Digital Personal Data Protection Act, 2023 (DPDPA) Advisory & Implementational Guide

June 01, 2026


Digital Personal Data Protection Act, 2023 (DPDPA)
Advisory & Implementational Guide

Table of Contents

Advisory & Implementational Guide
8. OPERATIONAL READINESS – WHAT YOU NEED TO IMPLEMENT
9. REGULATORY & CONTRACTUAL RISK MANAGEMENT
CONCLUSION & WAY FORWARD

Share Blog

Digital Personal Data Protection Act, 2023 (DPDPA)

Advisory & Implementational Guide


1. EXECUTIVE OVERVIEW

The Digital Personal Data Protection Act, 2023 (“DPDPA”) introduces a comprehensive and enforceable framework governing the processing (collection, use, storage and sharing) of digital personal data in India. The law significantly enhances compliance obligations and introduces high financial penalties for non-compliance.

Enforcement Timeline

While the Digital Personal Data Protection Act, 2023 has been enacted, the Digital Personal Data Protection Rules, 2025 provide a transition period of approximately 18 months for the implementation of the core compliance obligations applicable to businesses. Accordingly, organisations are advised to commence compliance planning and operational readiness well before the end of this transition period to mitigate regulatory, contractual and enforcement risks.


2. DOES THE DPDPA APPLY TO YOU?

The DPDPA applies if your organisation:

·       Collects or processes digital personal data;

·       Collects personal data in physical form and later digitises it; or

·       Is a foreign entity processing personal data of individuals in India in connection with offering goods or services.

The Act does not apply to personal data made publicly available by the individual or where a person is under a legal obligation to make personal data publicly available.

Your organisation likely falls within DPDPA if you:

- Collect customer data

- Process employee data

- Use CRM or HR software

- Operate a website or mobile application

- Use cloud storage for personal data


3. WHAT HAS CHANGED FROM THE EARLIER REGIME?

| Earlier Framework (IT Act & SPDI Rules) | DPDPA 2023 |
|---|---|
| Fragmented and limited obligations | Single comprehensive statute |
| Generic privacy policies | Purpose-specific, itemised notices |
| Loose consent standards | Free, specific, informed, unambiguous consent |
| Limited individual rights | Enforceable statutory rights |

·       The DPDPA requires businesses to obtain verifiable parental consent before processing the personal data of children. Businesses must not carry out tracking or behavioural monitoring of children and must not direct targeted advertising at them.

·       The DPDPA permits transfer of personal data outside India except to jurisdictions that may be restricted by notification of the Central Government.


4. KEY BUSINESS RISKS

·       Significant financial penalties for non-compliance, ranging up to a maximum of INR 250 Crores per instance

·       Mandatory reporting of data breaches to regulators and affected individuals

·       Increased contractual exposure with vendors and service providers

·       Reputational harm and regulatory scrutiny


5. UNDERSTANDING YOUR ROLE

Data Fiduciary: Entity that determines the purpose and means of processing personal data.

Data Processor: Entity that processes personal data on behalf of a Data Fiduciary under contractual instructions.


6. QUICK ROLE TEST

You are likely a Data Fiduciary if you:

- Decide why personal data is collected;

- Decide how personal data is processed; and

- Have a direct relationship with customers or users.

You are likely a Data Processor if you:

- Process data strictly on client instructions; and

- Do not independently determine the purpose of processing.


7. OBLIGATIONS AT A GLANCE

If You Are a Data Fiduciary

You must:

- Issue compliant privacy notices;

- Obtain and manage valid consent;

- Enable withdrawal of consent;

- Implement grievance redressal mechanisms;

- Notify data breaches to the Data Protection Board of India and affected individuals;

- Ensure vendor compliance through contracts.

If You Are a Data Processor

You must:

- Act strictly under contract;

- Implement robust technical and organisational safeguards;

- Support breach reporting and data deletion;

- Negotiate contractual liability.


8. OPERATIONAL READINESS – WHAT YOU NEED TO IMPLEMENT

Phase 1: Immediate Actions

·       Identify all sources and categories of personal data;

·       Map data collected against specific purposes;

·       Identify whether each processing activity is based on consent or on a legitimate use [the law permits processing without consent in certain circumstances classified as “legitimate uses”, including compliance with law, employment-related purposes, medical emergencies, and other public interest situations];

·       Identify vendors and group entities handling personal data;

·       Assign internal ownership for DPDPA compliance.


Phase 2: Short-Term Actions

·       Update privacy policies and notices;

·       Implement consent collection and withdrawal mechanisms;

·       Establish grievance redressal processes;

·       Update vendor, SaaS and outsourcing agreements to include clauses for security, breach notification, audit rights, deletion and subcontracting;

·       Develop a data breach response protocol.


Phase 3: Medium-Term Actions

·       Automate consent management and data erasure;

·       Conduct data protection impact assessments (where applicable);

·       Prepare for designation as a Significant Data Fiduciary (if applicable);

·       Conduct internal training across teams.


9. REGULATORY & CONTRACTUAL RISK MANAGEMENT

A. Data Breach Preparedness

·       Establish internal breach detection and escalation protocols;

·       Prepare notification templates for regulators and individuals;

·       Align reporting obligations across multiple regulators (CERT-In, RBI, SEBI, etc.).


B. Vendor & Contractual Readiness

·       Review and update data processing agreements;

·       Allocate breach-related liabilities contractually;

·       Ensure clear data retention and deletion obligations;

·       Implement audit and compliance rights.


CONCLUSION & WAY FORWARD

The DPDPA represents a fundamental shift in India’s data protection regime. Compliance will require sustained legal, technical and organisational effort. Given the proposed enforcement of core obligations from May 2027, organisations should utilise the transition period to build robust, scalable and defensible compliance frameworks.

Early and structured readiness will significantly reduce regulatory exposure, contractual disputes and operational disruption.
