice Requirements

Before or at collection, provide notice containing:

  • Personal data to be collected and purpose
  • How the principal may exercise rights
  • How to make complaint to Data Protection Board
  • The notice must be available in English and the 22 scheduled languages

Consent for Children

  • Verifiable parental consent required for children under 18
  • No tracking, behavioural monitoring, or targeted advertising to children
  • No processing that may cause harm to child

Significant Data Fiduciaries

The Central Government may notify certain Data Fiduciaries as "Significant Data Fiduciaries" (SDFs) based on:

Criteria for SDF Designation

  • Volume and sensitivity of personal data processed
  • Risk to rights of data principals
  • Potential impact on sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the State
  • Public order

Additional SDF Obligations

  • Data Protection Officer: Appoint a DPO based in India who acts as the point of contact for principals and the Board
  • Data Protection Impact Assessment: Conduct periodic DPIAs as prescribed
  • Audit: Undergo periodic audits by an independent data auditor
  • Other Measures: As may be prescribed by the rules

Cross-Border Data Transfers

The DPDP Act takes a permissive approach to cross-border transfers:

Default Position

  • Personal data may be transferred outside India
  • No adequacy determination required by default

Government Restrictions

  • Central Government may restrict transfer to specified countries
  • Restrictions will be notified as needed
  • At present, no countries are on the restricted list

Practical Considerations

  • Other laws may impose additional restrictions (e.g., RBI data localisation)
  • Contractual obligations with processors should address transfer
  • Security safeguards must apply regardless of location

Penalties

The DPDP Act introduces significant financial penalties:

Violation                                              | Maximum Penalty (INR) | Approximate USD
-------------------------------------------------------|-----------------------|----------------
Failure to take security safeguards (breach)           | Rs. 250 crore         | ~$30 million
Failure to notify breach                               | Rs. 200 crore         | ~$24 million
Failure to comply with children's data requirements    | Rs. 200 crore         | ~$24 million
Failure to comply with SDF obligations                 | Rs. 150 crore         | ~$18 million
Failure to comply with other provisions                | Rs. 50 crore          | ~$6 million

Note: The Data Protection Board determines penalties based on the nature, gravity and duration of the breach, the type of personal data affected, and the fiduciary's compliance history.

What to Do Now

Organisations should take the following steps:

Immediate Actions

  • Assess applicability of DPDP Act to your organisation
  • Inventory personal data processing activities
  • Review and update privacy notices
  • Assess consent mechanisms against DPDP requirements
  • Review data processor agreements

Medium-Term Actions

  • Implement/enhance data subject rights mechanisms
  • Establish grievance redressal processes
  • Review security safeguards
  • Prepare breach notification procedures
  • Train staff on DPDP requirements

Ongoing Activities

  • Monitor for SDF notification (if applicable)
  • Track rule-making and regulatory guidance
  • Maintain compliance program