
DPDP Act 2023: the compliance guide every Indian business needs.

By Mohammed Siraj · DeccanBridge

January 2025 · DeccanBridge Legal India · 12 min read

The Digital Personal Data Protection Act 2023 is India's first comprehensive data privacy law. Its rules are pending notification — but the framework is clear and penalties are severe: up to ₹250 crore per breach of a significant data fiduciary's obligations. Every Indian business that processes personal data needs a compliance plan now.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 (DPDP Act) governs the processing of digital personal data in India. It applies to:

  • Processing of digital personal data within India
  • Processing of digital personal data outside India where it relates to offering goods or services to individuals within India

"Personal data" means data about an individual who is identifiable by or in relation to such data. "Processing" means automated operations on digital personal data, including collection, storage, use, sharing, disclosure, deletion, and destruction.

Key roles: Data Fiduciary vs Data Principal

The Act uses terminology that differs from GDPR:

  • Data Fiduciary — an entity (person, company, or state) that processes personal data or determines the purpose and means of processing. Equivalent to GDPR's "Data Controller."
  • Data Principal — the individual whose personal data is being processed. Equivalent to GDPR's "Data Subject."
  • Data Processor — an entity that processes personal data on behalf of a Data Fiduciary.
  • Significant Data Fiduciary (SDF) — designated by the Central Government based on volume of data, sensitivity, national security implications, or risk to rights of data principals. SDFs face enhanced obligations.

Core obligations for Data Fiduciaries

Every Data Fiduciary must:

  • Process only with consent or for lawful purposes — consent must be free, specific, informed, unconditional, and unambiguous. A "consent notice" in plain language must accompany each consent request.
  • Purpose limitation — personal data collected for one purpose cannot be used for a different purpose without fresh consent
  • Data minimisation — only data that is necessary for the stated purpose may be collected
  • Accuracy — reasonable efforts to ensure personal data is accurate and updated
  • Retention limitation — data must be deleted when the purpose is fulfilled or consent is withdrawn
  • Security safeguards — reasonable security safeguards to prevent personal data breach
  • Breach notification — notify the Data Protection Board and affected data principals in the event of a breach

Rights of Data Principals

Individuals have the following rights under the DPDP Act:

  • Right to information — information about data being processed and the basis for processing
  • Right to correction and erasure — rectification or erasure of inaccurate personal data
  • Right to grievance redressal — the fiduciary must establish a grievance mechanism
  • Right to nominate — right to nominate another individual to exercise rights on death or incapacity

The Act does not include a general "right to be forgotten" or right to data portability — making it narrower than GDPR in some respects.

Penalties

The Data Protection Board of India may impose penalties up to:

  • ₹250 crore — for failure of Significant Data Fiduciaries to observe their obligations
  • ₹200 crore — for failure to notify a data breach
  • ₹200 crore — for failure of Data Fiduciaries to safeguard children's data
  • ₹50 crore — for non-fulfilment of obligations of Data Processors or Data Fiduciaries

Building a DPDP compliance programme: a 5-step approach

Businesses should structure their DPDP compliance around five work-streams:

  • Step 1: Data mapping — catalogue all personal data processed, the purpose, the basis (consent or lawful purpose), and the third parties with whom it is shared
  • Step 2: Consent management — audit existing consent collection mechanisms and redesign consent notices to meet the DPDP Act's requirements (plain language, specific, with withdrawal mechanism)
  • Step 3: Policy drafting — update privacy notice, retention policy, and internal data processing policies
  • Step 4: Technical controls — implement deletion/anonymisation workflows, breach detection, and security safeguards
  • Step 5: Grievance mechanism — appoint a Data Protection Officer or designate a grievance officer; set up a response process for rights requests

Children's data: a special compliance obligation

Processing of personal data of children (under 18) requires verifiable parental consent. Fiduciaries are prohibited from processing children's data in a manner that is detrimental to their wellbeing. This affects apps, gaming platforms, EdTech, and any service that may be used by minors.

DeccanBridge guidance

Our legal and technology advisory teams assist Indian companies with DPDP Act readiness assessments, consent framework design, privacy notice drafting, and Data Protection Officer advisory. The rules are still pending notification — but mapping your data processing now means you will not be scrambling when they arrive.

Contact: connect@deccanbridge.com or +91 94922 01497.
