On 11 August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), the country's first comprehensive data protection legislation. It applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to individuals in India, so an organisation does not escape it merely by being based abroad. For enterprises, once the rules are notified, compliance will not be optional.
What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's principal legislation governing the processing of digital personal data. It establishes the rights of individuals (called "Data Principals") and the obligations of organisations that determine the purpose and means of processing that data (called "Data Fiduciaries"). The Act is enforced by the Data Protection Board of India (DPBI), an adjudicatory body with the power to impose significant financial penalties.
Key Definitions You Need to Know
| Term | Definition |
|---|---|
| Data Principal | The individual to whom the personal data relates. In the case of a child, the parent or lawful guardian acts as the Data Principal. |
| Data Fiduciary | Any person or organisation that alone or jointly determines the purpose and means of processing personal data. This is the equivalent of a "data controller" under GDPR. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order. |
| Data Processor | Any person or organisation that processes personal data on behalf of a Data Fiduciary — e.g., cloud providers, payroll processors, marketing platforms. |
| Consent Manager | A registered entity that acts as a single point of contact for Data Principals to manage their consent across multiple Data Fiduciaries. |
12 Key Requirements of the DPDP Act
The Act imposes a wide range of obligations on Data Fiduciaries. Here are the 12 most critical requirements every enterprise must address:
1. Lawful Purpose and Consent
Personal data may only be processed for a lawful purpose, either with the Data Principal's consent or for one of the legitimate uses the Act lists. Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Consent is limited to the stated purpose and to the personal data necessary for it, so bundling unrelated purposes under a single consent, or collecting more than the purpose needs, does not satisfy the Act.
2. Notice Before Collection
Before collecting consent, the Data Fiduciary must provide a notice in clear, plain language describing: what personal data is being collected, the specific purpose of processing, and how the Data Principal can exercise their rights.
3. Purpose Limitation
Personal data collected for one purpose cannot be used for another without fresh consent (or, for that new purpose, one of the legitimate uses the Act recognises). In practice this requires data lineage tracking that ties every record to the purpose it was collected for, and a consent store that can answer, per principal and per purpose, whether processing is currently permitted.
4. Data Minimisation
Only data that is necessary for the specified purpose should be collected. Organisations must audit their data collection practices and eliminate unnecessary data capture points.
5. Data Accuracy
Data Fiduciaries must make reasonable efforts to ensure that personal data is complete, accurate, and up-to-date, especially when it is used to make decisions that affect the Data Principal.
6. Storage Limitation
Personal data must not be retained beyond the period necessary for the specified purpose. Once the purpose is fulfilled, data must be erased unless retention is required by law.
7. Data Principal Rights
Data Principals have the right to: access a summary of their personal data and processing activities; correct or erase their data; withdraw consent at any time; nominate another person to exercise rights on their behalf; and file complaints with the Board.
8. Children's Data Protection
Processing children's data (under 18 years) requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. The government may exempt specific classes of Data Fiduciaries or purposes, and may notify a lower age threshold for a Data Fiduciary that has shown its processing of children's data is verifiably safe.
9. Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches, and this duty covers processing carried out on their behalf by Data Processors: outsourcing the processing does not outsource the liability. The Act does not enumerate specific controls; what counts as "reasonable" is left to the rules, but encryption, access controls, logging and monitoring are the baseline any assessor will expect, and processor contracts should flow these obligations down.
10. Breach Notification
In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal without undue delay, in the manner prescribed by the rules.
11. Cross-Border Data Transfers
Personal data may be transferred outside India to any country or territory not restricted by the Central Government via notification; in effect the government maintains a "negative list" of jurisdictions to which transfers are prohibited. This does not relax stricter localisation requirements imposed by other laws, such as sector regulators' rules, which continue to apply.
12. Significant Data Fiduciary Obligations
Organisations classified as Significant Data Fiduciaries face additional requirements: appointing a Data Protection Officer (DPO) based in India who is the point of contact for grievance redressal, appointing an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) and periodic audits, with the results furnished to the Board in the manner the rules prescribe.
Penalties: What's at Stake?
The DPDP Act empowers the Data Protection Board of India to impose significant financial penalties for non-compliance. Unlike GDPR, which caps penalties at a percentage of global annual turnover (or a fixed euro amount, whichever is higher), the DPDP Act specifies fixed maximum amounts per violation:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a data breach | Up to ₹250 crore |
| Failure to notify the Board and Data Principals of a breach | Up to ₹200 crore |
| Non-fulfilment of obligations related to children's data | Up to ₹200 crore |
| Non-fulfilment of additional SDF obligations | Up to ₹150 crore |
| Breach of any other provision of the Act | Up to ₹50 crore |
Importantly, penalties are per instance of violation — meaning an organisation with multiple compliance failures could face cumulative penalties well exceeding ₹250 crore.
Timeline: Where Are We Now?
The Act received Presidential Assent on 11 August 2023. The detailed rules, which specify the mechanics of compliance (e.g., consent procedures, breach notification timelines, SDF criteria), are being developed. Once the rules are notified, organisations will have a limited transition period to achieve compliance. The government has indicated that enforcement will begin in a phased manner, but enterprises should not wait — the preparation window is now.
How to Prepare: A Practical Roadmap
Compliance is a journey, not a destination. Here is a practical step-by-step roadmap for enterprises:
- Conduct a Data Inventory and Mapping Exercise — Identify all personal data across your systems, databases, cloud services, and third-party tools. Document what data you hold, where it resides, and how it flows.
- Assess Your Current Privacy Posture — Perform a gap analysis against the DPDP Act requirements. Identify areas where you fall short and prioritise remediation.
- Implement Consent Management — Deploy purpose-specific consent collection across all data touchpoints. Ensure consent is granular (one record per principal and purpose), timestamped, and auditable, that the record captures which notice the principal saw, and that withdrawing consent is as easy as giving it, as the Act requires.
- Build Data Subject Request Workflows — Create automated processes for access, correction, erasure, and grievance redressal requests with SLA tracking.
- Publish Clear Privacy Notices — Draft and display privacy notices in clear, accessible language describing what data is collected, why, and how data principals can exercise their rights.
- Establish a Breach Response Plan — Define roles, escalation paths, and notification templates so you can respond to breaches swiftly and in compliance with the Act. Include your Data Processors in the plan and in their contracts: the Fiduciary remains accountable for breaches in processing done on its behalf, so processor-side incidents must reach you in time to notify the Board and affected principals.
- Review Cross-Border Data Flows — Audit where personal data is transferred outside India and ensure those jurisdictions are not on the government's restricted list.
- Appoint a DPO and Conduct DPIAs (if SDF) — If your organisation is likely to be classified as a Significant Data Fiduciary, appoint a DPO based in India and begin conducting Data Protection Impact Assessments.
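The consent-management and purpose-limitation steps above (items 1, 3, 6 and 7 of the requirements, and the consent and DSR steps of the roadmap) come down to one data structure: a per-principal, per-purpose consent record with an immutable history. The following is an added illustration written for this article; it is not DataCrux.ai's code and the Act does not prescribe any particular design. Purpose names, retention periods, identifiers and timestamps are made up. It shows consent that covers only the purpose it was given for, withdrawal that immediately blocks processing, a retention clock that starts when consent ends, and a hash-chained event log so that an altered record is detectable in audit.

```python
"""Purpose-bound consent ledger with a tamper-evident audit trail.

Constructed illustration for this article, not DataCrux.ai code and not a
design the DPDP Act prescribes. All purposes, retention periods, principal
identifiers and timestamps below are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool      # True for an affirmative grant, False for a withdrawal
    at: datetime       # when the Data Principal acted (timezone-aware)
    source: str        # channel the action was captured on, e.g. "web:checkout"


class ConsentLedger:
    """One consent state per (principal, purpose); events are appended, never edited."""

    GENESIS = "0" * 64

    def __init__(self, retention: Dict[str, timedelta]) -> None:
        # purpose -> how long data for it may be kept once consent has ended
        self.retention = retention
        self._events: List[ConsentEvent] = []
        self._chain: List[str] = []   # chain[i] = sha256(chain[i-1] + canonical(events[i]))

    @staticmethod
    def _link(prev: str, e: ConsentEvent) -> str:
        canonical = json.dumps([e.principal_id, e.purpose, e.granted, e.at.isoformat(), e.source])
        return hashlib.sha256((prev + canonical).encode("utf-8")).hexdigest()

    def _append(self, principal_id: str, purpose: str, granted: bool, at: datetime, source: str) -> None:
        if purpose not in self.retention:
            raise ValueError(f"purpose not registered in the notice: {purpose!r}")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        event = ConsentEvent(principal_id, purpose, granted, at, source)
        prev = self._chain[-1] if self._chain else self.GENESIS
        self._events.append(event)
        self._chain.append(self._link(prev, event))

    def grant(self, principal_id: str, purpose: str, at: datetime, source: str) -> None:
        self._append(principal_id, purpose, True, at, source)

    def withdraw(self, principal_id: str, purpose: str, at: datetime, source: str) -> None:
        # Withdrawal is a single call, the same shape as grant: no extra friction.
        self._append(principal_id, purpose, False, at, source)

    def _latest(self, principal_id: str, purpose: str, now: datetime) -> Optional[ConsentEvent]:
        # Most recent event effective at 'now'; a later append wins on equal timestamps.
        latest = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose and e.at <= now:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest

    def may_process(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Consent for one purpose says nothing about another: an unknown pair is a refusal.
        e = self._latest(principal_id, purpose, now)
        return e is not None and e.granted

    def erasure_due(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Retention clock starts when consent ends, not when data was collected.
        e = self._latest(principal_id, purpose, now)
        return e is not None and not e.granted and now >= e.at + self.retention[purpose]

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.principal_id == principal_id), key=lambda e: e.at)

    def verify_chain(self) -> bool:
        # Recompute every link; any edited or reordered event breaks the chain.
        prev = self.GENESIS
        for e, h in zip(self._events, self._chain):
            if self._link(prev, e) != h:
                return False
            prev = h
        return len(self._events) == len(self._chain)


def demo() -> Dict[str, bool]:
    """Walk one principal through grant, withdrawal, retention expiry and a tampered log."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)      # assumed timestamps
    ledger = ConsentLedger({"order_fulfilment": timedelta(days=30), "marketing": timedelta(days=0)})
    ledger.grant("dp-001", "order_fulfilment", t0, "web:checkout")
    ledger.withdraw("dp-001", "order_fulfilment", t0 + timedelta(days=10), "web:account")
    results = {
        "fulfilment_ok_on_day_1": ledger.may_process("dp-001", "order_fulfilment", t0 + timedelta(days=1)),
        "marketing_not_covered": ledger.may_process("dp-001", "marketing", t0 + timedelta(days=1)),
        "fulfilment_blocked_after_withdrawal": ledger.may_process("dp-001", "order_fulfilment", t0 + timedelta(days=11)),
        "erasure_not_yet_due": ledger.erasure_due("dp-001", "order_fulfilment", t0 + timedelta(days=20)),
        "erasure_due_after_retention": ledger.erasure_due("dp-001", "order_fulfilment", t0 + timedelta(days=40)),
        "chain_intact": ledger.verify_chain(),
    }
    # Simulate an insider rewriting the withdrawal into a grant: the audit chain exposes it.
    ledger._events[1] = ConsentEvent("dp-001", "order_fulfilment", True, t0 + timedelta(days=10), "web:account")
    results["tamper_detected"] = not ledger.verify_chain()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keying state by (principal, purpose) rather than by principal alone is that "consent for order fulfilment" never silently authorises marketing, which is exactly the purpose-limitation failure regulators look for. The hash chain is deliberately simple; in production the chain head would be anchored somewhere the application cannot write, such as a separate audit store or a signed log, so that the verification is independent of the system being audited.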
How DataCrux.ai Can Help
DataCrux.ai is purpose-built for DPDP Act compliance. Our AI-powered platform automates data discovery, consent management, DSR fulfilment, breach management, and compliance reporting — giving you a single pane of glass for your entire privacy programme. Built from India, for India, with pricing that works for Indian enterprises.