DPDPA 2023
Get compliant with India’s landmark data protection law before enforcement begins — penalties up to INR 250 crore.
DPDPA 2023 Compliance
India’s First Comprehensive Data Protection Law
The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive legislation governing the processing of digital personal data. Passed in August 2023, the Act establishes a consent-first framework for personal data processing, creates enforceable rights for data principals (individuals), imposes significant obligations on data fiduciaries (organisations that process personal data), and introduces penalties of up to INR 250 crore for violations. The implementing rules, which will provide detailed operational requirements, are expected to be notified in phases through 2025.
For organisations operating in India or processing the personal data of Indian residents, the DPDPA is not a distant regulatory concern — it is an imminent operational requirement. The organisations that prepare now will have a significant advantage over those that scramble to comply once enforcement begins.
Who the DPDPA applies to
The Act applies to every data fiduciary that processes digital personal data of individuals in India, regardless of where the fiduciary is located. This includes: Indian companies of all sizes, from startups to large enterprises; multinational corporations processing data of Indian customers, employees, or users; technology companies offering digital services to Indian users; e-commerce platforms, fintech companies, healthtech providers, edtech platforms, and SaaS businesses operating in the Indian market; and any organisation with Indian employees whose HR data is processed digitally.
The Act also applies to personal data processed outside India if it relates to offering goods or services to data principals in India.
Key obligations under the DPDPA
Consent and notice: Before processing personal data, a data fiduciary must obtain free, specific, informed, and unconditional consent from the data principal, preceded by a clear notice describing the purpose of processing, the data being collected, and the data principal’s rights. Consent must be as easy to withdraw as it was to give.
Deemed consent: The Act recognises certain situations where consent is deemed to have been given — including voluntary provision of data for a specified purpose, data necessary for the state to provide benefits or services, data processing required by law, and data processing for employment purposes. Understanding which of your processing activities fall under deemed consent versus explicit consent is critical for operational design.
Data principal rights: The Act grants data principals the right to access information about their data, the right to correction and erasure, the right to grievance redressal, and the right to nominate another person to exercise these rights. Data fiduciaries must enable these rights through accessible, functional processes — not buried contact forms.
Grievance redressal: Every data fiduciary must appoint a grievance officer and establish a process for receiving and resolving complaints from data principals. The grievance officer’s contact details must be published prominently. This is not a token appointment — the Data Protection Board will evaluate whether organisations have functional grievance mechanisms.
Children’s data: Processing personal data of children (under 18) requires verifiable parental consent. Certain types of processing — including behavioural monitoring and targeted advertising — are prohibited for children’s data. Organisations that serve or may serve minors need to implement age verification and parental consent mechanisms.
Significant data fiduciaries: The central government may designate certain data fiduciaries as “significant” based on volume of data processed, risk of harm, and impact on sovereignty and public order. Significant data fiduciaries face additional obligations including appointing a Data Protection Officer resident in India, conducting periodic Data Protection Impact Assessments, and independent auditing.
Cross-border transfers: The Act adopts a blacklist approach — data can be transferred to any jurisdiction except those specifically restricted by the central government. This is a simpler model than GDPR’s adequacy framework, but organisations must monitor the restricted jurisdictions list as it develops.
Penalties: The Act prescribes penalties of up to INR 250 crore for various violations, enforced by the Data Protection Board of India. The penalty schedule is specific: failure to take security safeguards resulting in a breach carries a maximum penalty of INR 250 crore; failure to notify the Board and affected individuals of a breach carries INR 200 crore; non-compliance with children’s data obligations carries INR 200 crore.
How we help
We implement end-to-end DPDPA compliance programmes. Our approach begins with a gap assessment against all Act requirements, mapping your current data processing activities and identifying where you fall short. We design and implement consent mechanisms, draft privacy notices that meet the Act’s specificity requirements, establish grievance redressal processes, build data principal rights workflows, review vendor and processor agreements, and develop breach response playbooks. For organisations that also need to comply with GDPR or other privacy laws, we design unified programmes that satisfy all applicable regulations.
What DPDPA 2023 gives your business
First-mover advantage
Organisations that achieve DPDPA compliance before enforcement begins avoid the scramble and cost premium that comes with last-minute compliance efforts.
Penalty avoidance
The DPDPA prescribes fines of up to INR 250 crore; a documented compliance programme demonstrates due diligence and reduces enforcement risk.
Customer trust
Transparent consent practices and functional grievance redressal build trust with Indian consumers, who are increasingly aware of their data rights.
Enterprise readiness
Large Indian enterprises and government entities will increasingly require DPDPA compliance from their vendors and service providers as enforcement begins.
Multi-regulation efficiency
Our DPDPA implementations are designed to align with GDPR and other privacy laws, reducing the cost of compliance for organisations operating across jurisdictions.
When will the DPDPA be enforced?
How is the DPDPA different from GDPR?
Do we need a Data Protection Officer?
We are a startup with limited resources. How do we approach DPDPA compliance?
Start your DPDPA 2023 journey today.
Every engagement begins with a free discovery call. No commitments, no pressure — just a clear picture of where you stand.