The Complete Guide to India's DPDP Act
Everything compliance teams need to know about India's Digital Personal Data Protection Act — from consent obligations to significant data fiduciary requirements, timelines, and penalties.
What is the DPDP Act and Why Does it Matter?
India's Digital Personal Data Protection Act 2023 (DPDP Act) is the country's first comprehensive legislation governing how organisations collect, store, process and share personal data. Passed by Parliament and given presidential assent in August 2023, it applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to Data Principals in India, whether the processing entity is Indian or foreign. Note that the Act takes effect only on the dates the Central Government notifies, and different provisions can be brought into force on different dates, so the operative deadlines depend on those notifications and the rules made under the Act.
The Act matters because India is home to over 900 million internet users and some of the world's fastest-growing digital markets. Until now, data protection in India rested on scattered provisions, principally Section 43A of the Information Technology Act 2000 and the Sensitive Personal Data or Information (SPDI) Rules 2011 made under it. The DPDP Act creates a unified, enforceable framework with real financial consequences for non-compliance: a monetary penalty for a single breach of the security-safeguards obligation can reach ₹250 crore.
Core Obligations for Data Fiduciaries
Under the DPDP Act, the entity that, alone or with others, determines the purpose and means of processing personal data is called a 'Data Fiduciary', broadly equivalent to a data controller under GDPR. Before processing, a Data Fiduciary must either obtain consent from the individual (the 'Data Principal') or rely on one of the Act's enumerated 'certain legitimate uses' (for example, data the person voluntarily provided for a specified purpose, employment purposes, or medical emergencies). Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it must be accompanied or preceded by a plain-language notice describing the personal data collected, the purpose of processing, how the Data Principal can exercise their rights, and how to complain to the Data Protection Board.
Data Fiduciaries are also required to implement reasonable security safeguards to prevent personal data breaches, to publish the business contact details of a Data Protection Officer (where one is required) or of a person who can answer Data Principals' questions about processing, to operate an effective grievance redressal mechanism, and to process data only for the purposes for which consent was obtained. Crucially, they cannot retain personal data longer than necessary: it must be erased once the specified purpose is no longer being served or consent is withdrawn, whichever comes first, unless a law requires retention. The same erasure obligation flows down to any Data Processor the fiduciary engages, and processors may be engaged only under a valid contract.
Significant Data Fiduciaries: Elevated Obligations
The Central Government has the power to designate certain organisations, or classes of them, as 'Significant Data Fiduciaries' (SDFs). The statutory factors include the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, risks to electoral democracy, security of the State and public order, and any other factor the Government considers necessary. SDFs face additional obligations that go beyond those of ordinary Data Fiduciaries.
SDFs must appoint a Data Protection Officer (DPO) who is based in India, is responsible to the Board of Directors or an equivalent governing body, and serves as the point of contact for grievance redressal. They must also appoint an independent data auditor to evaluate their compliance, and must carry out periodic Data Protection Impact Assessments (DPIAs), periodic audits, and any further measures the rules prescribe (the rules are where requirements on reviewing algorithmic processing for risks to Data Principals' rights are expected to land). For technology companies with large Indian user bases, SDF designation is a real possibility that should be planned for today.
Data Subject Rights Under DPDP
The DPDP Act grants Data Principals four core rights: the right to access a summary of the personal data being processed about them and the identities of the other Data Fiduciaries and Data Processors it has been shared with; the right to correction, completion, updating and erasure of their personal data; the right to grievance redressal, with the fiduciary obliged to respond within the period the rules prescribe; and the right to nominate another person to exercise these rights on their behalf in the event of death or incapacity.
Organisations must establish mechanisms to receive and respond to these requests within the timelines specified by the Government. The Act itself does not fix a response window (unlike GDPR's one-month limit, extendable by a further two months in complex cases); that is left to the rules made under the Act. Building DSR workflows now, rather than waiting for final rules, puts organisations ahead of the compliance curve.
Consent Management: What Good Looks Like
The DPDP Act requires that the request for consent be presented in clear and plain language, be understandable on its own rather than buried in terms and conditions, and be available in English or any of the languages in the Eighth Schedule to the Constitution at the Data Principal's option. Consent is purpose-specific: it covers only the personal data necessary for the specified purpose, and any consent sought for processing beyond that purpose is limited to the necessary extent (the Act's own illustration is an app that asks for access to the user's contacts when that is not needed for the service). Individuals must be able to withdraw consent at any time, withdrawal must be as easy as giving consent, and withdrawal does not affect the lawfulness of processing that took place before it; the consequences of withdrawal, such as losing a service that genuinely depends on the data, are borne by the Data Principal.
Consent management under the DPDP Act must be operationalised, not just documented. A Consent Manager, a Board-registered entity accountable to the Data Principal that lets them give, manage, review and withdraw consent through an accessible, transparent and interoperable platform, may sit in the consent chain. Organisations must build systems to record, timestamp, version and produce evidence of consent: where a dispute arises over whether notice was given and consent obtained, the Act places the burden of proof squarely on the Data Fiduciary.
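The following is an added example, not code from the original page or from TruePrivacy, of what "record, timestamp, version and produce evidence" looks like in practice: an append-only, hash-chained consent ledger. Every grant or withdrawal is stored with the purpose, the version of the notice the person actually saw, and a timezone-aware timestamp; each event's hash covers the previous event, so any later edit to the record breaks the chain and is detectable, which is what you want when you carry the burden of proof. The purpose names, notice versions and principal identifiers are hypothetical; the point-in-time check also implements the rule that withdrawal does not retroactively invalidate earlier processing.

```python
"""Append-only, hash-chained consent ledger (added example; not TruePrivacy code).

Assumptions: events are appended in time order, and purpose strings such as
"marketing" are hypothetical labels chosen by the Data Fiduciary.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str            # one event per purpose: consent is purpose-specific
    notice_version: str     # which privacy notice the person saw when consenting
    action: str             # "grant" or "withdraw"
    at: datetime            # timezone-aware timestamp
    prev_hash: str          # digest of the preceding event (chain link)
    digest: str = ""        # computed in __post_init__, covers every field above

    def __post_init__(self):
        if self.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if self.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {self.action!r}")
        object.__setattr__(self, "digest", _sha256(self.canonical()))

    def canonical(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
        return json.dumps({
            "principal_id": self.principal_id, "purpose": self.purpose,
            "notice_version": self.notice_version, "action": self.action,
            "at": self.at.isoformat(), "prev_hash": self.prev_hash,
        }, sort_keys=True, separators=(",", ":"))


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self):
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id, purpose, notice_version, action, at):
        prev = self._events[-1].digest if self._events else GENESIS
        event = ConsentEvent(principal_id, purpose, notice_version, action,
                             at or datetime.now(timezone.utc), prev)
        self._events.append(event)
        return event

    def grant(self, principal_id, purpose, notice_version, at=None):
        return self._append(principal_id, purpose, notice_version, "grant", at)

    def withdraw(self, principal_id, purpose, at=None):
        # Record the withdrawal against the notice version of the latest grant
        grants = [e for e in self._events
                  if e.principal_id == principal_id and e.purpose == purpose
                  and e.action == "grant"]
        version = grants[-1].notice_version if grants else ""
        return self._append(principal_id, purpose, version, "withdraw", at)

    def has_consent(self, principal_id, purpose, at) -> bool:
        """Was consent for this purpose in force at time `at`?

        The latest event at or before `at` decides; a later withdrawal does not
        make earlier processing unlawful, so checks must be point-in-time.
        """
        state = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose and e.at <= at:
                state = e.action
        return state == "grant"

    def evidence(self, principal_id, purpose) -> list[dict]:
        """Chain excerpt to hand to the Board or a Data Principal on request."""
        return [{"action": e.action, "at": e.at.isoformat(),
                 "notice_version": e.notice_version,
                 "prev_hash": e.prev_hash, "digest": e.digest}
                for e in self._events
                if e.principal_id == principal_id and e.purpose == purpose]

    def verify(self) -> bool:
        """Recompute every digest and link; False if any event was altered."""
        prev = GENESIS
        for e in self._events:
            if e.prev_hash != prev or _sha256(e.canonical()) != e.digest:
                return False
            prev = e.digest
        return True
```

In production the chain would be anchored periodically (for example by writing the latest digest to write-once storage or a separate system of record) so that an attacker who can rewrite the whole table cannot simply rebuild a consistent chain; the in-memory list above is enough to show the check.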
Data Breach Notification Requirements
The DPDP Act requires a Data Fiduciary to notify both the Data Protection Board and each affected Data Principal of a personal data breach, in the form and manner prescribed by the rules. Two differences from GDPR matter operationally. First, there is no materiality threshold: GDPR excuses notification where a breach is unlikely to result in a risk to individuals, but the DPDP Act contains no such carve-out, so every breach is in scope. Second, the Act itself fixes no deadline; the timing comes from the rules rather than from a statutory 72-hour window, so organisations should plan for a cadence at least as demanding as GDPR's.
The Act leaves the content of the notification to the rules, so the safe assumption is that the prescribed form will ask for at least the nature of the personal data involved, how many and which Data Principals are affected, the likely consequences for them, and the measures taken or proposed to contain the breach, and that the Board may follow up with questions. Organisations that process personal data at scale need a breach response playbook with pre-drafted notification templates for both the Board and affected individuals, clear escalation paths, and board-level involvement.
Penalties and Enforcement
The DPDP Act establishes the Data Protection Board of India as the enforcement body, responsible for receiving complaints, conducting inquiries, and imposing monetary penalties; appeals against the Board's orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Penalties are substantial and are set out in the Schedule to the Act: failure to implement reasonable security safeguards can attract up to ₹250 crore; failure to notify a data breach to the Board or affected Data Principals up to ₹200 crore; breach of the additional obligations protecting children's data up to ₹200 crore; breach of the additional obligations of a Significant Data Fiduciary up to ₹150 crore; and breach of any other provision up to ₹50 crore.
The Board can direct a Data Fiduciary to take urgent remedial or mitigation measures on learning of a breach, can accept a voluntary undertaking from a person under inquiry in place of proceedings, and can refer parties to mediation. Two points often misread from GDPR do not carry over: the Act provides no compensation remedy for Data Principals (penalties are paid into the Consolidated Fund of India), and Data Principals themselves have duties, with a penalty of up to ₹10,000 for false or frivolous complaints.
Preparing for DPDP Compliance: Where to Start
Compliance with the DPDP Act requires both organisational and technical changes. Start with a data mapping exercise to identify what personal data you hold, where it came from, where it goes, and how long you keep it. This forms the foundation of your consent and retention management programme.
Next, audit your existing consent mechanisms and privacy notices against the DPDP standards. Build or acquire a consent management system that captures granular, purpose-specific consent and can produce evidence of consent on demand. Establish a DSR handling workflow, publish a contact for grievances and put a redressal process behind it, and draft your breach notification playbook. Organisations that approach DPDP compliance as an operational programme, not a documentation exercise, will be best positioned when enforcement begins.
Automate your privacy compliance
See how TruePrivacy can handle DSRs, consent, and breach response — all in one platform.