DPDP Act 2023: Compliance Guide for Indian Businesses

Personal data used to be a checkbox on compliance audits. Today, it governs how businesses collect leads, personalise content, handle user requests, and respond to breaches. It’s also squarely in the spotlight of regulatory scrutiny.

With the Digital Personal Data Protection (DPDP) Act, 2023, India formalises its stance on digital privacy. But this isn’t a carbon copy of GDPR. The law reflects local digital infrastructure, platform-first service delivery, and the government’s active role in regulating how data flows within and beyond borders.

A Quick Timeline: How We Got Here

The DPDP Act was the result of six years of legislative evolution—beginning with a landmark Supreme Court ruling and shaped by committee reports, industry feedback, and intense parliamentary debate.

Date          | What happened
--------------|-----------------------------------------------------------------------------------------------
24 Aug 2017   | Supreme Court declares the Right to Privacy a fundamental right (Justice K.S. Puttaswamy vs Union of India)
22 Dec 2018   | Justice B.N. Srikrishna Committee initiates public consultations on a draft data law
Jul 2018      | Committee submits the first draft of the Personal Data Protection Bill
11 Dec 2019   | The revised PDP Bill, 2019 is introduced in Lok Sabha and sent to a Joint Parliamentary Committee (JPC)
Aug 2022      | PDP Bill is withdrawn following heavy criticism
18 Nov 2022   | Ministry releases DPDP Bill, 2022 for public feedback
5 Jul 2023    | Cabinet clears the DPDP Bill, 2023
3–9 Aug 2023  | Introduced and passed in both Houses of Parliament
11 Aug 2023   | Assented to by the President; becomes the DPDP Act, 2023

What Does the DPDP Act Cover?

The DPDP Act regulates digital personal data – that is, any data that can identify an individual, either directly (e.g., name, phone number) or indirectly (e.g., cookies, device ID).

It applies to:

  • Data collected or processed in India
  • Any organisation (Indian or foreign) offering goods/services to individuals in India
  • Any data that is processed digitally, even if it was collected offline

This includes everything from signup forms and mobile analytics to cookies and support tickets. If your business handles such data, you’re now required to justify how and why it’s being processed.

Consent is Now a Proper Conversation

Consent under DPDP must be:

  • Informed: Users must know what data is being collected and for what purpose
  • Specific: No more one-size-fits-all permissions
  • Easy to Withdraw: Users should be able to say no at any point without friction

Privacy notices must be provided in plain language, and available in 22 Indian languages listed in the Constitution’s 8th Schedule.

[Image: side-by-side comparison table, "Bad Consent (Non-Compliant)" vs. "Good Consent (DPDP-Compliant)", five rows]

What Rights Do Users Have?

The Act gives data principals (i.e., users) control over how their information is collected, stored, and used. Their rights include:

  • Access: See what personal data is held and how it’s used
  • Correction: Fix inaccurate or outdated information
  • Erasure: Request deletion once data is no longer needed
  • Grievance Redressal: Raise complaints and receive timely responses
  • Nomination: Appoint a person to manage rights in case of death/incapacity

These rights apply to all data fiduciaries. Larger ones, or those handling sensitive data, must have systems in place to process such requests at scale.

Who is Responsible?

The Act distinguishes between:

  • Data Fiduciaries: The primary organisations that determine how and why data is processed

  • Data Processors: External parties handling data on behalf of a fiduciary (such as analytics firms or cloud providers)

Both are responsible for following privacy practices. That includes:

  • Strong encryption and access controls
  • Clear retention and deletion policies
  • Internal audits and breach protocols

Some fiduciaries, especially those dealing with sensitive data or children’s information, may also need to appoint a Data Protection Officer and maintain more detailed records.

What About Cross-Border Transfers?

Personal data can only be transferred to countries that are officially approved by the Indian government. This provision is aimed at protecting data sovereignty and preventing unrestricted flow of data to unvetted jurisdictions.

For businesses, this means:

  • Understanding where your data is currently hosted
  • Re-evaluating vendor contracts and processing locations
  • Avoiding transfers to countries that are not on the approved list

If your cloud infrastructure or SaaS tools operate globally, this may require significant adjustments.

What Happens When There's a Breach?

If personal data is compromised, the DPDP Act requires companies to:

  • Notify the Data Protection Board of India
  • Inform the affected individuals without unreasonable delay

This means organisations need a full incident response plan, including breach detection, escalation protocols, and public communication strategies.

Encryption is your first line of defence when devices are lost or compromised.

How Long Can You Store Data?

The DPDP Act enforces data minimisation. You cannot retain data longer than necessary for the original purpose.

Organisations are expected to:

  • Define category-wise retention policies
  • Build systems for automated deletion
  • Explain why certain data is retained for longer durations (e.g., legal holds, financial compliance)

DPDP vs GDPR: What’s Similar, What’s Not?

Feature               | DPDP Act (India)                          | GDPR (EU)
----------------------|-------------------------------------------|------------------------------------------
Scope                 | Only digital personal data                | All personal data (digital + physical)
Consent               | Allows “deemed” consent in some cases     | Requires explicit consent
Cross-border transfer | Allowed only to approved countries        | Based on adequacy or safeguards
Penalties             | Up to ₹2,500 crore                        | Up to 4% of global turnover
Sensitive data        | No formal distinction                     | Clear categories with added restrictions

While both laws aim to protect privacy, their definitions, frameworks, and enforcement styles differ. India’s approach allows for greater government involvement in setting conditions for data transfer and enforcement.

Exemptions to the Act

Certain types of data processing are exempt from some or all provisions:

  • Legal obligations: Courts, tribunals, and law enforcement bodies
  • Contractual processing: For individuals outside India under international contracts
  • Mergers or restructuring: Corporate actions approved by relevant authorities
  • Loan recovery: Processing to trace defaulters, subject to existing laws

However, even exempt entities are expected to handle data responsibly, especially where harm or discrimination may occur.

What the Data Protection Board Does

The Data Protection Board of India is the enforcement and adjudicating body under this Act. It will:

  • Investigate non-compliance

  • Hear user complaints

  • Impose financial penalties (minimum ₹50 crore in some cases)

  • Direct corrective actions

It is not a regulator like the EU’s data protection authorities, but a quasi-judicial body focused on enforcement.

What This Means for Businesses

If You’re a Large Enterprise

You will need to revisit everything — from how you collect consent to how you store backups. Systems must be updated, internal processes documented, and privacy built into the architecture. For most enterprises, this will involve legal reviews, technology upgrades, and ongoing monitoring.

If You’re a Startup or SME

Smaller companies may not have a compliance team, but they still need to comply. Affordable tools for consent management, breach alerts, and access controls can help bridge the gap. Some may also benefit from outsourcing DPO responsibilities or using plug-and-play privacy solutions.

If You’re in Finance or Healthcare

Handling sensitive data comes with additional scrutiny. Explicit consent, documented privacy impact assessments, and secure data flows are no longer optional. These sectors may need to over-prepare, especially when dealing with external partners and vendors.

Your 6-Step DPDP Compliance Plan

1. Run a Privacy Audit

Start by building a detailed view of your organisation’s personal data lifecycle. This includes identifying every system where personal data is collected, stored, processed, or shared.

  • Create a central inventory of personal data types, such as names, email addresses, device information, and payment details.
  • Map each data type to its collection source, storage location, access permissions, and retention period.
  • List all third parties, vendors, and platforms that handle personal data on your behalf.
  • Classify data based on risk levels, especially in cases involving children or financial information.

This process is the foundation for compliance and risk mitigation. Without full visibility, it is difficult to manage obligations or respond to incidents.

2. Fix Consent Mechanisms

DPDP requires that consent be specific, informed, and easy to withdraw. Most generic or bundled consent methods will not meet this standard.

  • Update all consent notices with clear, purpose-linked explanations.
  • Avoid vague language and pre-checked boxes. Users must know exactly what data is being collected and why.
  • Display opt-in and opt-out options with equal visibility.
  • Support consent notices in multiple languages, including those listed in the Eighth Schedule where relevant.
  • Maintain detailed logs of consent events, withdrawals, and the associated purposes.

Consent is no longer a legal formality. It must be built into both the user experience and your backend records.
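One way to keep the backend record the step above calls for: a purpose-linked, append-only consent ledger in which a withdrawal is a logged event rather than a deleted row, and a missing record means no consent. This is an added illustration, not code from the original post or from any product; the class names, the notice version and the sample principal `p-001` are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str            # one purpose per event, so nothing is bundled
    action: str             # "grant" or "withdraw"
    at: datetime
    notice_version: str     # wording of the notice the user actually saw
    language: str           # language the notice was shown in

class ConsentLedger:
    """Append-only log: withdrawals are recorded as events, never erased."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown consent action: {event.action!r}")
        self._events.append(event)

    def has_consent(self, principal_id: str, purpose: str,
                    now: Optional[datetime] = None) -> bool:
        """True only if the latest event for this principal and purpose is a grant;
        no record means no consent, and nothing is inferred from other purposes."""
        now = now or datetime.now(timezone.utc)
        relevant = [e for e in self._events if e.principal_id == principal_id
                    and e.purpose == purpose and e.at <= now]
        return bool(relevant) and max(relevant, key=lambda e: e.at).action == "grant"

def sample_ledger() -> ConsentLedger:
    """Constructed sample: one user grants two purposes, later withdraws one."""
    ledger = ConsentLedger()
    base = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for purpose, action, day in (("marketing_email", "grant", 9),
                                 ("analytics", "grant", 9),
                                 ("marketing_email", "withdraw", 60)):
        ledger.record(ConsentEvent("p-001", purpose, action,
                                   base + timedelta(days=day), "v3", "hi"))
    return ledger

def sample_status(now_iso: str) -> Dict[str, bool]:
    """Consent status of the sample principal per purpose at an ISO-8601 instant."""
    now = datetime.fromisoformat(now_iso)
    ledger = sample_ledger()
    return {p: ledger.has_consent("p-001", p, now)
            for p in ("marketing_email", "analytics", "profiling")}
```

Because the ledger is time-aware, the same log also answers the question an auditor or an access request will ask: what did this user consent to, and when.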

3. Define Data Retention Rules

DPDP requires organisations to retain personal data only as long as it is necessary for a defined purpose. Holding on to data without justification increases both regulatory and security risks.

  • Assign retention periods based on data category and legal or business requirements.
  • Automate deletion or archiving when the retention period ends.
  • Maintain clear documentation explaining each retention policy.
  • Create a workflow for processing user-initiated deletion requests, including logs and confirmations.
  • Regularly audit internal systems for data that exceeds retention timelines.

Clear retention rules not only support compliance but also reduce the volume of data exposed in the event of a breach.

4. Review and Update Vendor Contracts

If a vendor processes personal data on your behalf, you are accountable for their compliance posture. Every agreement must be reviewed through the lens of DPDP.

  • Ensure contracts include specific clauses around data protection obligations, breach notification timelines, and cross-border transfer policies.
  • Require vendors to disclose where data is stored and processed.
  • Avoid working with vendors located in jurisdictions not approved by the Indian government.
  • Include audit rights and termination clauses tied to privacy violations.
  • Where necessary, request documentation or certifications that prove alignment with Indian data protection standards.

Your data security is only as strong as your vendor ecosystem. Contracts need to reflect that responsibility.

5. Train Teams Across Departments

Data protection is not limited to legal or IT departments. Everyone who touches personal data must understand their role in upholding privacy standards.

  • Train developers and product teams on principles such as data minimisation and purpose limitation.
  • Help marketing and sales teams understand what kind of data they can collect, how consent must be obtained, and what records must be maintained.
  • Prepare customer service teams to handle access requests, corrections, and grievances.
  • Document procedures for handling complaints and escalate unresolved cases to a designated point of contact.
  • Conduct periodic refreshers and simulate real-world scenarios such as breach drills or user complaints.

Effective compliance depends on consistent execution. Training should focus on practical scenarios, not just theory.

6. Create a Breach Response Plan

When a data breach occurs, your response is scrutinised as much as the breach itself. The DPDP Act requires timely disclosure to both the regulator and affected individuals.

  • Set up monitoring and detection systems that can identify unusual behaviour or unauthorised access.
  • Define roles and escalation steps in case of an incident.
  • Document communication templates for notifying the Data Protection Board and impacted users.
  • Include a timeline for investigation, reporting, and remediation.
  • Test your plan periodically to identify bottlenecks or weak points.

Preparation is critical. A well-documented, well-rehearsed breach plan helps minimise damage and demonstrate accountability.

India’s DPDP Act doesn’t just add another layer of compliance. It forces a cultural shift in which data is seen not as a business asset to exploit, but as something entrusted to you, with conditions.

In 2025, privacy risk is business risk. The businesses that internalise this early and seriously will avoid penalties, defend their reputation, and earn trust where it is now hardest to win.

The DPDP Act is not just another regulatory update. It marks a clear shift in how India views privacy: not as a formality, but as a right.

Businesses that treat compliance as an afterthought will find it difficult to keep up. Those that build privacy into their operations now can stay ahead of enforcement, avoid steep penalties, and build lasting trust with their customers.

Need clarity on your compliance roadmap?

Our privacy consultants can help you assess gaps, plan next steps, and implement solutions tailored to your business size and sector.

Rahul Surve

Rahul is a seasoned technical expert with over six years of experience in cybersecurity, application support, and IT infrastructure management. As head of Technical Support at RankSecure, he specialises in simplifying complex technical issues, designing secure digital frameworks, and optimising IT environments. His strong background in cybersecurity strategy and hands-on problem-solving has instilled in him a passion for sharing insights through training, demos, and technical writing.
