Introduction: India's New Data Protection Era
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment for data privacy in India. Enacted in August 2023, this legislation establishes comprehensive requirements for organizations processing the digital personal data of individuals in India, including organizations located outside India whose processing is connected with offering goods or services to people in India.
For multinational organizations with Indian customers, employees, or operations, compliance is not optional. This guide provides a practical checklist to help you navigate the DPDP Act's requirements.
Applicability: Does the DPDP Act Apply to You?
The DPDP Act applies to:
- Processing within India: Processing of digital personal data within India, whether the data was collected in digital form or collected in non-digital form and digitised afterwards
- Extraterritorial reach: Processing outside India if it is in connection with any activity related to offering goods or services to Data Principals within India
- Wholly or partly automated processing: The Act defines "processing" as a wholly or partly automated operation (or set of operations) on digital personal data, so manual handling of paper records falls outside it until the data is digitised
Key exemptions: Processing for personal or domestic purposes; personal data made publicly available by the Data Principal herself or by someone under a legal obligation to publish it; and processing for enforcing legal rights or claims, for judicial or regulatory functions, or for the prevention and investigation of offences.
Key Definitions
| Term | Definition |
|---|---|
| Data Principal | Individual whose personal data is processed (equivalent to GDPR's "data subject") |
| Data Fiduciary | Entity that determines the purpose and means of processing (equivalent to "data controller") |
| Data Processor | Entity that processes data on behalf of a Data Fiduciary |
| Significant Data Fiduciary | Data Fiduciary (or class of them) notified by the Central Government based on factors such as the volume and sensitivity of data processed, the risk to Data Principals' rights, and the potential impact on sovereignty, security, electoral democracy or public order |
| Consent Manager | Registered entity enabling Data Principals to manage consent through accessible platform |
Compliance Checklist
1. Consent Management: consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, limited to the stated purpose, and as easy to withdraw as it was to give
2. Notice Requirements: every consent request must be accompanied or preceded by a notice describing the personal data and the purpose, how the Data Principal can exercise their rights, and how to complain to the Data Protection Board
3. Data Principal Rights: access to a summary of the data processed, correction and erasure, grievance redressal, and the right to nominate another person to exercise these rights in case of death or incapacity
4. Data Security & Retention: implement reasonable security safeguards, and erase personal data once the purpose is served or consent is withdrawn, unless retention is required by law
5. Breach Notification: notify the Data Protection Board and each affected Data Principal of any personal data breach, in the form and manner prescribed by the rules
6. Children's Data (Under 18): obtain verifiable parental consent, and do not track, behaviourally monitor, or target advertising at children
7. Cross-Border Transfers: transfers are permitted except to countries or territories the Central Government restricts by notification
Significant Data Fiduciary Requirements
If notified as a Significant Data Fiduciary (based on volume, sensitivity, or risk), additional obligations apply:
- Data Protection Officer: Appoint a DPO based in India who is responsible to the board of directors and serves as the point of contact for grievance redressal
- Independent Auditor: Appoint an independent data auditor to evaluate compliance
- Periodic DPIA and Audit: Conduct periodic Data Protection Impact Assessments and periodic audits of processing activities
- Algorithmic Safeguards: Verify that algorithmic software used in processing is not likely to pose a risk to the rights of Data Principals
Penalties for Non-Compliance
- Up to ₹250 Crore (~$30M): Failure to take reasonable security safeguards
- Up to ₹200 Crore (~$24M): Failure to notify Board and Data Principals of breach
- Up to ₹200 Crore (~$24M): Non-compliance with children's data provisions
- Up to ₹150 Crore (~$18M): Non-compliance with Significant Data Fiduciary obligations
- Up to ₹50 Crore (~$6M): Other violations
DPDP Act vs. GDPR: Key Differences
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital and manual) |
| Lawful Bases | Consent + Legitimate Uses (narrower) | Six lawful bases including legitimate interest |
| Children's Age | Under 18 | Under 16 (can be lowered to 13) |
| Cross-Border | Restricted country blacklist approach | Adequacy decisions + safeguards |
| Right to Portability | Not explicitly included | Explicit right |
| DPO Requirement | Only for Significant Data Fiduciaries | Based on processing activities |
Implementation Roadmap
Phase 1: Assessment (Weeks 1-4)
- Map all personal data processing involving Indian Data Principals
- Identify legal bases for existing processing activities
- Assess current consent mechanisms against DPDP requirements
- Evaluate cross-border data transfer patterns
Phase 2: Gap Analysis (Weeks 5-8)
- Compare current practices against checklist requirements
- Identify privacy notice updates needed
- Assess technical capabilities for rights fulfillment
- Review vendor contracts for processor obligations
Phase 3: Remediation (Weeks 9-16)
- Update consent flows and privacy notices
- Implement or enhance rights management processes
- Establish breach notification procedures
- Update vendor agreements with processor clauses
Phase 4: Operationalize (Ongoing)
- Train relevant staff on DPDP requirements
- Establish ongoing monitoring and audit processes
- Monitor for rules notified by the Central Government and for orders and guidance from the Data Protection Board
- Conduct periodic compliance reviews
Conclusion
The DPDP Act represents a significant step in India's data protection maturity. For global organizations, compliance requires a structured approach—starting with understanding applicability, assessing current practices, and systematically addressing gaps.
While the Act awaits full implementation (pending rules and the establishment of the Data Protection Board), organizations should begin preparations now. Early compliance demonstrates commitment to data protection and positions you ahead of regulatory deadlines.